LastPass Suffers Second Attack After Failing to Update Plex
March 7, 2023
LastPass, a password management software firm, recently disclosed a "second attack" that traced back to an unpatched copy of Plex on the home computer of one of its engineers. The attackers exploited a flaw in that third-party media software package, tracked as CVE-2020-5741 (CVSS score: 7.2), to target the firm. They installed a keylogger on the DevOps engineer's computer and captured his master password.
According to the advisory published by Plex, "This issue allowed an attacker with access to the server administrator's Plex account to upload a malicious file via the Camera Upload feature and have the media server execute it. This could be done by setting the server data directory to overlap with the content location for a library on which Camera Upload was enabled." The incident demonstrates the importance of patch management: Plex had shipped a fix for this issue, but the LastPass engineer had never installed the vendor's security updates. As stated by Plex, "This issue could not be exploited without first gaining access to the server's Plex account. This issue has been assigned CVE-2020-5741."
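The advisory quoted above names two preconditions for exploitation: the server data directory must overlap with a library's content location, and Camera Upload must be enabled on that library. The following is an added example, not code from the article or from Plex, of a lexical configuration check that flags that combination. The data directory, library names and paths are constructed for illustration, and the dictionary layout of a library entry is an assumption rather than any real Plex export format.

```python
"""
Added example (not from the article or from Plex): flag libraries whose
content location overlaps the server data directory, the misconfiguration
CVE-2020-5741 relied on. The library records and paths below are constructed
for illustration; they are not a real Plex configuration format.
"""
from pathlib import PurePosixPath

# Constructed sample data directory (a typical Linux location is assumed).
DATA_DIR = "/var/lib/plexmediaserver/Library/Application Support/Plex Media Server"

# Constructed sample libraries. Each entry is an assumed shape:
# name, list of content locations, and whether Camera Upload is on.
LIBRARIES = [
    {"name": "Photos",
     "locations": ["/var/lib/plexmediaserver"],          # ancestor of DATA_DIR
     "camera_upload": True},
    {"name": "Movies",
     "locations": ["/srv/media/movies", "/srv/media/tv"],  # no overlap
     "camera_upload": True},
    {"name": "Family Uploads",
     "locations": [DATA_DIR + "/Uploads"],                 # inside DATA_DIR
     "camera_upload": False},
]


def paths_overlap(a: str, b: str) -> bool:
    """Return True if one path equals or is an ancestor of the other.

    The comparison is purely lexical (PurePosixPath touches no filesystem),
    so trailing slashes and '.' components are normalised but symlinks are
    not resolved. For a real audit, pass paths through os.path.realpath
    first so a symlinked data directory is not missed.
    """
    pa, pb = PurePosixPath(a), PurePosixPath(b)
    return pa == pb or pa in pb.parents or pb in pa.parents


def find_overlapping_libraries(data_dir, libraries):
    """Names of libraries with at least one location overlapping data_dir."""
    return [
        lib["name"]
        for lib in libraries
        if any(paths_overlap(data_dir, loc) for loc in lib["locations"])
    ]


def find_exploitable_libraries(data_dir, libraries):
    """Subset of overlapping libraries that also have Camera Upload enabled.

    Both conditions from the advisory must hold for CVE-2020-5741; an
    overlap alone is still worth fixing, so report it separately.
    """
    overlapping = set(find_overlapping_libraries(data_dir, libraries))
    return [
        lib["name"] for lib in libraries
        if lib["name"] in overlapping and lib["camera_upload"]
    ]


if __name__ == "__main__":
    for name in find_overlapping_libraries(DATA_DIR, LIBRARIES):
        print(f"WARNING: library '{name}' overlaps the server data directory")
    for name in find_exploitable_libraries(DATA_DIR, LIBRARIES):
        print(f"CRITICAL: '{name}' also has Camera Upload enabled")
```

A check like this only catches the misconfiguration half of the problem; the other half is the missing patch itself, which a version inventory of home and unmanaged machines used for privileged work has to cover.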