Comment on LastPass Breach: Scott Caveza, Senior Research Manager, Tenable
“The massive breach at LastPass is a prime example of how known vulnerabilities can have a cataclysmic impact on security. The root cause of the LastPass data breach was a home computer running an out of date version of Plex, which contained a vulnerability Tenable discovered and reported, and Plex patched in May 2020. The LastPass breach should have been completely avoidable.
The vulnerability, CVE-2020-5741, is a deserialisation flaw that can be exploited by an authenticated attacker in order to execute arbitrary code with the same privileges as the media server.
The 2022 Tenable Threat Landscape Report, published last week, reinforces this sobering reminder that known vulnerabilities are more dangerous and disruptive to security than zero days. We’ve seen time and time again cybercriminals and nation states routinely exploit known vulnerabilities with available patches to gain initial access into organisations and to elevate privileges once inside. Discovering and remediating the known and exploited vulnerabilities that represent the greatest risk to an organisation continues to be the most impactful way to limit risk.” — Scott Caveza, Senior Research Manager, Tenable.