Who is this article for?

Incydr Professional, Enterprise, Horizon, and Gov F2
Incydr Basic, Advanced, and Gov F1

Find your product plan in the Code42 console on the Account menu.

Instructor, no.

Incydr Professional, Enterprise, Horizon, and Gov F2, no.

Incydr Basic, Advanced, and Gov F1, yes.

Arbitrary code execution via malicious Code42 agent proxy configuration

Overview

This article provides details about a security vulnerability affecting the Code42 agent installed on user devices.  

To protect the security of our customers, we don't publish a security advisory until a vulnerability has been fully investigated and a patch or update is available that resolves the issue.

For more information about security at Code42, see our Security page. If you believe you've found a Code42 security vulnerability, see Report a security vulnerability to Code42.

If you have questions or concerns, contact our Technical Support Engineers.

Description

A vulnerability has been identified that could allow an attacker to change a device's proxy configuration to use a malicious proxy auto-config (PAC) file.

Affected product and versions

  • Legacy agent version 8.7.1 and earlier
  • Incydr Professional, Enterprise, Horizon, and Gov F2 are not affected

Resolution

This vulnerability is fixed in Code42 agent version 8.8.0 and later.

  • Code42 cloud environments automatically upgraded to Code42 agent 8.8 in November and December, 2021.
  • On-premises Code42 environments must follow these steps to lock proxy settings to resolve this vulnerability.  
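
A fleet triage check built from this advisory's conditions (agent older than 8.8.0, proxy settings not locked), as an added example that is not Code42 code. The inventory CSV, its column names, and the status labels are assumptions constructed for illustration.

```python
import csv
import io

FIXED = (8, 8, 0)  # advisory: fixed in Code42 agent 8.8.0 and later

# Constructed sample inventory; column names are assumptions, not a Code42 export format.
SAMPLE_INVENTORY = """hostname,agent_version,proxy_locked
lab-01,8.7.1,false
lab-02,8.7.1,true
lab-03,8.8.0,false
lab-04,8.2,no
lab-05,8.8.1.33,false
lab-06,unknown,false
"""

def parse_version(text):
    """Return (major, minor, patch), or None if the string is not dotted numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts[:3]]          # ignore any build suffix
    return tuple(nums + [0] * (3 - len(nums)))  # pad "8.2" to (8, 2, 0)

def classify(agent_version, proxy_locked):
    """Map one device to: fixed, mitigated, exposed, or unknown (hypothetical labels)."""
    version = parse_version(agent_version)
    if version is None:
        return "unknown"      # unparseable version: review manually, never assume safe
    if version >= FIXED:
        return "fixed"
    # Below 8.8.0 the advisory's precondition decides: were proxy settings locked?
    locked = proxy_locked.strip().lower() in {"true", "yes", "1"}
    return "mitigated" if locked else "exposed"

def audit(inventory_csv):
    """Return {hostname: status} for every row of the inventory."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["hostname"]: classify(row["agent_version"], row["proxy_locked"])
            for row in reader}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:8} {status}")
```

Devices reported as "exposed" or "unknown" are the ones to upgrade or to lock proxy settings for first.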

CVE details

CVE ID: CVE-2021-43269
Date published: January 18, 2022
Number of vulnerabilities: 1
Vulnerability type: Other – Code execution
CVSS v3 score: 7.0
CVSS v3 vector string: 3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack type: Remote
Impact: Code execution
Attack vectors: An attacker could escalate privilege and execute arbitrary code on a device.
Affected component: Code42 agent
Description of the vulnerability: If the device proxy settings were not locked in the Code42 console, a non-administrative attacker could change the Code42 agent proxy configuration to use a malicious proxy auto-config (PAC) file. The malicious PAC file could then potentially execute arbitrary code at an elevated privilege on a device.
Acknowledgements: Thank you to Bartłomiej Górkiewicz for discovering and reporting this vulnerability.

Other Code42 resources

  • Code42: Security
  • If you want to be notified when Code42 identifies a security vulnerability, navigate to the Code42 email preferences page and check the box "Common Security and Vulnerability Reports" in the preferences form. 