Skip to main content
Contact Support

Who is this article for?

Incydr Professional, Enterprise, Gov F2, and Horizon
Incydr Basic, Advanced, and Gov F1
CrashPlan Cloud
CrashPlan for Small Business
Retired product plans

Find your product plan in the Code42 console on the Account menu.

Instructor, no.

Incydr Professional, Enterprise, Gov F2, and Horizon, yes.

Incydr Basic, Advanced, and Gov F1, yes.

CrashPlan Cloud, yes.

Retired product plans, yes.

CrashPlan for Small Business, yes.

HOME
GETTING STARTED
RELEASE NOTES
FAQs
APIs
SYSTEM STATUS
Code42 Support

Permissions vulnerability in Code42 app on Linux

  1. Last updated
  2. Save as PDF

Who is this article for?

Incydr Professional, Enterprise, Gov F2, and Horizon
Incydr Basic, Advanced, and Gov F1
CrashPlan Cloud
CrashPlan for Small Business
Retired product plans

Find your product plan in the Code42 console on the Account menu.

Instructor, no.

Incydr Professional, Enterprise, Gov F2, and Horizon, yes.

Incydr Basic, Advanced, and Gov F1, yes.

CrashPlan Cloud, yes.

Retired product plans, yes.

CrashPlan for Small Business, yes.

Overview

This article provides details about a security vulnerability in the Code42 app on Linux.  

To protect the security of our customers, we don't publish a security advisory until a vulnerability has been fully investigated and a patch or update is available that resolves the issue.

For more information about security at Code42, see our Security page. If you believe you've found a Code42 security vulnerability, see Report a security vulnerability to Code42.

If you have questions or concerns, contact our Customer Champions for support.

Description

Code42 has identified a vulnerability in the Code42 app on Linux that allows an attacker to create files in
the log directory that the Code42 app accesses as root.

Affected versions

Code42 app version 6.8.3 and earlier on Linux devices

Resolution

This vulnerability has been fixed in Code42 app version 6.8.4 and later. To remediate this vulnerability, upgrade the Code42 apps in your environment.

If you are unable to upgrade at this time, additional workarounds may be available depending on your
deployment. Contact our Code42 Customer Champions for more information.

CVE details

CVE ID CVE-2018-20131
Date published December 13, 2018
Number of vulnerabilities 1
Products Code42 for Enterprise
Affected product versions Code42 app 6.8.3 and earlier on Linux
Vulnerability type Insecure permissions
Attack type  Local
Impact Escalation of privileges
Affected components Linux, security
Attack vectors An attacker can create files in the log directory that the Code42 app accesses as root.
Description of the vulnerability In Code42 app version 6.8.3 and earlier on Linux devices, the Code42 app installs with overly permissive permissions on the /usr/local/crashplan/log directory. This allows a user to manipulate symbolic links to escalate privileges or show the contents of sensitive files that a regular user would not have access to.
Additional information Thanks to Tiago Cunha of Mimecast for discovering this vulnerability. 

Other Code42 resources

  • Code42: Security

  • If you want to be notified when Code42 identifies a security vulnerability, navigate to the Code42 email preferences page and check the box "Common Security and Vulnerability Reports" in the preferences form. 

    Code42-preferences-4-9-21.png