CVE-2020-36876: Critical Unauthenticated Data Leak in ReQuest Serious Play F3 Media Server

Overview

CVE-2020-36876 describes a critical vulnerability affecting multiple versions of the ReQuest Serious Play F3 Media Server. Specifically, versions 7.0.3.4968 (Pro), 7.0.2.4954, 6.5.2.4954, 6.4.2.4681, 6.3.2.4203, and 2.0.1.823 are susceptible to an unauthenticated information disclosure flaw. This flaw allows remote, unauthenticated attackers to access the webserver’s Python debug log file, potentially exposing highly sensitive system information, credentials, file paths, running processes, and command-line arguments.

Technical Details

The vulnerability resides in the lack of access control on the message_log page of the ReQuest Serious Play F3 Media Server. By simply navigating to this page, an attacker can download the Python debug log file. This file contains a wealth of sensitive data, including:

  • System configuration details
  • User credentials (potentially in plaintext or easily reversible formats)
  • Internal file paths and directory structures
  • Lists of running processes, revealing software versions and configurations
  • Command-line arguments used to launch processes, which could expose sensitive parameters

The attack vector is straightforward, requiring no authentication or specialized knowledge beyond knowing the vulnerable URL.

CVSS Analysis

Although a CVSS score is not currently available (N/A), this vulnerability represents a high-risk security flaw. The lack of authentication combined with the sensitivity of the exposed data elevates the potential impact. A CVSS score would likely be high, approaching critical, given the potential for remote code execution or complete system compromise if credentials are leaked.

Possible Impact

Successful exploitation of CVE-2020-36876 can have severe consequences, including:

  • Data Breach: Exposure of sensitive user credentials and system configuration data.
  • System Compromise: Attackers can use exposed credentials or file paths to gain unauthorized access to the server.
  • Lateral Movement: Compromised credentials can be used to access other systems on the network.
  • Denial of Service: Information gathered from the logs can be used to craft targeted attacks that disrupt the server’s operation.
  • Remote Code Execution: Depending on the exposed configuration and credentials, attackers might be able to execute arbitrary code on the server.

Mitigation and Patch Steps

Unfortunately, the information about official patches or mitigations from ReQuest is limited. However, the following steps are recommended to address this vulnerability:

  1. Contact ReQuest Support: Immediately contact ReQuest support to inquire about available patches or workarounds. Visit their official website (see References) for contact information.
  2. Network Segmentation: Isolate the F3 Media Server on a segmented network to limit the potential impact of a breach.
  3. Access Control Lists (ACLs): Implement strict ACLs to restrict access to the message_log page. Require authentication for accessing this page. While this may not fully address the vulnerability, it provides a layer of defense.
  4. Web Application Firewall (WAF): Deploy a WAF to detect and block malicious requests targeting the vulnerable page.
  5. Monitor System Logs: Carefully monitor system logs for any suspicious activity related to access attempts on the message_log page.
  6. Disable Debug Logging: If possible, disable the debug log.
  7. Upgrade: Upgrade to the latest version as soon as a patched version is released by the vendor.
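One way to support steps 3 and 5 is to scan web access logs for requests to the message_log page and check whether each was served or refused. The Python below is an added example, not code from ReQuest or from the original post. It assumes a reverse proxy in front of the server that writes Combined Log Format; the management subnet, sample paths, and sample log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumption: the management subnet allowed to reach the page (constructed value).
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def classify(line):
    """Return a finding dict for a request to the message_log page, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Drop the query string, percent-decode and lower-case so encoded variants match.
    path = unquote(m["target"].split("?", 1)[0]).lower()
    if "message_log" not in path:
        return None
    try:
        trusted = any(ipaddress.ip_address(m["ip"]) in n for n in ALLOWED_NETS)
    except ValueError:          # hostname instead of an address: treat as untrusted
        trusted = False
    size = 0 if m["size"] == "-" else int(m["size"])
    status = int(m["status"])
    if trusted:
        severity = "expected"   # administrator on the management subnet
    elif 200 <= status < 300 and size > 0:
        severity = "disclosed"  # log body was returned to an outside client
    elif status in (401, 403):
        severity = "blocked"    # the ACL or authentication requirement held
    else:
        severity = "probe"      # redirect, 404, etc.: someone is looking for the page
    return {"ip": m["ip"], "time": m["time"], "status": status,
            "bytes": size, "severity": severity}

def scan(lines):
    """Classify every line and keep only the message_log findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample lines (documentation address ranges, constructed paths).
SAMPLE = [
    '203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /message_log HTTP/1.1" 200 48213 "-" "curl/8.0"',
    '203.0.113.7 - - [12/Mar/2024:10:01:09 +0000] "GET /%6dessage_log HTTP/1.1" 403 153 "-" "curl/8.0"',
    '10.20.0.15 - admin [12/Mar/2024:10:05:00 +0000] "GET /message_log HTTP/1.1" 200 48213 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Mar/2024:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
```

Any "disclosed" finding means the debug log left the server, so credentials that may appear in it should be rotated.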

References

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
