Bug bounty programs are extremely useful for reinforcing the security of the software we use daily. If you use Plex, a vulnerability has been discovered through one such program, and you’ll want to update as soon as you get a chance, because it sounds serious.
Plex has started warning users that they should immediately update their software to patch a newly discovered, yet-to-be-detailed vulnerability. The company took the unusual step of directly emailing users running affected server versions, so it must be a pretty serious one.
The security issue impacts Plex Media Server versions 1.41.7.x through 1.42.0.x. In an email sent to users on Thursday, four days after the patch was quietly released, Plex confirmed the vulnerability was responsibly disclosed through its bug bounty program. According to Plex, “thanks to that user, we were able to address the issue, release an updated version of the server, and continue to improve our security and defenses.” However, Plex has remained tight-lipped about the nature and severity of the flaw. As of the time I’m writing this, not even a CVE-ID, the standard identifier for publicly known cybersecurity vulnerabilities, has been assigned.
The company has also not provided any technical details that would clarify whether the bug could allow data exposure, denial of service, or a more severe remote code execution (RCE) attack. This is fine, though. Since it’s not a publicly disclosed vulnerability, Plex doesn’t want attackers poking around possible entry points and potentially finding the vulnerability themselves, and it also doesn’t want them to know how much, or how little, they can do with it. What attackers can do, however, is reverse-engineer the update to identify the underlying vulnerability, so you’ll want to download it as soon as you can. Once it is understood, they can develop exploits to target any servers that remain unpatched; you’d be surprised by the number of people who decide to just never update their servers. Seeing how the company felt it necessary to actually email people about it, it’s definitely more on the serious side.
Plex has contended with serious security issues in the past, with some having far-reaching consequences beyond its own ecosystem. In March 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a three-year-old Plex vulnerability, identified as CVE-2020-5741, to its catalog of known exploited vulnerabilities. This RCE flaw, if successfully exploited, could allow an attacker to execute arbitrary code on a user’s server.
The patched and secure version is Plex Media Server 1.42.1.10060, which is available through the server’s built-in update mechanism or directly from the official Plex downloads page. If you have a Plex server, download the update as soon as you can.
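If you run more than one server, a quick way to act on the version range above is to classify each reported version against the affected and fixed versions quoted in the article. This is an added example, not Plex’s code or code from the article; the hostnames are constructed, and the handling of a trailing build identifier after a dash is an assumption about Plex’s version format.

```python
# Added example: triage Plex Media Server versions against the advisory.
from typing import Dict, Tuple

# Versions quoted in the article. Affected: 1.41.7.x through 1.42.0.x; fixed: 1.42.1.10060.
AFFECTED_MIN = (1, 41, 7)
AFFECTED_MAX = (1, 42, 0)
FIXED_VERSION = "1.42.1.10060"


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse a version such as '1.42.1.10060' into a tuple of ints.

    Assumption: Plex may append a build identifier after a dash
    (e.g. '1.42.1.10060-abcdef'); anything after the dash is ignored.
    """
    core = version.split("-", 1)[0]
    parts = core.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def classify(version: str) -> str:
    """Return 'affected', 'patched', 'older' or 'unknown' for a server version."""
    v = parse_version(version)
    if AFFECTED_MIN <= v[:3] <= AFFECTED_MAX:
        return "affected"
    if v >= parse_version(FIXED_VERSION):
        return "patched"
    if v[:3] < AFFECTED_MIN:
        return "older"  # predates the affected range; not covered by the advisory
    # e.g. a 1.42.1 build numbered below 10060: the article does not say, so do not guess
    return "unknown"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in a {host: version} inventory to its status."""
    return {host: classify(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory for illustration only.
    sample = {
        "media-01.lan": "1.42.0.9999-abcdef",
        "media-02.lan": "1.42.1.10060-abcdef",
        "media-03.lan": "1.41.6.9600",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```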
Source: Bleeping Computer