CISA, the cybersecurity and infrastructure agency, has included a severe remote code execution (RCE) vulnerability in the Plex Media Server, which is nearly three years old, in its list of security vulnerabilities used in targeted attacks. The flaw, identified as CVE-2020-5741, enables cybercriminals with administrator rights to execute arbitrary Python code remotely, using low-complexity attacks that do not require any user interaction.
An attacker with “admin access to a Plex Media Server could abuse the Camera Upload feature to make the server execute malicious code,” the Plex Security team stated in an advisory published in May 2020 when the exploit was patched with Plex Media Server 1.19.3.
“This could be done by setting the server data directory to overlap with the content location for a library on which Camera Upload was enabled. This issue could not be exploited without first gaining access to the server’s Plex account.”
CISA has not provided any details regarding the attacks that involved CVE-2020-5741, but it is believed that this may be linked to a recent disclosure by LastPass. This disclosure revealed that a senior DevOps engineer’s computer was hacked last year to install a keylogger by exploiting a third-party media software RCE vulnerability.
The attackers managed to access the engineer’s credentials and LastPass corporate vault, resulting in a significant data breach in August 2022. The threat actors were able to exfiltrate LastPass production backups and critical database backups, which caused widespread damage.
LastPass was hacked due to this Plex RCE exploit
Although LastPass did not specify which software flaw was used to gain access to the engineer’s computer, Ars Technica reported that the vulnerable software package was Plex. Interestingly, in August, Plex informed its customers about a data breach and asked them to reset their passwords, after LastPass announced its own data breach.
In addition to the Plex vulnerability, on Friday, CISA added another vulnerability, tracked as CVE-2021-39144, to its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability is considered to be of critical severity and has been exploited since early December in VMware’s Cloud Foundation.
In November 2021, a binding operational directive (BOD 22-01) was issued, which requires all federal agencies in the US to secure their systems against attacks until March 31st, in order to prevent potential network attacks that exploit these two vulnerabilities.
Although BOD 22-01 only applies to federal agencies, CISA strongly recommends that all organizations patch these vulnerabilities to protect themselves against ongoing attacks.