LastPass has reportedly fixed a remote code execution in the password manager that could have allowed for the proxying of internal Remote Procedure Call (RPC) commands.
The issue is one of three vulnerabilities, the other two still unpatched, that Google Project Zero researcher Tavis Ormandy discovered in the service during the past week.
Ormandy said Tuesday night on Twitter that he uncovered a different bug in LastPass that allows passwords for any domain to be stolen. Little is known about the vulnerability other than that it affects version 4.1.35 and is unpatched.
I found another bug in LastPass 4.1.35 (unpatched), allows stealing passwords for any domain. Full report will be on the way shortly. pic.twitter.com/9VkV7R3vud
— Tavis Ormandy (@taviso) March 21, 2017
LastPass, for its part, acknowledged Ormandy’s remote code execution bug early Tuesday morning and said it had put a workaround in place. It said it resolved the bug later that morning and that it was preparing a blog post with additional details about the vulnerability.
We are aware of the report by @taviso and our team has put a workaround in place while we work on a resolution. Stay tuned for updates.
— LastPass (@LastPass) March 21, 2017
The issue reported by Tavis Ormandy has been resolved. We will provide additional details on our blog soon.
— LastPass (@LastPass) March 21, 2017
Ormandy sent LastPass details of an exploit he wrote for the vulnerability, just two lines of JavaScript, on Monday. The exploit worked without any user prompts, and he said on Twitter it could be adapted to other platforms such as Linux.
The researcher said he discovered the bug, which affects version 4.1.42 of the extension on Chrome and Firefox, after noticing that the extension’s websiteconnector.js content script could proxy unauthenticated window messages to the extension.
Oops, new LastPass bug that affects 4.1.42 (Chrome&FF). RCE if you use the “Binary Component”, otherwise can steal pwds. Full report on way. pic.twitter.com/y92vm3Ibxd
— Tavis Ormandy (@taviso) March 20, 2017
The researcher said that on its own, the bug gives access to internal privileged RPCs, which in turn allows “complete control of the LastPass extension, including stealing passwords.” If the user also had the Binary Component installed, an attacker could use the “openattach” call to run arbitrary code.
Last Wednesday, Ormandy warned of a third vulnerability, one that affects version 3.3.2 of LastPass’ Firefox add-on. Details around that bug aren’t public yet, but Ormandy posted a redacted screenshot of the exploit when he tweeted about it.
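To make the bug class concrete, here is an added, constructed model of a content-script message relay, written for this article and not taken from LastPass or from Ormandy’s report. The RPC names, the vault contents and the origins are all invented for the illustration; “openattach” is stubbed out as a harmless function. The vulnerable relay forwards any window message straight into a privileged RPC table, so a web page can call into the extension; the hardened relay checks origin and source and only forwards an allowlisted, unprivileged subset, so privileged RPCs are unreachable from page-controlled input.

```javascript
// Constructed model of an unauthenticated window-message relay (illustrative only;
// not LastPass code). A content script receives window.postMessage events from the
// page and forwards them to the extension, which dispatches privileged RPCs.

// Hypothetical privileged RPC table and vault (invented for this example).
const vault = { 'example.com': { user: 'alice', password: 'hunter2' } };
const privilegedRpc = {
  getAccounts: (domain) => vault[domain] || null,   // hands out stored credentials
  openattach: (path) => `would launch ${path}`,     // stands in for a native-helper call
};

// The only message the page is legitimately allowed to send through the relay.
const PAGE_ALLOWLIST = new Set(['ping']);
const unprivilegedRpc = { ping: () => 'pong' };

// Extension side: look up and call the requested RPC from a given table.
function backgroundDispatch(table, msg) {
  const fn = table[msg.rpc];
  if (typeof fn !== 'function') return { error: 'unknown rpc' };
  return { result: fn(...(msg.args || [])) };
}

// Vulnerable relay: whatever arrives via window.postMessage is forwarded to the
// privileged table with no origin, source or method check.
function vulnerableRelay(event) {
  return backgroundDispatch(privilegedRpc, event.data);
}

// Hardened relay: accept only messages from the expected origin and frame, and
// forward only allowlisted RPCs to an unprivileged table. Privileged RPCs can never
// be selected by page-controlled input.
function hardenedRelay(event, expectedOrigin, ownWindow) {
  if (event.origin !== expectedOrigin) return { error: 'bad origin' };
  if (event.source !== ownWindow) return { error: 'bad source' };
  const msg = event.data;
  if (!msg || typeof msg !== 'object' || !PAGE_ALLOWLIST.has(msg.rpc)) {
    return { error: 'rpc not allowed' };
  }
  return backgroundDispatch(unprivilegedRpc, msg);
}

// Constructed MessageEvent-like objects standing in for real postMessage events.
const ownWindow = {};
const attackerWindow = {};
function makeEvent(data, origin, source) {
  return { data, origin, source };
}

// Run one attacker message and one legitimate message through both relays.
function demo() {
  const steal = makeEvent({ rpc: 'getAccounts', args: ['example.com'] },
                          'https://evil.test', attackerWindow);
  const ok = makeEvent({ rpc: 'ping' }, 'https://app.example', ownWindow);
  return {
    vulnerableLeak: vulnerableRelay(steal),   // credentials returned to the attacker page
    hardenedBlocked: hardenedRelay(steal, 'https://app.example', ownWindow),
    hardenedAllowed: hardenedRelay(ok, 'https://app.example', ownWindow),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The origin and source checks alone are not enough: a script injected into the same page could still pass them, which is why the hardened relay also refuses to name any RPC outside a small allowlist and dispatches only to a table that holds no privileged calls.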
Wrote a quick exploit for another LastPass vulnerability. Only affects version on https://t.co/lGcefN9YXM (3.3.2), report on way. ¯_(ツ)_/¯ pic.twitter.com/AgjASiQMfJ
— Tavis Ormandy (@taviso) March 16, 2017
It took a few days, but on Tuesday night the company confirmed it was aware of a vulnerability affecting a Firefox add-on, presumably the same issue Ormandy raised with it.
We are aware of reports of a Firefox add-on vulnerability. Our security is investigating and working on issuing a fix.
— LastPass (@LastPass) March 22, 2017
If the company addresses the other two bugs as quickly as it addressed the first, users should expect a fix fairly soon, sometime this week.
As Ormandy pointed out on Twitter Tuesday, Firefox add-ons customarily have to undergo a review by Mozilla before they’re pushed live, something which could be holding up the fix.
That said, it’s unclear exactly when the company plans on fixing the Firefox add-on issue, publishing details around the RCE vulnerability, or acknowledging the bug Ormandy found in 4.1.35. LastPass did not immediately return a request for comment on Wednesday morning.
Because LastPass had patched the issue, Google’s Project Zero made details around the bug, including a link to Ormandy’s exploit, public on Tuesday. Under Project Zero guidelines, Google releases bug reports either 90 days after a private disclosure or after a patch has been made broadly available.
Tod Beardsley, research director at Rapid7, nonetheless found it puzzling that details were released so soon after the bug had been disclosed to the company.
“It’s a little puzzling why Google publicly disclosed this issue merely 37 hours after the initial private disclosure to LastPass,” Beardsley said Wednesday. “The issue doesn’t appear to be so grave as to warrant a fast track to disclosure, and even if it was, I would generally expect at least a couple days’ grace period to allow for a more coordinated disclosure.”
Regardless, the issues appear to be the latest of several bumps in the road for the password manager, particularly when it comes to bugs identified by the Project Zero researcher. Ormandy made headlines last summer after he said on Twitter that he had found “a bunch of obvious critical problems” in the service. LastPass was quick to fix the most concerning one, which, like this week’s bug, could have allowed access to privileged LastPass RPCs and also led to a complete remote compromise.