Vulnerability disclosure: New Jellyfin users are mistakenly made admins and can read the LDAP bind password #174

Closed
opened 2022-08-05 18:09:17 +00:00 by a · 0 comments
Owner

This security vulnerability has been fixed. It has been exploited at least once, and probably only once.

Thanks again to @ersei for discovering this serious vulnerability. This is their description of the attack:

> What I did was log onto Jellyfin, find out that I have an admin account due to an LDAP misconfig (the filter was incorrect), get the LDAP bind PW, port forward with SSH, create a new user with a GID of 998 (wheel), and just su into that user from my account, and do sudo -i.

Jellyfin has been fixed to now no longer make new users admins. All old users have also been demoted from being admins.

I also configured SSSD to not allow LDAP users with a UID or GID under 1001, for a second countermeasure in case an attacker acquires the LDAP password.
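The SSSD countermeasure mentioned above corresponds to the `min_id` option of an `sssd.conf` domain section, which makes SSSD ignore any LDAP user or group whose uidNumber or gidNumber falls below the limit. The following is an added illustrative configuration, not the exozyme project's real `sssd.conf`; the domain name, LDAP URI and search base are placeholders.

```ini
# /etc/sssd/sssd.conf (added example; domain name, ldap_uri and
# ldap_search_base are placeholders, not the project's real values)
[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.invalid
ldap_search_base = dc=example,dc=invalid

# Second line of defence from the issue: entries with a uidNumber or
# gidNumber below 1001 are ignored by SSSD, so an LDAP account pointing at
# a low system GID such as 998 (wheel) is never resolved by NSS or PAM,
# even if someone with the bind password manages to create it.
min_id = 1001
```

After restarting `sssd`, `getent passwd` for a directory account whose uidNumber or gidNumber is below 1001 should return nothing, which is the quick check that the limit is in effect.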

a added the bug, security labels 2022-08-05 18:09:17 +00:00
a added this to the (deleted) project 2022-08-05 18:09:17 +00:00
a closed this issue 2022-08-05 18:09:44 +00:00
Reference: exozyme/exozyme#174