
Who is this article for?

Code42 for Enterprise: yes.

CrashPlan for Small Business: no.

Link: Product plans and features.


Arbitrary code execution on local Windows devices


Overview

This article provides details about a security vulnerability affecting Code42 apps on Windows.  

To protect the security of our customers, we don't publish a security advisory until a vulnerability has been fully investigated and a patch or update is available that resolves the issue.

For more information about security at Code42, see our Security page. If you believe you've found a Code42 security vulnerability, see Report a security vulnerability to Code42.

If you have questions or concerns, contact our Customer Champions for support.

Description

A vulnerability has been identified that may allow an attacker to escalate privilege and execute arbitrary code on a local Windows device running the Code42 app.

Affected product and versions

  • Code42 for Enterprise 
  • Code42 app version 7.0.2 and earlier on Windows

Resolution

This vulnerability is fixed in Code42 app version 7.0.3 and later. To remediate this vulnerability, upgrade your Windows devices to Code42 app version 7.0.3 or later.

CVE details

CVE ID: CVE-2019-16860
Date published: November 15, 2019
Number of vulnerabilities: 1
Vulnerability type: Other – Untrusted search path
CVSS v3 score: 7.8
CVSS v3 vector string: AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack type: Local
Impact: Code execution
Attack vectors: An attacker could escalate privilege and execute arbitrary code on a local Windows device.
Affected component: Code42 app
Description of the vulnerability

In certain situations, a non-administrative attacker on the local machine could create or modify a dynamic-link library (DLL). The Code42 service could then load it at runtime, and potentially execute arbitrary code at an elevated privilege on the local machine.  
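The following audit script is an added example, not Code42's own code, for checking the condition the description above depends on: a directory in a privileged Windows service's DLL search path that non-administrative users can write to or create. The service name, the English principal names, and the standard SafeDllSearchMode search order are assumptions.

```powershell
# Added audit example (not Code42's code). Flags DLL search-path directories of a
# Windows service that low-privilege principals can write to. Run as Administrator.
param(
    [Parameter(Mandatory = $true)]
    [string]$ServiceName   # assumption: name of the service to audit, e.g. from Get-Service
)

# Resolve the service binary from its registered command line (quoted or first token).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
if ($svc.PathName -match '^"([^"]+)"') { $exe = $Matches[1] }
else { $exe = ($svc.PathName -split '\s+')[0] }
$exeDir = Split-Path -Parent $exe

# SafeDllSearchMode order after the application directory: System32, System,
# the Windows directory, then every directory on the system PATH.
$candidates = @($exeDir, "$env:SystemRoot\System32", "$env:SystemRoot\System", $env:SystemRoot) +
              ($env:Path -split ';' | Where-Object { $_ })

# Principals that must never hold write rights on a privileged service's search path
# (assumption: English account names; adjust for localized systems).
$lowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Write already covers CreateFiles/WriteData; Modify and FullControl include Write.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write

foreach ($dir in $candidates | Select-Object -Unique) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        # A missing PATH entry is itself a risk: whoever can create it controls the search.
        Write-Output "[MISSING]  $dir"
        continue
    }
    $acl = Get-Acl -LiteralPath $dir
    $weak = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPriv -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band ([int]$writeMask)) -ne 0
    }
    if ($weak) {
        $who = ($weak.IdentityReference.Value | Select-Object -Unique) -join ', '
        Write-Output "[WRITABLE] $dir  by $who"
    } else {
        Write-Output "[ok]       $dir"
    }
}
```

Any [WRITABLE] or [MISSING] line is a directory where a non-administrative user could plant or replace a DLL that the service loads at elevated privilege; fix it by restricting the ACL to Administrators and SYSTEM, or by removing the entry from PATH.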

Acknowledgements: Thank you to Maciej Oszutowski for discovering and reporting this vulnerability.
