Server Version#: 1.32.6.7557 / Ubuntu
Running on Ubuntu 20.04
Looks like PMS is running an outdated version of libcurl
The output that was sent to me:
Path : /usr/lib/plexmediaserver/lib/libcurl.so.4
Installed version : 7.88.1
Fixed version : 8.4.0
Thanks for letting us know.
I will notify Engineering.
Given libcurl seems to always have a CVE against it, there might not be any way of having a totally bug-free libcurl.
A saving grace here is that libcurl only talks to Plex.tv and other Plex servers.
It’s not as open & vulnerable as the libcurl shipped with Ubuntu 20.04 itself, true?
20.04 LTS is still using:
curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11 brotli/1.0.7 libidn2/2.2.0 libpsl/0.21.0 (+libidn2/2.2.0) libssh/0.9.3/openssl/zlib nghttp2/1.40.0 librtmp/2.3
So the Ubuntu box in question:
Path : libcurl3-gnutls (via package manager)
Version : 7.68.0-1
Managed by OS : True
Path : libcurl4 (via package manager)
Version : 7.68.0-1
Managed by OS : True
Path : /usr/lib/plexmediaserver/lib/libcurl.so.4
Version : 7.88.1
Looking at my KB for the scan:
The curl_7.68.0-1ubuntu2.20 / libcurl3-gnutls_7.68.0-1ubuntu2.20 / libcurl4_7.68.0-1ubuntu2.20 packages are installed and not affected.
Confirmed it's based on the OS: CVE-2023-38545
@ChuckPa
See how bad 20.04 itself is?
Yuck. Plex is ahead of 20.04.6 LTS
As I said, I’m going to write this up for engineering to review and update.
I agree the CVE should be addressed.
Is it a gaping vulnerability? NO it’s not. libcurl in Plex talks from PMS → Plex.tv
@RevitXman
I’m preparing the submission to Engineering for this.
I apologize but cannot find where Plex’s libcurl.so.4 refers to anything listed in
CVE-2023-38545
Can you help me please because readelf isn’t helping.
A full sweep of my Ubuntu 20.04.6 LTS box shows:
[chuck@lizum ~.1999]$ find /lib* /usr/lib* -name libcurl\* -print
/usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.3
/usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4
/usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4.6.0
/usr/lib/x86_64-linux-gnu/libcurl.so.4
/usr/lib/x86_64-linux-gnu/libcurl.so.4.6.0
/usr/lib/vmware/lib/libcurl.so.4
/usr/lib/vmware/lib/libcurl.so.4/libcurl.so.4
/usr/lib/vmware-ovftool/libcurl.so.4
/usr/lib/plexmediaserver/lib/libcurl.so.4
/usr/lib/build/lib/libcurl.so.4
[chuck@lizum ~.2000]$
Plex’s libcurl.so.4 is not Ubuntu’s libcurl.so.4.
readelf easily confirms this.
This:
[chuck@lizum ~.2000]$ readelf -a /usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4
ELF Header:
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: DYN (Shared object file)
Machine: Advanced Micro Devices X86-64
Version: 0x1
Entry point address: 0xead0
Start of program headers: 64 (bytes into file)
Start of section headers: 582456 (bytes into file)
Flags: 0x0
Size of this header: 64 (bytes)
Size of program headers: 56 (bytes)
Number of program headers: 11
Size of section headers: 64 (bytes)
Number of section headers: 29
Section header string table index: 28
Versus
[chuck@lizum ~.1997]$ cd /usr/lib/plexmediaserver/
[chuck@lizum plexmediaserver.1998]$ cd lib
[chuck@lizum lib.1999]$ readelf -a libcurl.so.4
ELF Header:
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: DYN (Shared object file)
Machine: Advanced Micro Devices X86-64
Version: 0x1
Entry point address: 0x225b0
Start of program headers: 64 (bytes into file)
Start of section headers: 444504 (bytes into file)
Flags: 0x0
Size of this header: 64 (bytes)
Size of program headers: 56 (bytes)
Number of program headers: 10
Size of section headers: 64 (bytes)
Number of section headers: 30
Section header string table index: 27
Again, I’m sorry. I’m having a bad day and not connecting the dots.
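As an added example that is not from this thread or from Plex, here is a small Python inventory script that does what the scanner quoted at the top did: it walks the same roots as the `find` command above, dlopens every libcurl copy it finds (vendor-bundled copies under paths like /usr/lib/plexmediaserver/lib included, which the package manager never sees), reads the library's own curl_version() banner and compares it against the 8.4.0 fixed version the scanner reported. The root list and the record layout are my own choices.

```python
import ctypes
import os
import re
from fnmatch import fnmatch

# Fixed release for CVE-2023-38545, as reported by the scanner in the thread.
FIXED_VERSION = (8, 4, 0)
_BANNER_RE = re.compile(r"libcurl/(\d+)\.(\d+)\.(\d+)")

def parse_libcurl_version(banner):
    """(major, minor, patch) from a banner like 'libcurl/7.88.1 OpenSSL/3.0.2'; None if absent."""
    m = _BANNER_RE.search(banner or "")
    return tuple(int(g) for g in m.groups()) if m else None

def is_fixed(version, fixed=FIXED_VERSION):
    """Tuple comparison, so 8.10.0 correctly ranks above 8.4.0."""
    return tuple(version) >= fixed

def banner_of(path):
    """dlopen the object and ask it for its banner via curl_version(). Loading a shared
    object runs its constructors, so use only on files you already trust; OSError covers
    missing dependencies or a foreign architecture (e.g. an ARMv7 build on x86-64)."""
    try:
        lib = ctypes.CDLL(path)
        lib.curl_version.restype = ctypes.c_char_p
        return lib.curl_version().decode(errors="replace")
    except (OSError, AttributeError):
        return None

def assess(path, banner):
    """One scanner-style record: path, installed version, fixed version, status."""
    version = parse_libcurl_version(banner)
    status = "unknown" if version is None else ("ok" if is_fixed(version) else "outdated")
    return {"path": path, "installed": version, "fixed": FIXED_VERSION, "status": status}

def scan(roots=("/lib", "/usr/lib", "/lib64", "/usr/lib64")):
    """Walk the same roots as the thread's `find` (symlinked directories are not followed)."""
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if fnmatch(name, "libcurl*.so*"):
                    full = os.path.join(dirpath, name)
                    yield assess(full, banner_of(full))

if __name__ == "__main__":
    for rec in scan():
        print(f"{rec['status']:8} {rec['installed']} {rec['path']}")
```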
ALL
Just got updated from Engineering.
-
This CVE and fix was published just last week. Engineering was notified immediately.
(Part of the delay was waiting for the fix to be published)
-
They reviewed the code and found that it only affected PMS if someone set a very long string to a certain env variable as PMS launched.
– There is an implication here that the machine is compromised (an altered PMS startup environment) but not the point here.
-
In spite of the effective non-impact operating condition, the module was updated anyway.
-
The updated libcurl.so will be released in the next PMS release.
Sorry for the late reply. Plex.tv is blocked at work so I couldn’t update this. So I assume after this last post I don't need to chase this down?
@RevitXman
No, no need to chase this down. They were so far ahead of me that I had to catch up.
The testing is almost complete.
There was a problem with it on ARMv7 platforms – which is resolved and being retested.
This is all in our “alpha build” stage and will be included when the release comes out