A critical remote execution flaw was found in a popular Ukrainian TV streaming middleware platform, which when exploited allows the attackers to bypass authentication and extract the user’s database, including their financial details. The attackers could also get control of the streaming service and stream any content on display.
According to the researchers at Check Point, the vulnerability resides in the administrative panel of Ministra TV platform which was earlier known as Stalker Portal. It is a software written in PHP that works as a middleware platform for media streaming services for managing Internet Protocol television (IPTV), video-on-demand (VOD) and over-the-top (OTT) content, licenses and their subscribers.
The Ministra software was developed by Ukrainian company, Infomir and is currently being used by over a thousand online media streaming services.
The researchers published in a blog post that Ministra is used to manage set-top boxes (STBs) and it acts as a conduit between consumer STBs and television service providers which buy into the platform.
Ministra needs authentication to access but due to the security vulnerability this protection was removed. This allows a remote attacker to bypass authentication and perform SQL injection through a separate vulnerability.
It is difficult to estimate the total impact of the security flaw, but since more than 1000 content providers and resellers are connected to Ministra, it is believed that a large number of customers worldwide will be affected.
To get the television broadcast, the STB connects to the Ministra and service providers use the Ministra platform to manage their clients. The risk is that the whole customer database of personal information and financial details could be stolen and also allows the attacker to stream any content they choose on to the screens of their customer network.
The vulnerability which was first discovered in 2018 was patched before public disclosure in Ministra version 5.4.1. All the vendors are highly recommended to update their system to the latest version at the earliest.