Update Your Plex Server Now to Fix This Security Vulnerability
Bug bounty programs have become a crucial component in securing the software that quietly runs in our daily lives. In the case of Plex, a newly identified vulnerability underscores the value of these programs, and it calls for immediate action: update your Plex software as soon as possible.
Plex has issued a cautionary alert to its user base, urging them to promptly update their software to remedy a recently unearthed vulnerability, the specifics of which remain undisclosed. Such direct communication to users running particular server versions signals the severity of the issue in question.
This critical security vulnerability affects Plex Media Server versions ranging from 1.41.7.x to 1.42.0.x. A notification was dispatched to users on a Thursday, four days after the quiet release of a patch. Plex said the vulnerability was responsibly reported through its bug bounty program. They stated, “Thanks to that user, we were able to address the issue, release an updated version of the server, and continue to improve our security and defenses.” Despite the acknowledgment, Plex has been reticent about divulging the specifics and severity of the flaw. As of now, not even a CVE-ID, the universal standard for identifying cybersecurity vulnerabilities, has been assigned.
Moreover, Plex hasn’t offered any technical insight that might elucidate whether the bug permits data exposure, service denial, or a more hazardous remote code execution (RCE) attack. This cautious reticence is understandable. By keeping the vulnerability out of the public domain, Plex aims to discourage bad actors from investigating potential vulnerabilities or understanding how to exploit them. However, threat actors could potentially reverse-engineer the update to uncover the underlying weakness, which underscores the necessity for swift action in downloading and applying the update. The longer users delay updating, the greater the window of opportunity for potential exploits on those unpatched servers. Plex’s unusual step of emailing users directly signifies the seriousness of this vulnerability.
Historically, Plex has wrestled with significant security challenges, some with repercussions extending beyond its immediate ecosystem. Notably, in March 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a three-year-old Plex vulnerability, CVE-2020-5741, to its Known Exploited Vulnerabilities (KEV) catalog. This RCE vulnerability allowed attackers who successfully exploited it to execute arbitrary code on unwary users’ servers.
The reinforced and secure version is Plex Media Server 1.42.1.10060, readily accessible via the server’s integrated update system or directly from the official Plex download platform. For those maintaining a Plex server, it is imperative to install this update without delay.
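As an added example, not code from the article or from Plex, the following Python check classifies a server's reported version against the affected range (1.41.7.x to 1.42.0.x) and the fixed build (1.42.1.10060) named above, so an administrator can inventory which servers still need the update. The identity XML below is a constructed sample, and the assumption that a server's /identity response carries a version attribute is the editor's own.

```python
"""Classify a Plex Media Server version against the advisory's affected
range (1.41.7.x through 1.42.0.x) and fixed build (1.42.1.10060)."""
import re
import xml.etree.ElementTree as ET

AFFECTED_LOW = (1, 41, 7)    # first affected release line, from the advisory
AFFECTED_HIGH = (1, 42, 0)   # last affected release line, from the advisory
FIXED = (1, 42, 1, 10060)    # patched build named in the advisory

def parse_version(text):
    """Turn '1.42.0.9975-abc1234' into (1, 42, 0, 9975). The trailing
    '-hash' suffix Plex appends to build strings is ignored. Raises
    ValueError on anything that does not look like a Plex version."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-[0-9a-fA-F]+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Plex version string: {text!r}")
    return tuple(int(g) for g in m.groups())

def is_affected(text):
    """True when the release line (major.minor.patch) lies in the affected range."""
    line = parse_version(text)[:3]
    return AFFECTED_LOW <= line <= AFFECTED_HIGH

def is_patched(text):
    """True when the build is at least the fixed build from the advisory."""
    return parse_version(text) >= FIXED

def version_from_identity(xml_text):
    """Pull the version attribute out of a server's /identity response.
    Assumption (editor's, not from the article): the response is a single
    MediaContainer element carrying a 'version' attribute."""
    root = ET.fromstring(xml_text)
    return root.attrib["version"]

# Constructed sample response; not captured from a real server.
SAMPLE_IDENTITY = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<MediaContainer size="0" machineIdentifier="EXAMPLE-ID" '
    'version="1.42.0.9975-abc1234"/>'
)

if __name__ == "__main__":
    v = version_from_identity(SAMPLE_IDENTITY)
    status = "patched" if is_patched(v) else "update required"
    in_range = "in affected range" if is_affected(v) else "outside affected range"
    print(f"{v}: {in_range}, {status}")
```

Run it against the XML returned by each server's identity endpoint to flag any host whose version is still in the affected range or below the fixed build.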
Source: Bleeping Computer