The Oh No! News. Oh No! News is Good News.
Threat analysis; your attack surface.
Article: CISA warns of actively exploited Plex bug after LastPass breach. Author: Sergiu Gatlan (2023, Mar 11).
Attackers with "admin access to a Plex Media Server could abuse the Camera Upload feature to make the server execute malicious code," according to an advisory published by the Plex Security Team in May 2020 when it patched the bug with the release of Plex Media Server 1.19.3.

"This could be done by setting the server data directory to overlap with the content location for a library on which Camera Upload was enabled. This issue could not be exploited without first gaining access to the server's Plex account."
Link to Cybersecurity & Infrastructure Security Agency (CISA).
Supporting Article: Plex Security, regarding security vulnerability CVE-2020-5741. Author: PlexSecurity, Plex Employee. (2020, May).
We have recently been made aware of a security vulnerability related to Plex Media Server. This issue allowed an attacker with access to the server administrator’s Plex account to upload a malicious file via the Camera Upload feature and have the media server execute it.
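The precondition described in both excerpts above is a configuration overlap: the server data directory and the content location of a Camera Upload library resolving to the same or a nested path. The following is an added configuration audit written for this page, not code from Plex or from any of the cited articles; the data directory, library names and paths are constructed sample values, and the check reports any Camera Upload library whose content location contains, equals, or sits inside the data directory.

```python
import os
from dataclasses import dataclass, field


@dataclass
class Library:
    """Constructed model of one media library's relevant settings."""
    name: str
    content_paths: list = field(default_factory=list)
    camera_upload: bool = False


def paths_overlap(a: str, b: str) -> bool:
    """True if one path equals or lies inside the other after normalisation.

    realpath() collapses '..', trailing slashes and symlinks, so a disguised
    alias of the data directory is still caught.  commonpath() is used rather
    than a string prefix test so that siblings such as /srv/plex and
    /srv/plex2 are not mistaken for an overlap.
    """
    a, b = os.path.realpath(a), os.path.realpath(b)
    try:
        common = os.path.commonpath([a, b])
    except ValueError:  # e.g. different drives on Windows: cannot overlap
        return False
    return common in (a, b)


def find_risky_libraries(data_dir: str, libraries: list) -> list:
    """Names of Camera Upload libraries whose content location overlaps data_dir."""
    return [
        lib.name
        for lib in libraries
        if lib.camera_upload
        and any(paths_overlap(data_dir, p) for p in lib.content_paths)
    ]


# Constructed sample configuration (not real Plex defaults).
DATA_DIR = "/srv/plex/data"
LIBRARIES = [
    Library("Movies", ["/srv/media/movies"]),
    Library("Phone Photos", ["/srv/plex/data/uploads/"], camera_upload=True),
    Library("Home Videos", ["/srv/plex/data2/videos"], camera_upload=True),
]

if __name__ == "__main__":
    for name in find_risky_libraries(DATA_DIR, LIBRARIES):
        print(f"WARNING: Camera Upload library '{name}' overlaps the data directory")
```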
Supporting Article: Official statement from Plex, concerning vulnerabilities, on LastPass Data Breach. Author: PlexInfo, Plex Employee. (2023, Feb 28).
"We have not been contacted by LastPass so we cannot speak to the specifics of their incident. We take security issues very seriously, and frequently work with external parties who report issues big or small using our guidelines and bug bounty program. When vulnerabilities are reported following responsible disclosure we address them swiftly and thoroughly, and we’ve never had a critical vulnerability published for which there wasn’t already a patched version released. And when we’ve had incidents of our own, we’ve always chosen to communicate them quickly. We are not aware of any unpatched vulnerabilities, and as always, we invite people to disclose issues to us following the guidelines linked above. Given recent articles about the LastPass incident, although we are not aware of any unpatched vulnerabilities, we have reached out to LastPass to be sure."
Supporting Article: LastPass says employee’s home computer was hacked and corporate vault taken. Author: Dan Goodin. (2023, Feb 27).
According to a person briefed on a private report from LastPass who spoke on the condition of anonymity, the media software package that was exploited on the employee’s home computer was Plex. Interestingly, Plex rep