Executive Summary

CVE-2017-20220 is an improper access control vulnerability in Serviio PRO version 1.8 and earlier. It affects the Configuration REST API, which allows unauthenticated remote attackers to change the mediabrowser login password without any authentication.

Attackers exploit this by sending specially crafted HTTP PUT requests with an XML payload to the REST API endpoint `/rest/remote-access`. This payload includes a new password inside the `<remoteUserPassword>` tag along with other configuration parameters. Because the API does not enforce authentication, the attacker can arbitrarily modify the login credentials.

This vulnerability affects Serviio PRO running on Windows, Mac OS X, and Linux systems, and targets the default ports 23423 (console) and 23424 (mediabrowser).

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability allows a remote, unauthenticated attacker to change the mediabrowser login password, effectively gaining unauthorized access to the media server's protected interface."}, {'type': 'paragraph', 'content': 'Once the attacker changes the password, they can access and potentially manipulate media streaming configurations and data, bypassing security controls.'}, {'type': 'paragraph', 'content': 'Because the attacker does not need any prior credentials or privileges, this poses a high risk of unauthorized control over the affected system.'}] [1, 2, 3, 5]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to send a specially crafted HTTP PUT request to the Configuration REST API endpoint `/rest/remote-access` on the affected Serviio PRO server, typically running on ports 23423 (console) or 23424 (mediabrowser).'}, {'type': 'paragraph', 'content': 'The request should include an XML payload containing a new password inside the `<remoteUserPassword>` tag, along with other configuration parameters. The request must have the headers `Content-Type: application/xml` and `Accept: application/xml`.'}, {'type': 'paragraph', 'content': 'If the password can be changed without authentication, the system is vulnerable.'}, {'type': 'paragraph', 'content': 'A practical detection method is to use a Python script or a tool like curl to send such a crafted PUT request and observe if the password is changed or if the server responds without requiring authentication.'}, {'type': 'list_item', 'content': 'Example curl command to test the vulnerability (replace <host> with target IP or hostname):'}, {'type': 'list_item', 'content': 'curl -X PUT http://<host>:23424/rest/remote-access -H "Content-Type: application/xml" -H "Accept: application/xml" -d \'<remoteAccess><remoteUserPassword>newpassword</remoteUserPassword><preferredRemoteDeliveryQuality>HIGH</preferredRemoteDeliveryQuality><portMappingEnabled>false</portMappingEnabled><externalAddress></externalAddress></remoteAccess>\''}, {'type': 'paragraph', 'content': 'If the server accepts this request and changes the password without authentication, it confirms the presence of the vulnerability.'}] [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the Serviio PRO Configuration REST API endpoints, especially `/rest/remote-access`, by implementing network-level controls such as firewall rules to limit access only to trusted hosts.

If possible, disable remote access to the mediabrowser interface or move it behind a VPN or secure network segment to prevent unauthenticated external access.

Monitor and audit access logs for any suspicious or unauthorized requests to the REST API endpoints.

Check for and apply any available patches or updates from the vendor that address this improper access control vulnerability.

As a temporary workaround, consider changing the mediabrowser login password manually and restricting access until a patch is applied.

Useful 0 Not Useful 0