CVE-2021-42835 in Plex Media Server

Summary

by MITRE • 12/08/2021

An issue was discovered in Plex Media Server through 1.24.4.5081-e362dc1ee. An attacker (with a foothold in an endpoint via a low-privileged user account) can access the exposed RPC service of the update service component. This RPC functionality allows the attacker to interact with the RPC functionality and execute code from a path of his choice (local, or remote via SMB) because of a TOCTOU race condition. This code execution is in the context of the Plex update service (which runs as SYSTEM).


Analysis

by VulDB Data Team • 12/11/2021

The vulnerability identified as CVE-2021-42835 is a critical privilege escalation flaw in Plex Media Server version 1.24.4.5081-e362dc1ee and earlier releases. It stems from a race condition in the remote procedure call functionality of the update service component, which gives an attacker who already holds a low-privileged user account a window in which to elevate to SYSTEM-level access. The vulnerability specifically targets the RPC service that is exposed to network endpoints, making it reachable by attackers who have already gained initial access to a compromised system.

The technical exploitation of this vulnerability relies on a time-of-check to time-of-use race condition, which is classified as CWE-367. This type of race condition occurs when the system performs a check to determine if an operation is allowed and then subsequently performs the operation after a time gap, during which the system state may have changed. In this case, the attacker can manipulate the system state between the time the RPC service validates access permissions and when the actual code execution occurs. The RPC service component, which operates under the SYSTEM context, allows for code execution from arbitrary paths, either local or remote via SMB protocols, providing attackers with a powerful vector for system compromise.
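The check-then-use pattern the analysis describes, reduced to a deterministic simulation (an added example, not Plex code or code from this page): the vulnerable loader validates a path and then opens it again, while the hardened loader opens once and validates the object behind the descriptor. The trusted directory, file names, `race_hook` callback and POSIX-style symlink swap are constructed for the illustration and stand in for the update service's own path check and file-system race.

```python
import os
import tempfile
from pathlib import Path

# Constructed illustration of CWE-367 (not Plex code): an "update service" may only load
# payloads inside a trusted directory, but the name it is handed can be repointed mid-flight.

def path_is_trusted(path: str, trusted_dir: str) -> bool:
    """Name-based check: where does the path resolve at this instant?"""
    return Path(path).resolve().is_relative_to(Path(trusted_dir).resolve())

def load_update_vulnerable(path, trusted_dir, race_hook=lambda: None):
    """Check-then-use: the name is looked up twice, so its target can change in between."""
    if not path_is_trusted(path, trusted_dir):
        raise PermissionError("payload outside trusted directory")
    race_hook()                       # the TOCTOU window
    with open(path, "rb") as f:       # second lookup follows the *new* target
        return f.read()

def load_update_hardened(path, trusted_dir, race_hook=lambda: None):
    """Open-then-check: open once, verify the object behind the descriptor, use that descriptor."""
    fd = os.open(path, os.O_RDONLY)
    try:
        race_hook()                   # repointing the name no longer affects fd
        opened = os.fstat(fd)
        trusted_ids = {(s.st_dev, s.st_ino)
                       for s in (e.stat() for e in os.scandir(trusted_dir))}
        if (opened.st_dev, opened.st_ino) not in trusted_ids:
            raise PermissionError("opened object is not a file inside the trusted directory")
        return os.read(fd, opened.st_size)
    finally:
        os.close(fd)

def simulate_race():
    """Run the same symlink swap against both loaders; returns (vulnerable, hardened)."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted = os.path.join(tmp, "trusted")
        os.mkdir(trusted)
        good, evil = os.path.join(trusted, "update.bin"), os.path.join(tmp, "attacker.bin")
        Path(good).write_bytes(b"GOOD")
        Path(evil).write_bytes(b"EVIL")
        link = os.path.join(tmp, "staging.bin")   # the attacker-controlled name
        os.symlink(good, link)                     # passes the check at check time
        def repoint(target):                       # stands in for the racing low-privileged user
            os.remove(link)
            os.symlink(target, link)
        vulnerable = load_update_vulnerable(link, trusted, lambda: repoint(evil))
        repoint(good)
        hardened = load_update_hardened(link, trusted, lambda: repoint(evil))
        return vulnerable, hardened
```

Under the same swap the vulnerable loader returns the attacker's bytes while the hardened loader still returns the trusted payload, because identity is checked on the opened object rather than on the name.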

The operational impact of this vulnerability is severe as it enables attackers to achieve SYSTEM-level privileges with minimal initial access requirements. Once a foothold is established through a low-privileged user account, the attacker can leverage this vulnerability to execute arbitrary code within the context of the Plex update service, which runs with the highest privileges available on the Windows system. This privilege escalation capability allows for complete system compromise, enabling attackers to access sensitive data, modify system configurations, install additional malware, or establish persistent backdoors. The vulnerability's exposure through network-accessible RPC services makes it particularly dangerous as it can be exploited remotely without requiring physical access to the target system.

Security mitigations for this vulnerability should focus on immediate patching of affected Plex Media Server installations to version 1.24.5.5183 or later, which contains the necessary fixes for the race condition. Network segmentation and firewall rules should be implemented to restrict access to the Plex update service RPC endpoints, limiting exposure to trusted networks only. Additionally, organizations should consider implementing network monitoring to detect unusual RPC activity patterns that might indicate exploitation attempts. The principle of least privilege should be enforced by ensuring that the Plex update service runs with minimal required permissions, and regular security audits should be conducted to identify and remediate similar race condition vulnerabilities in other system components. This vulnerability aligns with ATT&CK technique T1068, which covers 'Exploitation for Privilege Escalation', and demonstrates how seemingly minor implementation flaws can create significant security risks.

Reservation

10/22/2021

Disclosure

12/08/2021

Moderation

accepted

CPE

ready

EPSS

0.01166

KEV

no

Activities

very low
