CVE-2022-26505
📋 TL;DR
CVE-2022-26505 is a DNS rebinding vulnerability in ReadyMedia (formerly MiniDLNA) that allows a malicious web server to bypass same-origin policy and exfiltrate media files from the DLNA server. This affects all ReadyMedia/MiniDLNA installations before version 1.3.1 that are accessible to untrusted networks. Attackers can steal media files without authentication by tricking users into visiting malicious websites.
💻 Affected Systems
- ReadyMedia
- MiniDLNA
📦 What is this software?
Readymedia by Readymedia Project
⚠️ Risk & Real-World Impact
Worst Case
Complete exfiltration of all media files from the DLNA server, potentially including sensitive personal media, to attacker-controlled servers.
Likely Case
Targeted exfiltration of specific media files when users visit malicious websites while the DLNA server is accessible.
If Mitigated
Limited impact if the server is isolated from untrusted networks or DNS filtering blocks rebinding responses.
🎯 Exploit Status
Exploitation requires user interaction (visiting a malicious website) and network access to the DLNA server.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.1
Vendor Advisory: https://sourceforge.net/p/minidlna/git/ci/c21208508dbc131712281ec5340687e5ae89e940/
Restart Required: Yes
Instructions:
1. Download ReadyMedia 1.3.1 or later from the official source.
2. Stop the minidlna service.
3. Install the new version.
4. Restart the service.
🔧 Temporary Workarounds
Network Isolation
Linux: Restrict network access to the DLNA server to trusted networks only.
iptables -A INPUT -p tcp --dport 8200 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 8200 -j DROP
Disable Web Interface
Linux: Disable the web interface if not needed.
Edit minidlna.conf: set 'port=0' or 'enable_tivo=no'
🧯 If You Can't Patch
- Isolate the DLNA server to a separate VLAN with no internet access
- Implement strict DNS filtering to prevent DNS rebinding attacks
🔍 How to Verify
Check if Vulnerable:
Check if version is below 1.3.1: minidlnad -V | grep Version
Check Version:
minidlnad -V
Verify Fix Applied:
Confirm the version is 1.3.1 or higher and test that the web interface still functions properly.
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP requests to media files from external IPs
- Multiple failed DNS resolution attempts
Network Indicators:
- HTTP requests for media files from domains that resolve to internal IPs
- DNS queries for attacker-controlled domains
SIEM Query:
source="minidlna.log" AND (http_request="GET /" OR http_request="GET /MediaItems/") AND src_ip NOT IN [trusted_networks]
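The network indicator above (external domains that resolve to internal IPs) and the DNS filtering mitigation both reduce to one check on resolver answers. The following is an added example, not code from ReadyMedia or from this advisory; the log tuple format, the sample records and the `LOCAL_ZONES` allowlist are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: (client, queried name, answer) tuples as a resolver log might export them.
SAMPLE_DNS_LOG = [
    ("192.168.1.23", "cdn.example.net", "198.51.100.10"),
    ("192.168.1.23", "a1b2.rebind.example", "203.0.113.7"),
    ("192.168.1.23", "a1b2.rebind.example", "192.168.1.50"),
    ("192.168.1.40", "nas.home.arpa", "192.168.1.50"),
    ("192.168.1.40", "tracker.example.org", "127.0.0.1"),
]

# Assumption: zones that may legitimately resolve to internal addresses on this network.
LOCAL_ZONES = ("home.arpa", "lan")

# Address ranges an externally hosted name should never resolve to.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in INTERNAL_NETS)

def in_local_zone(name):
    return any(name == zone or name.endswith("." + zone) for zone in LOCAL_ZONES)

def find_rebinding(records):
    """Flag non-local names whose answers point at internal address space."""
    seen_public = set()   # names that have already answered with a public address
    findings = []
    for client, name, answer in records:
        name = name.rstrip(".").lower()
        if in_local_zone(name):
            continue                      # internal answers are expected here
        if is_internal(answer):
            findings.append({
                "client": client,
                "name": name,
                "answer": answer,
                # public-then-internal for the same name is the rebinding pattern
                "flipped_from_public": name in seen_public,
            })
        else:
            seen_public.add(name)
    return findings

if __name__ == "__main__":
    for finding in find_rebinding(SAMPLE_DNS_LOG):
        print(finding)
```

A resolver that drops such answers outright applies the same rule as a filter; findings with `flipped_from_public` set are the ones to triage first.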
🔗 References
- http://www.openwall.com/lists/oss-security/2022/03/06/1
- https://lists.debian.org/debian-lts-announce/2022/04/msg00005.html
- https://security.gentoo.org/glsa/202311-12
- https://sourceforge.net/p/minidlna/git/ci/c21208508dbc131712281ec5340687e5ae89e940/
- https://www.openwall.com/lists/oss-security/2022/03/03/1