According to LastPass, the hacker planted keylogging malware on the home computer, enabling them “to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”
This wasn’t a work device. It was a personal device that was allowed to connect to critical corporate resources, which is a security failure on both the employee’s and the company’s part.
A personal device used for work - it is a work device. Semantics.
Edit - oh and my personal laptop is classified as a work device by ATO (it connects to my employers network). Also, what is the vector in all this (rhetorical).
It’s definitely not semantics when your private device isn’t controlled by Group Policy. Any standard corporate software installation policy is going to block the installation of software like Plex Media Server on their devices. I cannot access secure corporate resources without a corporate maintained device (I can’t join computers to the domain nor do I have the proper keys/certs to connect to the VPN), and password vaults would definitely qualify as a secure corporate resource. A work device and a “work” device are very different classifications with those kinds of limitations in mind.
And, again, this is a failure of both the individual and the company. DevOps engineers should (do) know better, and a company that falls under IT Security should definitely know better, particularly in a world where security breaches and ransomware attacks are committed on the regular by state and state-backed actors.
I don’t disagree and said exactly this quite a few times in this thread.
You missed the point about semantics however. What is interesting is that you then argue that the device should have been treated as a work device (which effectively it is, used for work).
As soon as the device is used for work, it becomes a work device for that usage. We agree that the employee/contractor and company failed in this, putting aside the vector.
This is separate from a company supplied device (assuming that company does indeed have appropriate security policies in effect (which, with LP, is suspect)).
So this isn’t “confirmed” at all. This is one of those poorly written articles where they draw the conclusion that they want and just might be reality. Nobody really comes out and says exact versions or any other strong details.
It’s one of those “well the only version we know of with an exploit is from 2020 and until told otherwise that’s the most we know” then you combine that with LastPass tiptoeing around not coming straight out and saying Plex but someone off the record said so. They don’t want to look like they are passing the buck and they want to look like they are being very open at the same time.
I 100% believe that it was Plex but I don’t know if I believe someone working in this capacity has never accidentally updated for 3 years. I’m not sure I believe that any of their infrastructure is that old. I have the same physical server but as you can imagine all kinds of random changes everywhere.
No it’s confirmed that this RCE is the one that we currently know about and the only one PUBLICLY out there. There isn’t a single thing in that article with a source on record from either side.
The article is “someone from LP said off record that it was Plex” and then later on “Plex says they don’t know any new ones just the one from 2020”. None of that is confirmation at all just written to sound like it’s a done deal.
Once again I 100% believe that there was an RCE in Plex but I don’t know if it was the one 3 years ago or a new one as of yet announced.
So it’s basically confirmed at this point it was because he was a total idiot and didn’t patch anything, on top of being an idiot with security (the highest irony possible, working at a security software company).
I can see why you’d be skeptical, but I don’t think this is just weasel-wording. The language in the PCMag article is explicit; if this was a new RCE, then either the PCMag writer or the anonymous Plex spokesperson they spoke to is lying or being extremely and deliberately misleading. To quote the article:
According to Plex, the vulnerability is nearly three years old and was patched long ago.
Plex told PCMag the vulnerability is CVE-2020-574, which the company publicly disclosed to users in May 2020.
But to rest our concerns fully it would be nice if a Plex employee would confirm here or in some announcement that this was the old, now-resolved RCE, as so far it’s only an unnamed spokesperson who has said they know for sure this is the old RCE.
This is why I run Plex on a dedicated Linux server with SELinux enabled. One would hope that SELinux would prevent a keylogger from working via the Plex user. Glad to hear this is likely an old exploit though.
So an exploit that was patched three years ago is PLEX’s fault? What does PLEX have to comment on? They fixed this already. If you run out of date server software, that’s on you.
What we’re looking for is a clear confirmation or official statement that it was in fact the exploit from three years ago, as they haven’t really delivered that confirmation. I’d like to believe the vague, no-quote comment in the PCMag article above, but the lack of any confirmation from an employee in any other way or in any other forum makes me kinda skeptical.
Of course, the generous interpretation is that they’re “pretty confident” it’s that same exploit but just don’t have a way to get to 99.9% confirmation it was, so they’re sticking with the vague comment. Up to the individual whether or not that’s enough to treat it as a non-issue.