← Advisories

ReQuest Serious Play F3 Media Server 7.0.3 Remote Denial of Service

Medium
Advisory ID
ZSL-2020-5601
Release Date
18 October 2020
Vendor
ReQuest Serious Play LLC - http://www.request.com
Affected Version
7.0.3.4968 (Pro), 7.0.2.4954, 6.5.2.4954, 6.4.2.4681, 6.3.2.4203, 2.0.1.823
CVE
CVE-2021-4465
Tested On
ReQuest Serious Play® OS v7.0.1, ReQuest Serious Play® OS v6.0.0, Debian GNU/Linux 5.0, Linux 3.2.0-4-686-pae, Linux 2.6.36-request+lenny.5, Apache/2.2.22, Apache/2.2.9, PHP/5.4.45, PHP/5.2.6-1
Summary

F3 packs all the power of ReQuest's multi-zone serious Play servers into a compact powerhouse. With the ability to add unlimited NAS devices, the F3 can handle your entire family's media collection with ease.

Description

The device can be shutdown or rebooted by an unauthenticated attacker when issuing one HTTP GET request.

Proof of Concept
request_dos.txtTXT
Disclosure Timeline
01.08.2020Vulnerability discovered.
16.08.2020Vendor contacted.
17.10.2020No response from the vendor.
18.10.2020Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://packetstormsecurity.com/files/159602/
[2]https://cxsecurity.com/issue/WLB-2020100122
[3]https://exchange.xforce.ibmcloud.com/vulnerabilities/190031
[4]https://www.exploit-db.com/exploits/48951
[5]https://www.vulncheck.com/advisories/request-serious-play-f3-media-server-remote-dos
[6]https://www.cve.org/CVERecord?id=CVE-2021-4465
Changelog
18.10.2020Initial release
20.10.2020Added reference [1] and [2]
26.10.2020Added reference [3] and [4]
27.11.2025Added reference [5] and [6]