CVE-2020-11878
📋 TL;DR
This vulnerability allows attackers to gain unauthorized access to Jitsi Meet Docker containers by exploiting default passwords like 'passw0rd' for system accounts. It affects all deployments using the docker-jitsi-meet stack before version stable-4384-1. Attackers could potentially compromise the entire container environment.
💻 Affected Systems
- Jitsi Meet Docker stack (docker-jitsi-meet)
📦 What is this software?
Meet by Jitsi
⚠️ Risk & Real-World Impact
Worst Case
Complete container takeover leading to data exfiltration, lateral movement to other systems, installation of persistent backdoors, and disruption of video conferencing services.
Likely Case
Unauthorized access to container management interfaces, privilege escalation within the container, and potential access to meeting data and credentials.
If Mitigated
Limited impact with proper network segmentation and access controls, though default credentials still pose a significant risk if exposed.
🎯 Exploit Status
Exploitation requires network access to the container management interfaces; default credentials are publicly documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: stable-4384-1
Vendor Advisory: https://github.com/jitsi/docker-jitsi-meet/blob/master/CHANGELOG.md#stable-4384-1
Restart Required: Yes
Instructions:
1. Update docker-jitsi-meet to version stable-4384-1 or later.
2. Pull the latest images: docker-compose pull
3. Restart containers: docker-compose up -d
4. Change all default passwords in your environment configuration.
🔧 Temporary Workarounds
Change Default Passwords
Manually change all default passwords in the .env configuration file before deployment (Linux):
sed -i 's/passw0rd/your_strong_password/g' .env
sed -i 's/YOUR_SECRET_KEY/your_strong_secret/g' .env
Network Isolation
Restrict network access to container management interfaces using firewall rules (Linux):
iptables -A INPUT -p tcp --dport 8000 -j DROP
iptables -A INPUT -p tcp --dport 8443 -j DROP
🧯 If You Can't Patch
- Immediately change all default passwords in the .env configuration file and restart containers
- Implement strict network access controls to limit exposure of container management interfaces
🔍 How to Verify
Check if Vulnerable:
Check whether the .env file contains default passwords such as 'passw0rd' or 'YOUR_SECRET_KEY', and whether the docker-jitsi-meet version is earlier than stable-4384-1.
Check Version:
grep -i version docker-compose.yml && docker-compose version
Verify Fix Applied:
Confirm that the .env file has strong, unique passwords and that the docker-jitsi-meet version is stable-4384-1 or later, using the version check above.
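The .env check described under "Check if Vulnerable", as an added example (not code from the docker-jitsi-meet project or from the original page): a POSIX shell function that reports which variables still hold 'passw0rd' or 'YOUR_SECRET_KEY' without printing any value. It goes slightly beyond the text by also flagging empty *_PASSWORD / *_SECRET variables; the sample file and its variable names are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit a docker-jitsi-meet style .env for the default values
# named on this page. Prints "<VARIABLE> <reason>"; never prints a secret value.

audit_env() (                       # subshell body keeps variables local
    cr=$(printf '\r')
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}          # tolerate CRLF line endings
        case $line in
            ''|'#'*) continue ;;    # blank line or comment
            *=*) ;;                 # KEY=VALUE, handled below
            *) continue ;;
        esac
        key=${line%%=*}
        val=${line#*=}
        case $val in                # strip one pair of surrounding quotes
            \"*\") val=${val#\"}; val=${val%\"} ;;
            \'*\') val=${val#\'}; val=${val%\'} ;;
        esac
        case $val in
            passw0rd|YOUR_SECRET_KEY) echo "$key default"; continue ;;
        esac
        case $key in                # empty secrets are as bad as default ones
            *_PASSWORD|*_SECRET)
                if [ -z "$val" ]; then echo "$key empty"; fi ;;
        esac
    done < "$1"
)

# Constructed sample file; the variable names are assumptions for illustration.
write_sample_env() {
    cat > "$1" <<'EOF'
# constructed sample, not a real deployment
HTTP_PORT=8000
JICOFO_COMPONENT_SECRET=YOUR_SECRET_KEY
JICOFO_AUTH_PASSWORD="passw0rd"
JVB_AUTH_PASSWORD=
JIBRI_XMPP_PASSWORD=constructed-long-random-value
#JIGASI_XMPP_PASSWORD=passw0rd
EOF
}

# Stand-alone use: sh audit_env.sh path/to/.env  (exit status 1 if flagged)
if [ "$#" -gt 0 ]; then
    findings=$(audit_env "$1")
    if [ -n "$findings" ]; then echo "$findings"; exit 1; fi
fi
```

Commented-out lines are skipped on purpose, since they are not passed to the containers.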
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by successful logins with default credentials
- Unusual access patterns to container management interfaces
Network Indicators:
- Unexpected connections to container management ports (8000, 8443)
- Brute force attempts against authentication endpoints
SIEM Query:
source="docker" AND (event="authentication" AND (user="default" OR password="passw0rd")) OR (destination_port IN (8000, 8443) AND NOT source_ip IN (trusted_ips))
🔗 References
- https://github.com/jitsi/docker-jitsi-meet/blob/master/CHANGELOG.md#stable-4384-1
- https://github.com/jitsi/docker-jitsi-meet/compare/stable-4384...stable-4384-1