CVE-2020-36877: Critical Unauthenticated RCE Vulnerability in ReQuest Serious Play F3 Media Server

Overview

CVE-2020-36877 is a critical security vulnerability affecting ReQuest Serious Play F3 Media Server version 7.0.3. This vulnerability allows unauthenticated attackers to execute arbitrary code on the server. The root cause is the ability to upload PHP executable files through the “Quick File Uploader” page, bypassing any authentication mechanisms. This effectively grants attackers complete control over the affected system.

Technical Details

The vulnerability resides in the “Quick File Uploader” functionality of the ReQuest Serious Play F3 Media Server. Due to inadequate input validation and lack of authentication, an attacker can directly upload a PHP file containing malicious code. Once the file is uploaded to a publicly accessible directory, the attacker can trigger its execution by simply accessing the file via a web browser. This results in the PHP code being executed with the privileges of the web server user, which often has significant access to the system. The absence of proper authentication on this upload page is the primary factor enabling this remote code execution.

CVSS Analysis

The CVSS score and severity level for CVE-2020-36877 are not explicitly provided in the initial data. However, because the description is of an unauthenticated remote code execution (RCE) vulnerability, it is highly probable that the CVSS score would be in the critical range (9.0-10.0). A critical CVSS score reflects the high potential for significant impact and ease of exploitation.

Possible Impact

The impact of CVE-2020-36877 is severe. Successful exploitation allows attackers to:

  • Gain complete control over the affected server.
  • Steal sensitive data stored on the server, including user credentials, financial information, and proprietary data.
  • Install malware, such as ransomware, to further compromise the system and network.
  • Use the compromised server as a staging ground for attacks against other systems on the network or the internet.
  • Deface the website hosted on the server.
  • Disrupt services and operations.

Mitigation or Patch Steps

To mitigate the risk posed by CVE-2020-36877, the following steps should be taken:

  1. Apply the Patch: Check the ReQuest website for a security patch or update for the F3 Media Server. Applying the official patch is the most effective way to address this vulnerability.
  2. Disable the Quick File Uploader: If a patch is not immediately available, consider disabling the “Quick File Uploader” feature as a temporary workaround. This will prevent attackers from exploiting the vulnerability until a permanent fix can be implemented.
  3. Implement Strong Authentication: If disabling the uploader is not feasible, implement strong authentication on the “Quick File Uploader” page. Ensure that only authorized users can access and use this feature.
  4. Input Validation: Implement robust input validation to prevent the upload of executable files, such as PHP files. Whitelist allowed file types and enforce strict filename restrictions.
  5. Web Application Firewall (WAF): Deploy a web application firewall (WAF) to detect and block malicious requests targeting the “Quick File Uploader” page.
  6. Regular Security Audits: Conduct regular security audits and penetration testing to identify and address vulnerabilities in your systems.
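
The allowlist and filename checks from step 4, written in Python as an added example (not ReQuest's code and not part of the original advisory). The allowed media types, the list of server-executable extensions and all function names are assumptions chosen for illustration.

```python
import re
import secrets

# Assumed allowlist for illustration: extension -> accepted leading magic bytes.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Extensions that PHP-enabled web servers are commonly configured to execute.
SERVER_EXECUTABLE = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".pht"}
# Strict filename policy: must start alphanumeric (blocks dotfiles such as .htaccess),
# no path separators, NUL bytes, spaces or control characters, at most 100 characters.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")

class UploadRejected(ValueError):
    """Raised when an upload fails the filename or content policy."""

def validate_upload(client_name: str, content: bytes) -> str:
    """Return a server-generated storage name, or raise UploadRejected."""
    if not SAFE_NAME.fullmatch(client_name) or client_name.endswith("."):
        raise UploadRejected("filename violates naming policy")
    # Inspect every dot-separated suffix, lowercased, so that both
    # shell.php.jpg and shell.PHP are caught.
    suffixes = ["." + part for part in client_name.lower().split(".")[1:]]
    if not suffixes:
        raise UploadRejected("missing extension")
    if any(s in SERVER_EXECUTABLE for s in suffixes):
        raise UploadRejected("server-executable extension present")
    final = suffixes[-1]
    if final not in ALLOWED:
        raise UploadRejected("extension not on allowlist")
    # The declared type must match the leading bytes of the content.
    if not content.startswith(ALLOWED[final]):
        raise UploadRejected("content does not match declared type")
    # Never store the file under the client-supplied name.
    return secrets.token_hex(16) + final

def is_accepted(client_name: str, content: bytes) -> bool:
    try:
        validate_upload(client_name, content)
    except UploadRejected:
        return False
    return True

if __name__ == "__main__":
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16      # constructed sample bytes
    script = b"<?php /* constructed sample */ ?>"  # constructed sample bytes
    for name, data in [("cover.jpg", jpeg), ("shell.php", script),
                       ("shell.php.jpg", jpeg), ("cover.jpg", script)]:
        print(name, "accepted" if is_accepted(name, data) else "rejected")
```

Magic-byte checks do not stop polyglot files, so it is the allowlisted extension and the server-generated name that keep a stored file from being handed to the PHP interpreter.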

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.