Engineer’s Failure to Update Plex Software Led to Massive Data Breach

March 7, 2023Rabbi LakshmananPassword Security / Software Update

A major LastPass breach was caused by one of our engineers failing to update Plex on his home computer, making us realize the dangers of failing to keep software up to date.

The troubled password management service last week revealed how an unidentified attacker used information stolen from previous incidents that occurred prior to August 12, 2022, claiming that it was a “third-party details available from data breaches and vulnerabilities in third-party media software.” A package to launch a second coordinated attack between August and October 2022.”

This intrusion ultimately allowed the attacker to steal partially encrypted password vault data and customer information.

In the second attack, one of the four DevOps engineers was identified to use keylogger malware to target home computers and obtain credentials to compromise cloud storage environments.

This was allegedly made possible by exploiting a nearly three-year-old, now-patched flaw in Plex to run code on the engineers’ computers.

The vulnerability in question is CVE-2020-5741 (CVSS score: 7.2), a deserialization flaw affecting Plex Media Server on Windows that could allow a remote, authenticated attacker to compromise the current operating system user. Allows execution of arbitrary Python code in the context of

“This issue allowed an attacker with access to a server administrator’s Plex account to upload a malicious file via the camera upload feature and force the media server to execute it,” Plex said at the time. stated in the advisory issued.

This issue, discovered by Tenable and reported to Plex in March 2020, was addressed by Plex in version 1.19.3.2764 released May 7, 2020. The current version of Plex is 1.31.1.6733.

“Unfortunately, LastPass employees never upgraded their software to enable the patch,” Plex said in a statement. “For reference, the version that addressed this exploit is about 75 versions ago.”