View Single Post
  #1  
Old 01-19-2020, 05:55 PM
Darryl Ramm Darryl Ramm is offline
Member
 
Join Date: Nov 2010
Location: USA
Posts: 13,633
Default Plugin directory security weakness - check your plugin directory permissions

Is your Pro Tools plugin directory writable by anybody? You might want to fix that....

---

I wanted to make other users aware that some Pro Tools for Mac installs prior to 2019.12 seem to have effectively no file security to protect plugins from possible malicious abuse. That was a concerning security issue for me. I noticed this on earlier 2019 release, it may have been around for years, I have no idea.

This was a surprise to me when I noticed, I let Avid know several months ago and they addressed this in 2019.12. Unfortunately I don't see any mention of this in the release notes or any warning about this to users of older versions of Pro Tools. Hence this post...

You probably don't ever want an untrusted plugin installed by somebody else into Pro Tools and possibly doing whatever it wants. It might be able to do potentially anything, ... maybe exfiltrate you or your clients assets, launch a content encryption/ransomware attack, or mess with you in other ways etc. ... thats' just a nightmare fantasy list, I have no proof of exploit or any idea if there is an exploit using this weakness.

Good security relies on multiple layers of defense here, including say network security, perimeter protection on the computer, code signing for plugins, and basic UNIX security file permissions once inside the computer that would prevent malicious actors say being able to trivially install new plugins.

My specific concert is a failure in that later point, that the Pro Tools Installer used to create the plugin /Library/Application Support/Avid/Audio/Plug-Ins writable by all.

If you run the 2019.12 installer with a previous version installed it will remove the write permission for "all" on the Plug-Ins and Plug-Ins (Unused) directories. This is what you will see:

# After Pro Tools 2019.6 Install...
$ ls -ld /Library/Application\ Support/Avid/Audio/*
drwxrwxrwx 7 root admin 224 Jan 19 14:51 /Library/Application Support/Avid/Audio/Plug-Ins
drwxrwxrwx 2 root admin 64 Jan 19 14:51 /Library/Application Support/Avid/Audio/Plug-Ins (Unused)

-- the last "w" on the permissions for each directory there is the problem.

# After Pro Tools 2019.12 Install...
$ ls -ld /Library/Application\ Support/Avid/Audio/*
drwxrwxr-x 7 root admin 224 Jan 19 15:23 /Library/Application Support/Avid/Audio/Plug-Ins
drwxrwxr-x 2 root admin 64 Jan 19 14:51 /Library/Application Support/Avid/Audio/Plug-Ins (Unused)

You can fix this write all permission issues on the Plugin folder with the following

$ cd /Library/Application\ Support/Avid/Audio
$ sudo chmod a-w *

To be clear I have absolutely no indication of an actual exploit here. An exploit is unlikely to be simple, would likely need access to plugin SDKs, pretty deep knowledge of stuff, and PACE signing of the plugin (or bypassing that). But again good security is build in-layers and in-depth, and this is just such a glaring silly thing it needs to be fixed.

---

Surprisingly the changes in 2019.12 Avid still leaves the higher level /Library/Application Support/Avid directory writable by all, its less of an issue that leaving the Plug-Ins directory writable by all. It's also intersting to me that the /Library/Application Support/PACE Anti-Security/ directory also gets installed writable by all. I am just at a loss why this sloppiness exists.

I suggest folks check permissions on their Plugin directories, plugin files and other directories and files like /Library/Application Support/Avid and remove write permission to all there as well). If this causes later installer errors etc. too bad.

If you are in a large studio/corporate environment with a strict security requirements you may want to discuss how to deal with this with your IT security staff.

I have not looked at Windows installs to know if there are any issues there, or other products like Media Composer. (Edit: I do below, it's been broken at least in the past as well).

Last edited by Darryl Ramm; 01-20-2020 at 01:03 AM.
Reply With Quote