Closed Xitro01 closed 1 year ago
This vulnerability is known as CVE-2021-25827.
Do you have a link to this? It doesn't seem to be available in the NIST or MITRE databases.
Thanks
Still pending, MITRE needs a public reference:
CVEs that are ** RESERVED ** will remain in a pending state until we are provided with at least one public reference that follows the CVE Entry Reference Requirement rules in section 8.3
This is the reason I created these issues.
I'm sorry that we failed to properly credit you for reporting this. Those were tough weeks for us and I didn't even think about researching earlier reports and by whom they were submitted.
No problem at all. The only thing that I'm bothered with is that thousands of machines got infected, which could be prevented.
By the way, it's never too late to still credit someone for it. That's always appreciated! :)
That's why I was asking for a link where you submitted that CVE?
MITRE. I can send you the CVE form (received the response with the CVE id this Tuesday) if you give me an e-mail address where I can send it to.
It will be published soon I think, but it already took MITRE 2 years to generate these CVE IDs, so who knows.
Here is the link, you can see it's reserved: https://www.cve.org/CVERecord?id=CVE-2021-25827
I thought submissions always need to go through a subsidiary. Or did MITRE accept direct submissions at that time?
But anyway, let me know once it's published, then I will gladly add a cross-reference to "your" CVE.
That might have been the reason it took a long time, but at the time it was possible to do a direct submission.
Will certainly do when it's published!
In case you haven't seen yet, we also have an official advisory (what you quoted in the other issue were just our instructions for affected users):
Thank you, just submitted another request to MITRE with these links attached.
And by the way, I reported the vulnerabilities to Luke in 2021, through a PM on the Emby forum.
Maybe an idea to create some kind of security e-mail box (Responsible Disclosure) that all devs receive, so that these kind of things get picked up faster?
PM Luke, ebr, softworkz, then it shouldn't become overlooked. Thanks
It's now published https://www.cve.org/CVERecord?id=CVE-2021-25827
Here it is on the old website of MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25827
And here are all Emby vulnerabilities, which includes "my" CVE from 2021 and the newer one from 2023: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Emby
I see that NIST also has this CVE now: https://nvd.nist.gov/vuln/detail/CVE-2021-25827
This shows neither your name, nor a description of the vulnerability...?
What do you mean? A CVE never shows the name of the researcher (unfortunately). And it shows the description of the vulnerability. Have you refreshed the cache of your browser?
Here is the whole request response e-mail from MITRE in 2023 about what I requested in 2021:
This email contains information regarding your CVE ID request reports. Each CVE ID request summary is followed by directions or comments for that request.
CVEs that are ** RESERVED ** will remain in a pending state until we are provided with at least one public reference that follows the CVE Entry Reference Requirement rules in section 8.3 (https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_8-3_cve_record_reference_requirements).
For the reports that are given a CVE ID, please be sure to update their respective references to include their assigned CVE IDs.
When the candidates are publicized, please send us the link to the advisory using https://cveform.mitre.org/ with "Notify CVE about a publication" as the request type.
---------------------------------------------------------------
> [Vulnerability Type]
>> Incorrect Access Control
---------------------------------------------------------------
> [Additional Information]
>> This vulnerability type is also explained here:
>> https://www.sjoerdlangkemper.nl/2017/03/01/bypass-ip-block-with-x-forwarded-for-header/
---------------------------------------------------------------
> [Affected Component]
>> Emby client and administration panel
---------------------------------------------------------------
> [Attack Type]
>> Remote
---------------------------------------------------------------
> [Impact Escalation of Privileges]
>> true
---------------------------------------------------------------
> [Impact Information Disclosure]
>> true
---------------------------------------------------------------
> [Attack Vectors]
>> To exploit this vulnerability an attacker needs to set the
>> X-Forwarded-For header to a local IP address, in most cases
>> 192.168.1.1 works.
---------------------------------------------------------------
> [Discoverer]
>> Christopher Simmelink
---------------------------------------------------------------
> [Reference]
>> http://emby.com/
>> https://www.sjoerdlangkemper.nl/2017/03/01/bypass-ip-block-with-x-forwarded-for-header/
---------------------------------------------------------------
> [Vendor of Product]
>> Emby
---------------------------------------------------------------
> [Affected Product Code Base]
>> Emby Web Affected versions: < 4.5.4.0 - No fix released
>> yet, I tried contacting Emby without any luck so far.
---------------------------------------------------------------
Use CVE-2021-25827 for:
** RESERVED ** An issue was discovered in client and administration panel in Emby Web versions 4.5.4.0 and prior, allows attackers to gain escalated privileges and gain sensitive information via crafted X-Forwarded-For parameter to the HTTP request.
Changes, additions, or updates to your request should be sent via a new CVE ID Request through our webform at https://cveform.mitre.org/. You may reference this service request number (1011828) if you need to refer back to this specific report.
Thank you,
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[A PGP key is available for encrypted communications at
http://cve.mitre.org/cve/request_id.html]
Please see my updated message for all the links regarding the CVE.
And here are all Emby vulnerabilities, which includes "my" CVE from 2021 and the newer one from 2023: cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Emby
All other vulnerabilities have links to the original reports. Yours has only links to URLs which didn't exist in 2021... And the request you posted doesn't include any description of the vulnerability, only a link to a blog entry from 2017 which is about something similar only.
Two years ago I reported an issue regarding the "Don't require a password on the local network" function in Emby Media Server. This function was susceptible to a login bypass attack by setting the X-Forwarded-For header to a local IP-address:
Where did you report this? Did you send a PM to Luke, then I can check back. What's your forums user name?
Thanks!
I simply did not make anything public as it was not fixed yet, out of courtesy, and didn't want others to abuse the vulnerability.
I sent Luke a PM in 2021, my forum username: Xitro
Yes of course, thanks for that.
Confirmed. All good. Do you want to be mentioned as "Christopher Simmelink", Xitro(forum member) or both?
Christopher Simmelink is fine, thanks!
Done. (https://github.com/EmbySupport/security/security/advisories/GHSA-fffj-6fr6-3fgf)
Thanks again, sw
Two years ago I reported an issue regarding the "Don't require a password on the local network" function in Emby Media Server. This function was susceptible to a login bypass attack by setting the X-Forwarded-For header to a local IP-address:
By using the X-Forwarded-For header and setting it to a local IP address (e.g. 192.168.1.1/127.0.0.1) it is possible to bypass the IP whitelist feature, but not only that: it's possible to bypass authentication completely in some cases where the feature "Don't require a password on the local network" is used.
This issue has been resolved in version 4.7.12.0: "Don't allow local network addresses to be specified in x-forwarded-for and x-real-ip"
I tested this and I confirm that this issue has been resolved. This vulnerability is known as CVE-2021-25827.
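Added illustration, not Emby's code (the server's own fix is not shown in this thread): a Python model of how the "local network" decision should be derived from a request so that a client-chosen X-Forwarded-For or X-Real-IP value cannot make it look local. The trusted-proxy list, function names and sample addresses are assumptions constructed for the example; the rule that a forwarded local address is refused follows the 4.7.12.0 change note quoted above.

```python
import ipaddress
from typing import Mapping, Optional

# Added illustration, not Emby's code: how the "local network" decision behind
# "Don't require a password on the local network" should be derived from the
# request so that a client-supplied header cannot make it look local.

# Explicit list rather than ipaddress.is_private, which also flags the
# documentation ranges (e.g. 203.0.113.0/24) used for sample addresses below.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def is_local(ip: str) -> bool:
    """True when ip lies in a loopback, RFC 1918, ULA or link-local range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LOCAL_NETWORKS)

def client_ip_vulnerable(remote_addr: str, headers: Mapping[str, str]) -> str:
    """Pre-4.7.12.0 behaviour: a forwarding header from anyone overrides the peer."""
    forwarded = headers.get("X-Forwarded-For") or headers.get("X-Real-IP")
    return forwarded.split(",")[0].strip() if forwarded else remote_addr

def client_ip_hardened(remote_addr: str, headers: Mapping[str, str],
                       trusted_proxies: frozenset = frozenset()) -> Optional[str]:
    """Headers count only when the peer is a trusted proxy; the right-most hop
    not added by a trusted proxy is the client; a forwarded local address is
    refused (the 4.7.12.0 rule) and None is returned, meaning origin unknown."""
    if remote_addr not in trusted_proxies:
        return remote_addr                      # direct client: its headers are ignored
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    if not hops and headers.get("X-Real-IP", "").strip():
        hops = [headers["X-Real-IP"].strip()]
    for hop in reversed(hops):
        if hop in trusted_proxies:
            continue                            # hop appended by the proxy chain itself
        return None if is_local(hop) else hop
    return None                                 # no client hop supplied: do not guess

def password_required(remote_addr: str, headers: Mapping[str, str],
                      trusted_proxies: frozenset = frozenset(), skip_on_lan: bool = True) -> bool:
    """Decision for the 'Don't require a password on the local network' option."""
    if not skip_on_lan:
        return True
    ip = client_ip_hardened(remote_addr, headers, trusted_proxies)
    return ip is None or not is_local(ip)
```

With an empty trusted-proxy list, a server reached directly ignores forwarding headers entirely; behind a reverse proxy, only the proxy's own peer address may be listed as trusted, never the whole LAN.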