ReQuest Serious Play F3 Media Server 7.0.3 Remote Denial of Service

Title: ReQuest Serious Play F3 Media Server 7.0.3 Remote Denial of Service
Advisory ID: ZSL-2020-5601
Type: Local/Remote
Impact: DoS
Risk: (3/5)
Release Date: 18.10.2020
Summary
F3 packs all the power of ReQuest's multi-zone serious Play servers into a compact powerhouse. With the ability to add unlimited NAS devices, the F3 can handle your entire family's media collection with ease.
Description
The device can be shutdown or rebooted by an unauthenticated attacker when issuing one HTTP GET request.
Vendor
ReQuest Serious Play LLC - http://www.request.com
Affected Version
7.0.3.4968 (Pro)
7.0.2.4954
6.5.2.4954
6.4.2.4681
6.3.2.4203
2.0.1.823
Tested On
ReQuest Serious Play® OS v7.0.1
ReQuest Serious Play® OS v6.0.0
Debian GNU/Linux 5.0
Linux 3.2.0-4-686-pae
Linux 2.6.36-request+lenny.5
Apache/2.2.22
Apache/2.2.9
PHP/5.4.45
PHP/5.2.6-1
Vendor Status
[01.08.2020] Vulnerability discovered.
[16.08.2020] Vendor contacted.
[17.10.2020] No response from the vendor.
[18.10.2020] Public security advisory released.
PoC
request_dos.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://packetstormsecurity.com/files/159602/
[2] https://cxsecurity.com/issue/WLB-2020100122
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/190031
[4] https://www.exploit-db.com/exploits/48951
Changelog
[18.10.2020] - Initial release
[20.10.2020] - Added reference [1] and [2]
[26.10.2020] - Added reference [3] and [4]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk