LastPass Firefox Extension 4.0 < 4.1.21a Message Hijacking

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

A password manager installed on the remote host is affected by a
remote message hijacking vulnerability.

Description :

According to its version, the LastPass Firefox extension installed on
the remote Windows host is 4.0.x prior to 4.1.21a. It is, therefore,
affected by a message hijacking vulnerability due to improper
validation of messages sent between the extension and a privileged
iframe. An unauthenticated, remote attacker can exploit this issue by
convincing a user to load a specially crafted web page that
programmatically clicks a LastPass-modified input element, allowing the
attacker to take full control of the LastPass extension, including
creating and deleting files, executing scripts, and disclosing passwords.

See also :

https://bugs.chromium.org/p/project-zero/issues/detail?id=884
https://blog.lastpass.com/2016/07/lastpass-security-updates.html/
http://thehackernews.com/2016/07/lastpass-password-manager.html

Solution :

Upgrade to LastPass Firefox extension version 4.1.21a or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.7
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Family: Windows

Nessus Plugin ID: 92660

Bugtraq ID:

CVE ID:
