The US Cybersecurity and Infrastructure Security Agency (CISA) has added vulnerabilities affecting Plex and VMware products to its Known Exploited Vulnerabilities (KEV) catalog.
Tracked as CVE-2020-5741, the first is a high-severity flaw in Plex Media Server, described as a deserialization issue that can be exploited to remotely execute arbitrary Python code.
“This issue allowed an attacker with access to the Plex server administrator account to upload a malicious file via the Camera Upload feature and have it executed by the media server,” Plex noted in a May 2020 advisory.
Addressed with the release of Plex Media Server 1.19.3, the vulnerability requires the attacker to have administrator access to the Plex Media Server for successful exploitation, making it unlikely to be the target of attacks.
However, Plex in August 2022 revealed a data breach that likely affected more than 15 million customers and resulted in stolen usernames, emails, and passwords.
This effectively opened the door to exploitation of unpatched Plex Media Server instances that were still affected by CVE-2020-5741.
While CISA added the vulnerability to the KEV list without sharing details about the exploitation in the wild, media reports recently suggested that last year’s LastPass data breach, which led to the theft of data from the user vault, could be linked to a Plex vulnerability exploited to hack a DevOps engineer’s computer.
Plex provided the following statement to SecurityWeek:
“We take security issues very seriously and often work with external parties that report issues big or small using our guidelines and bug bounty program. When vulnerabilities are reported after responsible disclosure, we address them quickly and thoroughly, and we’ve never released a critical vulnerability for which a patched version hasn’t been released. And when we have had our own incidents, we have always chosen to report them quickly. We are not aware of any unpatched vulnerabilities and, as always, we encourage people to report issues to us by following the guidelines linked above.
We learned from LastPass that the vulnerability that was exploited is detailed here: https://forums.plex.tv/t/security-respect-cve-2020-5741/586819, which Plex publicly revealed in May 2020 (a good 2.5 years before the LastPass event). At that time, as stated in that post, an updated version of Plex Media Server was made available to everyone (May 7, 2020). Unfortunately, the LastPass employee never updated his software to activate the patch. For reference, the version that this exploit addressed was approximately 75 versions ago. Plex will provide notifications via the admin UI about available updates, and in many cases will also perform automatic updates.”
The second vulnerability that CISA added to its KEV list last week is CVE-2021-39144, a remote code execution issue in XStream, which has recently been exploited in malicious attacks targeting VMware products. VMware Cloud Foundation and NSX Data Center for vSphere (NSX-V) are affected.
“This vulnerability can affect multiple products, including but not limited to VMware Cloud Foundation,” CISA notes.
Under Binding Operational Directive (BOD) 22-01, federal agencies must address these vulnerabilities by March 31. However, all organizations are encouraged to review the catalog and apply patches where necessary.
Related: Dozens of Exploited Vulnerabilities Missing from CISA’s “Must Patch” List
Related: 557 CVEs added to CISA’s catalog of known exploited vulnerabilities in 2022
Related: Exploited Web Control Panel Flaw Added to CISA’s ‘Must Patch’ List