CISA Adds Plex and XStream Vulnerabilities to KEV List
The US Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: a remote code execution flaw in Plex Media Server and a remote code execution flaw in XStream. Both have remediation due dates of March 31, 2023. Some reports have indicated that the breach of a LastPass engineer’s computer may have been conducted through a Plex vulnerability.
Most organizations will not have Plex, a popular video player, on their radar. But it played an important role in the LastPass breach. A developer's workstation had Plex installed. A vulnerability in Plex was used to compromise the workstation and that workstations was used in the large breach of encrypted LastPass credential files. Software running on developers’ personal systems is often overlooked. Organizations should provide incentives to developers to keep software on personal workstations up to date by reimbursing patching tools or offering assistance in managing the updates.
Along with making sure that installed copies of these products get fixed, riddle me this: should they be installed on work computers? Part of any hardening exercise is removing unnecessary components. If you’re ok with the risk, make sure it is documented.
Read more in
Bleeping Computer: CISA warns of actively exploited Plex bug after LastPass breach
Security Week: CISA Warns of Plex Vulnerability Linked to LastPass Hack