UPnP Access to Files without our permissions
Posted: 11 May 2023, 20:51
Found something that may be of concern to some here that are security focused. If others can attempt to reproduce it on their systems, we may be able to get this issue corrected in a future release. I'm unsure if this issue is only in this firmware release (v5.1.34) or not.
This morning, after upgrading, I stumbled upon TNOS permitting someone (unauthenticated) access to all files even when they do not have the proper file/folder permissions (authentication/authorization) set on the files or folder. I have a folder configured to deny all users and groups except for one user who stores videos, audio, and photos. If I launch the VLC application on Mac or iOS and select the Universal Plug and Play (UPnP) option from the left menus, I see my NAS listed. When I double-click on the device in VLC, it opens with a directory tree and displays all files for all my users across all volumes. Even with UPnP disabled in the GUI on the NAS itself under Discovery Service, VLC walks all the folders and exposes the files on the NAS regardless of permissions. I was even able to play some videos and open pictures from users whose files should be accessible only to themselves and not others. I will try to test this with other tools on iTV or other UPnP systems/applications to see if this is unique to VLC or affects other tools as well.
I would be happy to be proven wrong and find it is some odd configuration that is enabled causing this. However, I did go back and confirm my TNAS settings and file/folder permissions and then retested, and it continues to work. Thoughts or options to block this, as it exposes all files to anyone who wants to launch VLC on my network?
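A way to reproduce what the post describes without VLC, so the result can be pinned to the NAS rather than to one client. This is an added example and not code from the original post, from TerraMaster, or from VLC. It assumes the NAS runs a standard UPnP AV MediaServer (service type urn:schemas-upnp-org:service:ContentDirectory:1, the protocol VLC's UPnP browser speaks); the SSDP multicast address, the SOAP Browse action and the DIDL-Lite result format are from the UPnP AV spec, while the host names, URLs and the sample Browse result below are constructed placeholders. The script multicasts an SSDP M-SEARCH for ContentDirectory, fetches the responder's device description to find the control URL, then issues an unauthenticated Browse of the root container and prints what comes back.

```python
# Added example (not from the original post): probe the LAN for a UPnP AV
# ContentDirectory service and list its root container without any credentials.
import socket
import sys
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

SSDP_ADDR = ("239.255.255.250", 1900)  # SSDP multicast group/port from the UPnP spec
CDS_TYPE = "urn:schemas-upnp-org:service:ContentDirectory:1"
DEV_NS = {"d": "urn:schemas-upnp-org:device-1-0"}
DIDL_NS = {"didl": "urn:schemas-upnp-org:metadata-1-0/DIDL-Lite/",
           "dc": "http://purl.org/dc/elements/1.1/"}

def build_msearch(st=CDS_TYPE, mx=2):
    """SSDP M-SEARCH that asks only ContentDirectory servers to answer."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
            'MAN: "ssdp:discover"\r\n'
            f"MX: {mx}\r\n"
            f"ST: {st}\r\n\r\n").encode()

def parse_ssdp_response(data):
    """Header dict (lower-case keys) from an HTTP-style SSDP reply."""
    headers = {}
    for line in data.decode(errors="replace").split("\r\n")[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    return headers

def discover(timeout=3.0):
    """Multicast the M-SEARCH and map responder IP -> LOCATION (device description URL)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), SSDP_ADDR)
    found = {}
    try:
        while True:
            data, addr = sock.recvfrom(65507)
            h = parse_ssdp_response(data)
            if "location" in h:
                found[addr[0]] = h["location"]
    except socket.timeout:
        pass
    return found

def control_url(location):
    """Fetch the device description and return the ContentDirectory control URL, or None."""
    with urllib.request.urlopen(location, timeout=5) as r:
        root = ET.fromstring(r.read())
    for svc in root.iter("{urn:schemas-upnp-org:device-1-0}service"):
        if svc.findtext("d:serviceType", namespaces=DEV_NS) == CDS_TYPE:
            return urllib.parse.urljoin(location, svc.findtext("d:controlURL", namespaces=DEV_NS))
    return None

def build_browse(object_id="0", count=50):
    """SOAP body for Browse(BrowseDirectChildren). Note: no credential field exists in the action."""
    return ('<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:Browse xmlns:u="{CDS_TYPE}">'
            f'<ObjectID>{object_id}</ObjectID><BrowseFlag>BrowseDirectChildren</BrowseFlag>'
            '<Filter>*</Filter><StartingIndex>0</StartingIndex>'
            f'<RequestedCount>{count}</RequestedCount><SortCriteria></SortCriteria>'
            '</u:Browse></s:Body></s:Envelope>')

def parse_didl(didl_xml):
    """(object id, title, is_container) for every container/item in a DIDL-Lite document."""
    out = []
    for el in ET.fromstring(didl_xml):
        tag = el.tag.split("}")[-1]
        if tag in ("container", "item"):
            out.append((el.get("id"), el.findtext("dc:title", default="", namespaces=DIDL_NS),
                        tag == "container"))
    return out

def browse(ctrl, object_id="0"):
    """POST the Browse action to the control URL and return the parsed listing."""
    req = urllib.request.Request(ctrl, data=build_browse(object_id).encode(),
                                 headers={"Content-Type": 'text/xml; charset="utf-8"',
                                          "SOAPAction": f'"{CDS_TYPE}#Browse"'})
    with urllib.request.urlopen(req, timeout=10) as r:
        env = ET.fromstring(r.read())
    result = env.find(".//Result")  # Result carries XML-escaped DIDL-Lite; ET unescapes it
    return parse_didl(result.text) if result is not None and result.text else []

# Constructed sample of a Browse Result (not captured from a real NAS), used for offline checks.
SAMPLE_DIDL = (
    '<DIDL-Lite xmlns="urn:schemas-upnp-org:metadata-1-0/DIDL-Lite/" '
    'xmlns:dc="http://purl.org/dc/elements/1.1/">'
    '<container id="64" parentID="0" restricted="1"><dc:title>Browse Folders</dc:title></container>'
    '<item id="64$1" parentID="64" restricted="1"><dc:title>holiday.mp4</dc:title>'
    '<res protocolInfo="http-get:*:video/mp4:*">http://nas.example/MediaItems/1.mp4</res></item>'
    '</DIDL-Lite>')

if __name__ == "__main__":
    servers = discover()
    if not servers:
        print("no ContentDirectory responders on this LAN")
        sys.exit(0)
    for ip, loc in servers.items():
        ctrl = control_url(loc)
        print(f"{ip}: {loc} -> control URL {ctrl}")
        for oid, title, is_dir in (browse(ctrl) if ctrl else []):
            print("   ", "[dir] " if is_dir else "[file]", oid, title)
```

Run it once with the NAS's Discovery Service UPnP toggle on and once with it off. If the second run still gets a ContentDirectory reply and a root listing, the media server service itself is still running and answering Browse requests independently of that toggle, which is the thing to raise with the vendor; if it answers only while the toggle is on, the two settings are coupled and the question becomes whether the media server should be honoring share permissions at all. Changing the `object_id` passed to `browse()` to a container id from the listing walks deeper, which is what VLC does when you expand a folder.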