Arbitrary code execution on local Windows devices

Overview

This article provides details about a security vulnerability affecting Code42 apps on Windows.

To protect the security of our customers, we don't publish a security advisory until a vulnerability has been fully investigated and a patch or update is available that resolves the issue.

For more information about security at Code42, see our Security page. If you believe you've found a Code42 security vulnerability, see Report a security vulnerability to Code42.

If you have questions or concerns, contact our Customer Champions for support.

Description

A vulnerability has been identified that may allow an attacker to escalate privilege and execute arbitrary code on a local Windows device running the Code42 app.

Affected product and versions

Code42 for Enterprise
Code42 app version 7.0.2 and earlier on Windows

Resolution

This vulnerability is fixed in Code42 app version 7.0.3 and later. To remediate this vulnerability, upgrade your devices.

CVE details

CVE ID	CVE-2019-16860
Date published	November 15, 2019
Number of vulnerabilities	1
Vulnerability type	Other – Untrusted search path
CVSS v3	Score: 7.8 Vector string: AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack type	Local
Impact	Code execution
Attack vectors	An attacker could escalate privilege and execute arbitrary code on a local Windows device.
Affected component	Code42 app
Description of the vulnerability	In certain situations, a non-administrative attacker on the local machine could create or modify a dynamic-link library (DLL). The Code42 service could then load it at runtime, and potentially execute arbitrary code at an elevated privilege on the local machine.
Acknowledgements	Thank you to Maciej Oszutowski for discovering and reporting this vulnerability.

Other Code42 resources

Code42: Security
If you want to be notified when Code42 identifies a security vulnerability, sign up for email notifications.