Who is this article for?
CrashPlan for Enterprise, yes.
Code42 for Enterprise, yes.
CrashPlan for Small Business, no.
This article provides details about a security vulnerability on Code42 servers on Windows.
To protect the security of our customers, we don't publish a security advisory until a vulnerability has been fully investigated and a patch or update is available that resolves the issue.
If you have questions or concerns, contact our Customer Champions for support.
A vulnerability has been identified that may allow an attacker to escalate privilege and execute arbitrary code on a local Windows Code42 server.
Affected product and versions
- Code42 for Enterprise
- Code42 server version 7.0.2 and earlier on Windows
|Date published||November 15, 2019|
|Number of vulnerabilities||1|
|Vulnerability type||Other – Untrusted search path|
|Vector string||AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H|
|Attack vectors||An attacker could escalate privilege and execute arbitrary code on a local Windows server.|
|Affected components||Code42 authority server and storage servers|
In certain situations, a non-administrative attacker on the local server could create or modify a dynamic-link library (DLL). The Code42 service could then load it at runtime, and potentially execute arbitrary code at an elevated privilege on the local server.
|Acknowledgements||Thank you to Peleg Hadar of SafeBreach Labs for discovering and reporting this vulnerability.|