Headline
CVE-2023-34237: SABnzbd - Wiki - General
SABnzbd is an open source automated Usenet download tool. A design flaw was discovered in SABnzbd that could allow remote code execution. Manipulating the Parameters setting in the Notification Script functionality allows code execution with the privileges of the SABnzbd process. Exploiting the vulnerabilities requires access to the web interface. Remote exploitation is possible if users[exposed their setup to the internet or other untrusted networks without setting a username/password. By default SABnzbd is only accessible from localhost
, with no authentication required for the web interface. This issue has been patched in commits e3a722
and 422b4f
which have been included in the 4.0.2 release. Users are advised to upgrade. Users unable to upgrade should ensure that a username and password have been set if their instance is web accessible.
Web server
SABnzbd Host
The hostname that will be used to access SABnzbd.
- 127.0.0.1 or [::1] or localhost (default) = Access from this computer only
- empty = Finds and listens on your local (IPv4) IP address. Used for accessing from other computers. localhost will not work anymore so update your bookmarks.
- 0.0.0.0 = Listens on multiple interfaces (both local IP and localhost).
- :: = Listen on both IPv4 and IPv6 addresses for local and network access.
For more information and option to overwrite this setting at startup see Command Line Parameters
SABnzbd Port
The internal webserver needs a port to listen on. The default port is 8080. Try another one if this address is already occupied by another program on your computer.
NOTE macOS and Linux users: ports below 1025 may require SABnzbd launched as root.
Web Interface
Advanced
SABnzbd comes with a few different skins (web interface styles). Pick one here and click on save. For the skin to become active, you have to shutdown SABnzbd and restart it again. Some skins support multiple color schemas.
Language
The program supports more languages.
NOTE Help us translate SABnzbd in your language: add untranslated texts or improved existing translations.
Enable HTTPS
Enable the webserver to use HTTPS.
For more information, see: HTTPS.
NOTE Modern web browsers and other clients will not accept self-signed certificates and will give a warning and/or won’t connect at all.
HTTPS Port
Advanced
Port to be used for listening. Must be different from the normal HTTP port. If empty, the SABnzbd Port set above will only listen to HTTPS (this is the default setting).
HTTPS Certificate
HTTPS Key
HTTPS Chain Certificates
Advanced
Files containing the HTTPS certificate, key and (optionally) chain Certificates.
Security
SABnzbd Username
SABnzbd Password
You may want to limit access to the web interface to people knowing a username and password for the interface.
External internet access
Set the access level for connections from outside the local network.
By default, all IP addresses in a private network range, such as 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 and fd00::/8 are considered local. To define custom local network ranges, use the Special local_ranges setting.
- API:
- No access = No outside access is allowed at all.
- Add NZB files = Only NZB’s can be added via the API, nothing else.
- API (no config) = API is fully available (queue/history/add+remove NZB’s/etc), except for methods that get or edit the configuration.
- Full API = All API methods are available, including editing the configuration.
- Full API & Web Interface:
- Full Web Interface = The full API methods and the web interface are available. Users are always shown the login screen if username/password are set.
- Full Web interface - Only external access requires login = Only users outside the local network ranges are shown the login screen if username and password are set.
API Key
This is the secret key that is needed in API calls.
NOTE When you click the Change button, you’ll need to tell your utilities the new key.
NZB Key
This is similar to the API Key, but only allows external applications to add NZB’s.
NOTE After adding NZB’s, external applications do not have access to the queue to monitor the progress of the download.
NOTE When you click the Change button, you’ll need to tell your utilities the new key.
Switches
Launch browser on startup
Enable to auto-launch of the browser when SABnzbd is started.
Check for new release
If enabled, SABnzbd will check once a week whether a new release has been published.
HTTPS certificate verification
Advanced
Verify certificates when connecting to indexers and RSS-sources using HTTPS. Some websites do not have proper certificates and some systems might not be configured correctly.
SOCKS5 Proxy
Advanced
Connection information is entered as a URL, ie:
- socks5://username:[email protected]:port or
- socks5://hostname:port (no login)
NOTE The connection between the client and the server will use SSL if enabled. However, the connection between the proxy and the client will not. This means that the data transferred between the client and the server is hidden for anyone including the proxy, but the username and password for the proxy and the server address are unencrypted.
Tuning
Maximum line speed
Set how fast your internet connection is, in bytes/sec.
NOTE If you have an ISP-speed of 10Mbit/sec, you should enter 1MB/s here.
Percentage of line speed
Advanced
Which percentage of the line speed should SABnzbd use, e.g. 50. This value is used as the default value when SABnzbd starts.
Setting a value of 0 disables any limit.
Article Cache Limit
Advanced
How much memory (RAM) can be used for caching (reducing disk access). This value is set automatically when SABnzbd is started for the first time to 25% of the system’s memory or 2G if you have more than 8GB of memory.
You enter the amount in bytes but you can use factors like K, M, G etc. eg: 70M = 70 MB cache.
- number = Maximum memory (in bytes)
- 0 = Disable Cache
- -1 = Unlimited, up to maximum for your system (1 or 4GB).
See High speed downloading for more information.
Article Cache is limited to 1G on 32bit systems and 4G on 64bit systems.
Backup
Create backup
Create a backup of the configuration file and databases in the Backup Folder. If the Backup Folder is not set, the backup will be created in the Completed Download Folder.
You can also schedule a recurring backup in Scheduling.
WARNING The backup contains all sensitive information like your passwords and API keys!
NOTE The backup can only be created in this folder to prevent an attacker easy access to all your passwords and API-keys if they somehow manage to enter the configuration.
Restore backup
Restore a backup of the configuration file and databases.
Related news
Gentoo Linux Security Advisory 202312-11 - A vulnerability has been found in SABnzbd which allows for remote code execution. Versions greater than or equal to 4.0.2 are affected.