LastPass hack traced to failure to upgrade Plex software
The significant breach at LastPass came about because one of its employees neglected to update Plex on their own computer, a sobering reminder of the risks of not keeping software up to date.
Last week, the troubled password management service disclosed how unknown actors used information obtained from an earlier incident, which occurred before August 12, 2022, together with information “available from a third-party data breach and a vulnerability in a third-party media software package to launch a coordinated second attack” between August and October 2022.
The intrusion ultimately allowed the adversary to collect customer data and partially encrypted password vault data.
The second attack singled out one of the company’s four DevOps engineers, infecting their home computer with keylogger malware in order to steal their credentials and gain access to the cloud storage environment.
Plex, the media streaming service, stated that this was in turn made possible by exploiting a nearly three-year-old, now-patched vulnerability in Plex to gain code execution on the engineer’s machine.
CVE-2020-5741, a deserialization weakness affecting Plex Media Server on Windows, has a CVSS score of 7.2 and enables remote, authenticated attackers to execute arbitrary Python code in the context of the currently logged-in operating system user.
In an advisory released at the time, Plex stated: “This problem allowed an attacker with access to the server administrator’s Plex account to submit a malicious file using the Camera Upload function and have the media server execute it.”
Version 126.96.36.19964 of Plex, released on May 7, 2020, fixes the flaw, which Tenable found and reported to Plex in March 2020. Plex Media Server is currently at version 188.8.131.5233.
Plex said in a statement: “Unfortunately, the LastPass employee never upgraded their software to activate the patch. For comparison, the version that fixed this issue was released over 75 releases ago.”
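The lesson of the article is patch hygiene: a fix that shipped more than 75 releases earlier was never applied to one endpoint. The script below is an added example, not code from the article, LastPass or Plex. It parses a constructed software inventory, compares each Plex Media Server version against the fixed build, and reports installs that predate the fix or whose version cannot be read. The inventory lines, host names and the `FIXED_VERSION` value are constructed placeholders; substitute the real fixed build from the vendor's advisory for CVE-2020-5741 and your own asset data.

```python
"""Flag hosts running a Plex Media Server build older than the vendor's fix.

Added example, not from the article. The inventory lines and the fix version
below are constructed placeholders; substitute the real values from your
asset inventory and the vendor's advisory for CVE-2020-5741.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '1.2.3.4' into (1, 2, 3, 4); reject anything that is not dotted digits."""
    text = text.strip()
    if not VERSION_RE.match(text):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_older(installed: str, fixed: str) -> bool:
    """True when installed < fixed.

    Shorter tuples are padded with zeros so '1.19' compares equal to
    '1.19.0' instead of sorting below it and producing a false positive.
    """
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


@dataclass
class Finding:
    host: str
    installed: str
    note: str


def audit(inventory: str, fixed: str) -> list[Finding]:
    """Parse 'host,product,version' CSV lines and report Plex installs that
    predate the fix.

    Unreadable versions are reported rather than skipped: a blank or odd
    version field is exactly the host nobody can vouch for.
    """
    findings: list[Finding] = []
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        host, product, version = (field.strip() for field in line.split(",", 2))
        if product.lower() != "plex media server":
            continue  # other software is out of scope for this check
        try:
            if is_older(version, fixed):
                findings.append(Finding(host, version, "older than fix; patch required"))
        except ValueError:
            findings.append(Finding(host, version, "version unreadable; verify manually"))
    return findings


# Constructed placeholder: replace with the fixed build named in the vendor advisory.
FIXED_VERSION = "9.9.9"

# Constructed sample inventory; these are not real hosts or real versions.
SAMPLE_INVENTORY = """\
# host,product,version
eng-laptop-01,Plex Media Server,9.8.2.1000
eng-laptop-02,Plex Media Server,9.9.9.1
eng-laptop-03,Plex Media Server,unknown
eng-laptop-04,Slack,4.29.149
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY, FIXED_VERSION):
        print(f"{finding.host}: {finding.installed} ({finding.note})")
```

Run against the constructed inventory, the script reports `eng-laptop-01` as older than the fix and `eng-laptop-03` as unreadable, while `eng-laptop-02` (a build after the fix) and the non-Plex entry produce no finding. Treating an unreadable version as a finding rather than silently skipping it is deliberate: the host you cannot classify is the one most likely to be the stale install.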
Author: Pranali Dhamale