Permissions vulnerability in Code42 app on Linux
Who is this article for?
Code42 for EnterpriseSee product plans and features
CrashPlan for Small Business
CrashPlan for Small Business, yes.
Code42 for Enterprise, yes.
Link: Product plans and features.
Overview
This article provides details about a security vulnerability in the Code42 app on Linux.
Description
Code42 has identified a vulnerability in the Code42 app on Linux that allows an attacker to create files in
the log directory that the Code42 app accesses as root.
Affected versions
Code42 app version 6.8.3 and earlier on Linux devices
Resolution
This vulnerability has been fixed in Code42 app version 6.8.4 and later. To remediate this vulnerability, upgrade the Code42 apps in your environment.
If you are unable to upgrade at this time, additional workarounds may be available depending on your
deployment. Contact our Code42 Customer Champions for more information.
CVE details
| CVE ID | CVE-2018-20131 |
|---|---|
| Date published | December 13, 2018 |
| Number of vulnerabilities | 1 |
| Products | Code42 for Enterprise |
| Affected product versions | Code42 app 6.8.3 and earlier on Linux |
| Vulnerability type | Insecure permissions |
| Attack type | Local |
| Impact | Escalation of privileges |
| Affected components | Linux, security |
| Attack vectors | An attacker can create files in the log directory that the Code42 app accesses as root. |
| Description of the vulnerability | In Code42 app version 6.8.3 and earlier on Linux devices, the Code42 app installs with overly permissive permissions on the /usr/local/crashplan/log directory. This allows a user to manipulate symbolic links to escalate privileges or show the contents of sensitive files that a regular user would not have access to. |
| Additional information | Thanks to Tiago Cunha of Mimecast for discovering this vulnerability. |
Other Code42 resources
- Code42: Security