Who is this article for?
Incydr Professional, Enterprise, Horizon, and Gov F2, yes.
Incydr Basic, Advanced, and Gov F1, yes.
CrashPlan Cloud, yes.
Retired product plans, yes.
CrashPlan for Small Business, no.
This article provides details about a security vulnerability on Code42 servers on Windows.
To protect the security of our customers, we don't publish a security advisory until a vulnerability has been fully investigated and a patch or update is available that resolves the issue.
If you have questions or concerns, contact our Customer Champions for support.
A vulnerability has been identified that may allow an attacker to escalate privilege and execute arbitrary code on a local Windows Code42 server.
Affected product and versions
- Code42 for Enterprise
- Code42 server version 7.0.2 and earlier on Windows
|Date published||November 15, 2019|
|Number of vulnerabilities||1|
|Vulnerability type||Other – Untrusted search path|
Vector string: AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
|Attack vectors||An attacker could escalate privilege and execute arbitrary code on a local Windows server.|
|Affected components||Code42 authority server and storage servers|
In certain situations, a non-administrative attacker on the local server could create or modify a dynamic-link library (DLL). The Code42 service could then load it at runtime, and potentially execute arbitrary code at an elevated privilege on the local server.
|Acknowledgements||Thank you to Peleg Hadar of SafeBreach Labs for discovering and reporting this vulnerability.|