The massive breach at LastPass was the result of one of its engineers failing to update Plex on their home computer, a sobering reminder of the dangers of failing to keep software up to date.
The embattled password management service last week revealed how unidentified actors leveraged information stolen from an earlier incident that took place prior to August 12, 2022, along with details "available from a third-party data breach and a vulnerability in a third-party media software package to launch a coordinated second attack" between August and October 2022.
The intrusion ultimately enabled the adversary to steal partially encrypted password vault data and customer information.
The second attack specifically singled out one of the four DevOps engineers, targeting their home computer with keylogger malware to obtain the credentials and breach the cloud storage environment.
This, in turn, is said to have been made possible by exploiting a nearly three-year-old, now-patched flaw in Plex to achieve code execution on the engineer's computer, the streaming media service told The Hacker News in a statement.
The vulnerability in question is CVE-2020-5741 (CVSS score: 7.2), a deserialization flaw impacting Plex Media Server on Windows that allows a remote, authenticated attacker to execute arbitrary Python code in the context of the current operating system user.
"This issue allowed an attacker with access to the server administrator's Plex account to upload a malicious file via the Camera Upload feature and have the media server execute it," Plex said in an advisory released at the time.
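The deserialization pattern behind a flaw of this class, as an added illustration (not Plex's code; the metadata shape, field names and helper functions are assumptions): an upload handler that unpickles uploader-controlled bytes, beside two hardened alternatives a reviewer would ask for.

```python
import io
import json
import os
import pickle

# Constructed sample: metadata a benign camera upload might carry (assumed shape, not Plex's format).
BENIGN_META = {"filename": "IMG_0001.jpg", "width": 4032, "height": 3024}
META_KEYS = {"filename", "width", "height"}


def load_metadata_unsafe(blob: bytes):
    """Vulnerable pattern: pickle.loads on bytes supplied by the uploader.
    Unpickling resolves (and can call) any importable callable, so the
    uploaded file, not the server, decides what code runs in the process."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened pickle: refuse every global reference. Plain containers and
    scalars (dict, list, str, int, float) never go through find_class, so
    benign metadata still loads while anything naming module-level code is
    rejected before it can be resolved."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refused global {module}.{name}")


def load_metadata_restricted(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def load_metadata_json(blob: bytes) -> dict:
    """Preferred fix: a data-only format plus explicit schema validation."""
    obj = json.loads(blob.decode("utf-8"))
    if not isinstance(obj, dict) or set(obj) != META_KEYS:
        raise ValueError("unexpected metadata shape")
    if not isinstance(obj["filename"], str) or not all(isinstance(obj[k], int) for k in ("width", "height")):
        raise ValueError("unexpected metadata types")
    return obj


def benign_blob() -> bytes:
    return pickle.dumps(BENIGN_META)


def untrusted_blob() -> bytes:
    # A pickle that merely *references* os.system (nothing is called); it stands
    # in for any upload that names code instead of carrying data.
    return pickle.dumps(os.system)


def is_rejected(blob: bytes) -> bool:
    """True if the restricted loader refuses the blob."""
    try:
        load_metadata_restricted(blob)
    except pickle.UnpicklingError:
        return True
    return False
```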
The issue, which was discovered and reported to Plex by Tenable in March 2020, was addressed by Plex in version 126.96.36.19964 released on May 7, 2020. The current version of Plex is 188.8.131.5233.
"Unfortunately, the LastPass employee never upgraded their software to activate the patch," Plex said in a statement. "For reference, the version that addressed this exploit was roughly 75 versions ago."