Who is this article for?
CrashPlan for Enterprise, yes.
Code42 for Enterprise, yes.
CrashPlan for Small Business, no.
This article provides details about a security vulnerability affecting Code42 apps on Windows.
To protect the security of our customers, we don't publish a security advisory until a vulnerability has been fully investigated and a patch or update is available that resolves the issue.
If you have questions or concerns, contact our Customer Champions for support.
A vulnerability has been identified that may allow an attacker to escalate privilege and execute arbitrary code on a local Windows device running the Code42 app.
Affected product and versions
- Code42 for Enterprise
- Code42 app version 7.0.2 and earlier on Windows
|Date published||November 15, 2019|
|Number of vulnerabilities||1|
|Vulnerability type||Other – Untrusted search path|
|Vector string||AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H|
|Attack vectors||An attacker could escalate privilege and execute arbitrary code on a local Windows device.|
|Affected component||Code42 app|
|Description of the vulnerability||In certain situations, a non-administrative attacker on the local machine could create or modify a dynamic-link library (DLL). The Code42 service could then load it at runtime, and potentially execute arbitrary code at an elevated privilege on the local machine.|
|Acknowledgements||Thank you to Maciej Oszutowski for discovering and reporting this vulnerability.|
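
The following is an added example, not Code42 code and not the specific load path behind this advisory (the page does not give it): a general administrator's audit for the untrusted search path class, listing directories a service may load DLLs from that a non-administrative principal can write to. The `$ServiceName` parameter is a placeholder for the service's real name, and the list of trusted principals is an assumption.

```powershell
# Added example (not Code42 code). Run from an elevated PowerShell prompt.
param(
    # Placeholder: the advisory does not name the Windows service; pass the real name.
    [Parameter(Mandatory)] [string] $ServiceName
)

# Assumption: only these principals are expected to hold write access.
$trusted = @(
    'S-1-5-18',        # LocalSystem
    'S-1-5-32-544',    # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
# CreateFiles/WriteData (0x2), AppendData (0x4), GENERIC_ALL, GENERIC_WRITE.
$writeMask = 0x2 -bor 0x4 -bor 0x10000000 -bor 0x40000000

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found." }
# PathName may be quoted and may carry arguments; keep only the executable path.
if ($svc.PathName -match '^\s*"?(.+?\.exe)') {
    $exeDir = Split-Path -Path $Matches[1] -Parent
} else { throw "Cannot parse service path: $($svc.PathName)" }

# Directories to audit: the service's own folder plus the machine-wide PATH.
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';'
$dirs = @($exeDir) + $machinePath | Where-Object { $_ } |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) } | Sort-Object -Unique

foreach ($dir in $dirs) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        # Report stale entries so they can be removed from PATH.
        [pscustomobject]@{ Directory = $dir; Principal = '(directory missing)'; Rights = $null }
        continue
    }
    $acl = Get-Acl -LiteralPath $dir
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only entries apply to children, not to this directory itself.
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        if ($trusted -contains $sid.Value) { continue }
        if (([int] $ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        [pscustomobject]@{ Directory = $dir; Principal = $name; Rights = $ace.FileSystemRights }
    }
}
```

An empty result means no untrusted write access was found on the directories checked. Existing DLL files carry their own ACLs and are not inspected here.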