Arbitrary code execution on local Windows servers

Overview

This article provides details about a security vulnerability on Code42 servers on Windows.

To protect the security of our customers, we don't publish a security advisory until a vulnerability has been fully investigated and a patch or update is available that resolves the issue.

For more information about security at Code42, see our Security page. If you believe you've found a Code42 security vulnerability, see Report a security vulnerability to Code42.

If you have questions or concerns, contact our Customer Champions for support.

Description

A vulnerability has been identified that may allow an attacker to escalate privilege and execute arbitrary code on a local Windows Code42 server.

Affected product and versions

Code42 for Enterprise
Code42 server version 7.0.2 and earlier on Windows

Resolution

This vulnerability is fixed in on-premises Code42 server version 7.0.3. To remediate this vulnerability, upgrade your environment.

CVE details

CVE ID	CVE-2019-16861
Date published	November 15, 2019
Number of vulnerabilities	1
Vulnerability type	Other – Untrusted search path
CVSS v3	Score: 7.8 Vector string: AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack type	Local
Impact	Code execution
Attack vectors	An attacker could escalate privilege and execute arbitrary code on a local Windows server.
Affected components	Code42 authority server and storage servers
Full description	In certain situations, a non-administrative attacker on the local server could create or modify a dynamic-link library (DLL). The Code42 service could then load it at runtime, and potentially execute arbitrary code at an elevated privilege on the local server.
Acknowledgements	Thank you to Peleg Hadar of SafeBreach Labs for discovering and reporting this vulnerability.

Other Code42 resources

Code42: Security
If you want to be notified when Code42 identifies a security vulnerability, sign up for email notifications.