Skip to main content

Who is this article for?

Code42 for EnterpriseSee product plans and features
CrashPlan for Small Business 

CrashPlan for Small Business, no.

Code42 for Enterprise, yes.

Link: Product plans and features.

Code42 Support

Arbitrary code execution on local Windows servers

Who is this article for?

Code42 for EnterpriseSee product plans and features
CrashPlan for Small Business 

CrashPlan for Small Business, no.

Code42 for Enterprise, yes.

Link: Product plans and features.

Overview

This article provides details about a security vulnerability on Code42 servers on Windows.  

To protect the security of our customers, we don't publish a security advisory until a vulnerability has been fully investigated and a patch or update is available that resolves the issue.

For more information about security at Code42, see our Security page. If you believe you've found a Code42 security vulnerability, see Report a security vulnerability to Code42.

If you have questions or concerns, contact our Customer Champions for support.

Description

A vulnerability has been identified that may allow an attacker to escalate privilege and execute arbitrary code on a local Windows Code42 server. 

Affected product and versions

  • Code42 for Enterprise
  • Code42 server version 7.0.2 and earlier on Windows

Resolution

This vulnerability is fixed in on-premises Code42 server version 7.0.3. To remediate this vulnerability, upgrade your environment

CVE details

CVE ID CVE-2019-16861
Date published November 15, 2019
Number of vulnerabilities 1
Vulnerability type Other – Untrusted search path
CVSS v3

Score: 7.8

Vector string: AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack type  Local
Impact Code execution
Attack vectors An attacker could escalate privilege and execute arbitrary code on a local Windows server.
Affected components Code42 authority server and storage servers
Full description

In certain situations, a non-administrative attacker on the local server could create or modify a dynamic-link library (DLL). The Code42 service could then load it at runtime, and potentially execute arbitrary code at an elevated privilege on the local server. 

Acknowledgements Thank you to Peleg Hadar of SafeBreach Labs for discovering and reporting this vulnerability. 

Other Code42 resources