UPnP Access to Files without our permissions

Topics related to system security only
quella
Posts: 15
Joined: 02 Aug 2022, 08:49

UPnP Access to Files without our permissions

Post by quella »

Found something that may be of concern to some here that are security focused. If others can attempt to reproduce it on their systems, we may be able to get this issue corrected in a future release. I'm unsure if this issue is only in this firmware release (v5.1.34) or not.

This morning, after upgrading, I stumbled upon TNOS permitting someone (unauthenticated) access to all files even when they do not have the proper file/folder permissions (authentication/authorization) set on the files or folder. I have a folder configured to deny all users and groups except for one user who stores videos, audio, and photos. If I launch the VLC application on Mac or iOS and select the Universal Plug and Play (UPnP) option from the left menus, I see my NAS listed. When I double-click on the device in VLC, it opens with a directory tree and displays all files for all my users across all volumes. Even with UPnP disabled in the GUI on the NAS itself under Discovery Service, VLC walks all the folders and exposes the files on the NAS regardless of permissions. I was even able to play some videos and open pictures from users whose files should only be accessed by themselves and not others. I will try to test this with other tools on iTV or other UPnP systems/applications to see if this is unique to VLC or affects other tools as well.

I would be happy to be proven wrong and it is some odd configuration that is enabled causing this. However, I did go back and confirm my TNAS settings and file/folder permissions, then retested, and it continues to work. Thoughts or options to block this, as it exposes all files to anyone who wants to launch VLC on my network?
quella
Posts: 15
Joined: 02 Aug 2022, 08:49

Re: UPnP Access to Files without our permissions

Post by quella »

So, while doing some more research on the above issues, I believe I found the cause of the feature/bug exposing files via UPnP even when UPnP as a service is disabled on the device.

It seems as long as you have a media index created, UPnP/DLNA clients, such as VLC, can walk the index file and display all the files in the index without requiring the user to have an account. When I rebuilt my media index with a limited set of data in a few folders with various file types, only the files of the type I set to be indexed were displayed in VLC under the UPnP option. Secondly, when I completely removed and disabled media indexing on the NAS, VLC does not see a UPnP server on my network.

I'm not sure it is a best practice to allow anyone to see the contents of the index without having to first log in. That to me is too much of a risk, so I now have to ensure media indexing is disabled until the issue can be addressed by the vendor.

I'm continuing to test and play, I'll report more if I find anything else.
TMroy
TerraMaster Team
Posts: 2607
Joined: 10 Mar 2020, 14:04
China

Re: UPnP Access to Files without our permissions

Post by TMroy »

Thank you for your report. We will verify and fix the issue.
To contact our team, please send an email to the following addresses; remember to replace (at) with @:
Support team: support(at)terra-master.com (for technical support only)
Service team: service(at)terra-master.com (for purchasing, return, replacement, RMA service)