Does 1.31.1.6733-bc0674160 fix the remote code execution vulnerability that LastPass's developer saw?

Server Version#: 1.31.1.6733-bc0674160
Player Version#:

The story I saw implied Plex was responsible, saying that the LastPass developer also used it. If you have a link with more details, please share it. I’m not ready to crucify Plex yet.

This is all I’m seeing:

Not sure where Plex is involved here but forwarded to security team.

I think at this point it’s assumed he was hacked via his Plex server but there aren’t many details:

Nothing shown to support that.

Please be very careful with assertions and assumptions. “ASSUME” is dangerous.

Makes an ASS of U and ME :slight_smile:

From “Home Computer” to “Plex Server” is a bigger leap than I would take at this point.

This is where I first saw Plex mentioned by name, but I’m not sleuthing this story…

I tried to point out buffer overflows in the past, and was not responded to.

I remember this.

Interestingly, ArsTechnica heard from sources that the engineer’s computer was hacked through a vulnerability found in the Plex media platform. Twelve days after the LastPass attack, Plex confirmed that it had also suffered an attack that resulted in 15 million users’ passwords being stolen.

If you all remember correctly, that’s when operations

  1. Made operations changes in the code and secured the vulnerability
  2. Invalidated EVERYONE’s passwords
  3. Made us all reclaim our servers again
  4. Log in all our devices again

Is Plex the attack vector or another victim?

Let’s please be objective and not emotionally reactive.

As mentioned in the duplicate thread on this topic though, the question is: is this a new event or the old one?

I agree that this type of ‘news’ item (quoted below) needs to be approached with a high degree of scepticism, especially as the source asked to be kept anonymous.

ArsTechnica heard from sources that the engineer’s computer was hacked through a vulnerability found in the Plex media platform.

Well, then how about an official response about my email sent to security@plex.tv on 1/29/2022 about buffer overflows?

Might have less fuel for the boat if you can hire a well-qualified security team.

Were you responding to me? So, you didn’t get my email sent to security@plex.tv, or you were unable to send me mail? What? I don’t know if your comment is on my thread hijacking @BigWheel, or… People can have more than one email address, right?

I have nothing to do with the security email box. I am only giving everyone in this topic a link to the information we have about the LP thing.

Can I pm you a message ID from my mail and you can contact security on my behalf for a response on why I was never contacted in my four mails to your company?

I can’t do anything about speeding up a response from them. I imagine they likely have received hundreds of emails about it and might just be taking a while to respond.

Date: Sat, 29 Jan 2022

That's when I sent in my ignored bug bounty.

You are welcome to message me but I make no promises I will be able to facilitate speeding up a response

A response from more than a year ago? ping @elan

@Gloppie I pinged some folks who said they would look into it.

I’ve still not received a response.