Security: Regarding SSDP Reflection/Amplification DDoS

What is it?

We recently became aware of an issue reported by security researchers. It was not disclosed to us prior to publication.

It describes an issue in which Plex Media Server installations in a specific (and uncommon) network position could potentially be used to reflect UDP traffic on certain device-discovery ports as part of a possible DDoS (distributed denial-of-service) attack.

Am I affected?

The vast majority of Plex Media Server setups are not exposed or affected by this. It specifically requires that either:

  1. the entire device running Plex Media Server be exposed to the public internet (such as one hosted in a data center or the computer being placed in the public “DMZ” of the network router), or
  2. the server administrator has explicitly forwarded UDP traffic on an applicable port from the public internet to the device running Plex Media Server.

Neither of these configurations is typical for normal users. Only a very small portion of Plex Media Server instances will be potentially affected by this.

What is the impact?

This issue does not allow attackers to access any of your private data or make changes to your account. It only allows attackers to cause an affected server to “reflect” UDP packets in order to increase the volume of a denial-of-service attack against some other server or network on the public internet. These “amplification” techniques are common in a variety of widely-used, UDP-based network protocols when services are exposed directly to the public internet (such as DNS or NTP). For more information on amplification attacks and how to protect Internet-facing systems against them, we recommend you review the US-CERT article explaining them.

What can I do?

We have released a hotfix for Plex Media Server, so that the server will only respond to UDP requests from the local network (LAN), not the public internet (WAN). The fix is available in Plex Media Server v1.21.3.4014 or newer. It’s available for both public and beta users from our regular Downloads page. We recommend all users update their server installation.
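As an added illustration of the policy the hotfix applies (this is example code, not Plex's own implementation), the following minimal SSDP M-SEARCH responder answers a discovery request only when the UDP source address is on the local network, so a packet arriving from a WAN address is dropped instead of reflected. The LOCATION URL, the bound address and the LAN address ranges chosen are assumptions made for the example.

```python
import ipaddress
import socket
from typing import Optional, Tuple

SSDP_PORT = 1900  # standard SSDP/UPnP discovery port

# Assumed definition of "local network": RFC 1918, link-local and loopback
# ranges for IPv4; ULA, link-local and loopback for IPv6.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8",
    "fc00::/7", "fe80::/10", "::1/128",
)]


def is_lan_source(addr: str) -> bool:
    """True only if addr parses and falls inside one of LAN_NETWORKS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    # 'in' is False for a family mismatch (IPv4 address vs IPv6 network)
    return any(ip in net for net in LAN_NETWORKS)


def build_response(payload: bytes, src: Tuple[str, int]) -> Optional[bytes]:
    """Return an SSDP reply for a LAN M-SEARCH, or None if it must be dropped.

    Dropping WAN sources is the reflection defence: the reply is larger than
    the request, so answering a spoofed WAN source would amplify traffic
    towards whoever the source address was forged to be.
    """
    host, _port = src
    if not is_lan_source(host):
        return None
    if not payload.startswith(b"M-SEARCH * HTTP/1.1"):
        return None  # only search requests are answered
    # Hypothetical service description; a real responder fills this from config
    return (b"HTTP/1.1 200 OK\r\n"
            b"CACHE-CONTROL: max-age=1800\r\n"
            b"ST: upnp:rootdevice\r\n"
            b"LOCATION: http://192.168.1.10:8080/desc.xml\r\n\r\n")


def serve(bind_addr: str = "0.0.0.0") -> None:
    """Blocking UDP loop applying build_response to every datagram."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((bind_addr, SSDP_PORT))
    while True:
        data, src = sock.recvfrom(2048)
        reply = build_response(data, src)
        if reply is not None:
            sock.sendto(reply, src)


if __name__ == "__main__":
    serve()
```

Binding to the LAN interface address alone is a further hardening step, but the source-address check still matters when the host itself is directly exposed or has a forwarded UDP port.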

Again, the vast majority of Plex Media Server users will not be affected by this issue. For those very few users with a system in one of the affected configurations, we still recommend the following for general security:

  1. If connected directly to the public internet, configure your server’s firewall to block traffic on the “additional” ports mentioned in this support article.
  2. When using a router performing NAT (this includes most consumer systems), configure it not to forward UDP traffic (on the “additional” ports mentioned in this support article) from the public internet to the device running Plex Media Server.

We will also be releasing a new version of Plex Media Server that contains a hotfix to add an extra layer of protection for those servers that may have been accidentally exposed. It will be available from our regular Downloads page soon. We’ll update this post once the new release is available.
