One of LastPass’s engineers neglected to update Plex Media Server on their personal computer, which led to the company’s significant breach. Plex says the vulnerability is almost three years old and was fixed long ago.
To install malware on the LastPass employee’s home computer, the attacker targeted the Plex Media Server software installed on it.
Facts of the Massive Data Breach Caused by an Engineer Not Updating the Plex Software
Plex officially informed users of the vulnerability, tracked as CVE-2020-5741 (CVSS score: 7.2), in May 2020. It is a deserialization bug in Plex Media Server for Windows that allows a remote, authenticated attacker to execute arbitrary Python code in the context of the current operating system user.
“We have recently been made aware of a security vulnerability related to Plex Media Server. This issue allowed an attacker with access to the server administrator’s Plex account to upload a malicious file via the Camera Upload feature and have the media server execute it”, said PlexSecurity.
According to Plex, the attacker achieved this by setting the server data directory to coincide with the content location of a library for which Camera Upload was enabled. The flaw could not be exploited without first gaining access to the server’s Plex account.
Tenable discovered the flaw and reported it to Plex in March 2020; Plex addressed it in version 1.19.3.2764, released on May 7, 2020. Plex Media Server’s current version is 1.31.1.6733.
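How a deserialization bug of this class turns a directory the server trusts into code execution, shown as an added generic example. This is not Plex’s code and not the actual CVE-2020-5741 exploit; the loaders, the restricted unpickler and the marker file path are assumptions made for the demonstration. A stock unpickler obeys whatever callable the file names, so an uploaded file in a directory the server later loads from is enough; the hardened loader refuses to resolve any global, which rejects the payload before anything runs while plain metadata still loads.

```python
"""
Added illustration of the bug class behind CVE-2020-5741: a server that
deserializes (unpickles) a file an authenticated user was able to place in a
directory the server trusts. Not Plex's code and not the real exploit; the
loaders, file names and marker path are assumptions for the demonstration.
"""
import io
import os
import pickle
import tempfile


class MaliciousUpload:
    """Object whose pickled form tells the loader to call open(path, "w").

    pickle honours __reduce__: the serialized bytes say "call this callable
    with these arguments", and any stock unpickler obeys. A real payload would
    name os.system or subprocess.Popen; open() is used here so the only side
    effect is an empty marker file proving the call happened.
    """

    def __init__(self, marker_path: str):
        self.marker_path = marker_path

    def __reduce__(self):
        return (open, (self.marker_path, "w"))


def build_malicious_file(marker_path: str) -> bytes:
    """The bytes an attacker with upload rights would drop into the data directory."""
    return pickle.dumps(MaliciousUpload(marker_path))


def build_benign_file() -> bytes:
    """Constructed example of the plain metadata a server legitimately stores."""
    return pickle.dumps({"filename": "IMG_0001.jpg", "size": 1234})


def vulnerable_load(data: bytes):
    """Vulnerable pattern: pickle.loads on bytes read from a user-writable path."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: refuses to resolve any global (class or function).

    Scalars and containers (str, int, bytes, list, dict) are rebuilt from
    opcodes alone and never call find_class, so benign metadata still loads
    while any "call this callable" payload is rejected before it runs.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def hardened_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def marker_written_by(loader) -> bool:
    """Feed the malicious file to `loader`; True if attacker code actually ran."""
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, "pwned.txt")
        try:
            result = loader(build_malicious_file(marker))
            if hasattr(result, "close"):
                result.close()  # the file handle open() returned
        except pickle.UnpicklingError:
            pass
        return os.path.exists(marker)


if __name__ == "__main__":
    print("vulnerable loader ran attacker code:", marker_written_by(vulnerable_load))
    print("hardened loader ran attacker code:  ", marker_written_by(hardened_load))
    print("hardened loader, benign data:       ", hardened_load(build_benign_file()))
```

The restricted unpickler is one mitigation for this bug class; the more fundamental one is to never deserialize files that another account can write, which is why the attacker needed the server administrator’s Plex account and the Camera Upload path in the first place. The page does not describe how Plex’s own patch changed the server, so none of this should be read as that fix.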
“Unfortunately, the LastPass employee never upgraded their software to activate the patch. For reference, the version that addressed this exploit was roughly 75 versions ago”, Plex explains.
It is vital to note that to exploit CVE-2020-5741, the attacker needed admin access to the employee’s Plex Media Server account. This shows the attacker was already monitoring the LastPass employee and may have had other ways of installing malware on the computer.
The hacker used keylogging malware that was installed on the user’s home computer to “capture the employee’s master password as it was entered, after the employee authenticated with MFA (multi-factor authentication), and gain access to the DevOps engineer’s LastPass corporate vault,” according to LastPass.
Once inside the vault, the attacker was able to obtain unencrypted customer account data, including email addresses and phone numbers, as well as a copy of customers’ encrypted password vaults. The incident is a stark warning about the consequences of not updating software.