I tried running OpenVAS against my network’s external IP interface (WAN), and the following Plex item was highlighted with a “5.0” (medium) severity. I think it makes sense to disable TLS 1.0 and 1.1 on the Server.
The scan found this against the port opened by Plex through my router.
Summary
This routine reports all SSL/TLS cipher suites accepted by a service where attack vectors exist only on HTTPS services.
Vulnerability Detection Result
‘Vulnerable’ cipher suites accepted by this service via the TLSv1.0 protocol:
TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)
‘Vulnerable’ cipher suites accepted by this service via the TLSv1.1 protocol:
TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)
‘Vulnerable’ cipher suites accepted by this service via the TLSv1.2 protocol:
TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)
Solution
Solution type: Mitigation
The configuration of this service should be changed so that it does not accept the listed cipher suites anymore.
Please see the references for more resources supporting you with this task.
Affected Software/OS
Services accepting vulnerable SSL/TLS cipher suites via HTTPS.
Vulnerability Insight
These rules are applied for the evaluation of the vulnerable cipher suites:
64-bit block cipher 3DES vulnerable to the SWEET32 attack (CVE-2016-2183).
Stick an application layer firewall between Plex and the internet. It will be the quickest resolution and will centralise control of your security in your hands / a single vendor, rather than depending on each application developer to Do The Right Thing.
It’s more work for you in the short term, but less in the long term.
Alternatively, work out how to properly reverse proxy Plex via nginx/Apache/etc
Thanks. I do have a reverse proxy setup…
I do think, however, that Plex should be aware of/ahead of this one, as it's easy to "fix" vs. having the less technical users do "anything", vs. the PR issue if the worst case were to occur.
Really? Plex, please, you should answer here and allow users to configure protocols and ciphers, or, at least, remove vulnerable protocols and ciphers.
To be HIPAA compliant, you must do two things related directly to Plex:
TLSv1.0 is not secure anymore and should be disabled by default.
Some ciphers enabled in Plex web interface should be disabled too. Keeping in mind that TLSv1.0 wouldn’t be allowed, it would be sufficient to disable CAMELLIA and 3DES ciphers.
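The two suggestions above (reverse proxying Plex, and dropping TLSv1.0 along with the 3DES and CAMELLIA suites) can be combined in one proxy configuration. The nginx server block below is an added example, not configuration from the original thread or from Plex. It assumes Plex Media Server is listening on 127.0.0.1:32400, that the public name is plex.example.com, and that the certificate and key paths are placeholders to be replaced.

```nginx
# Added example: nginx terminating TLS in front of Plex Media Server.
# Assumptions (not from the thread): Plex listens on 127.0.0.1:32400,
# the public hostname is plex.example.com, and the certificate/key
# paths are placeholders.

server {
    listen 443 ssl;
    server_name plex.example.com;

    ssl_certificate     /etc/ssl/certs/plex.example.com.fullchain.pem;
    ssl_certificate_key /etc/ssl/private/plex.example.com.key;

    # Only TLS 1.2 and 1.3. This is what removes the TLSv1.0/TLSv1.1
    # findings from the scan; the old protocols are simply not offered.
    ssl_protocols TLSv1.2 TLSv1.3;

    # TLS 1.2 cipher list: forward-secret AEAD suites only.
    # 3DES (SWEET32, CVE-2016-2183), CAMELLIA and static RSA key exchange
    # (kRSA, which is what TLS_RSA_WITH_3DES_EDE_CBC_SHA uses) are
    # excluded explicitly. TLS 1.3 suites are negotiated separately and
    # are not affected by this directive.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:!3DES:!CAMELLIA:!kRSA:!aNULL:!eNULL';
    ssl_prefer_server_ciphers off;

    ssl_session_timeout 1d;
    ssl_session_cache shared:plex:10m;
    ssl_session_tickets off;

    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        proxy_pass http://127.0.0.1:32400;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Plex Web and remote clients use WebSockets; forward the upgrade.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_buffering off;
    }
}
```

Two things matter for the scan result to actually change. First, the router port forward to Plex's own listener on 32400 has to be removed, otherwise OpenVAS (and anyone else) still reaches Plex's built-in TLS stack directly and the 3DES suite is still accepted there; only the proxy's 443 should be exposed. Second, re-test against the proxy rather than trusting the config: `openssl s_client -connect plex.example.com:443 -tls1_1` should fail to handshake, and `openssl s_client -connect plex.example.com:443 -tls1_2 -cipher 'DES-CBC3-SHA'` should be rejected with no cipher in common, while a plain `openssl s_client -connect plex.example.com:443` should negotiate one of the listed ECDHE suites.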
Tbh I don't think Plex needs HIPAA compliance, as HIPAA is for health data; however, I have previously requested to be able to fully manage ciphers/protocols, including headers, for my Plex server.
I run my Plex behind a proxy to be able to manage this, however I would like a native way to do this...
Yes, I know. HIPAA was just an example of a compliance set.
As I said, I agree with you, the most preferred option would be to be able to fully configure available protocols, ciphers and headers.
BTW, what reverse proxy do you use? I use HAproxy, but if I set it with SSL offloading, Plex fails connecting to the cloud. Hence, I just block TLS v1.0 at this moment.