Who is this article for?
CrashPlan for Small Business, yes.
Code42 for Enterprise, yes.
Link: Product plans and features.
This article provides details about a security vulnerability in the Code42 app on Linux.
To protect the security of our customers, we don't publish a security advisory until a vulnerability has been fully investigated and a patch or update is available that resolves the issue.
If you have questions or concerns, contact our Customer Champions for support.
Code42 has identified a vulnerability in the Code42 app on Linux that allows an attacker to create files in
the log directory that the Code42 app accesses as root.
Code42 app version 6.8.3 and earlier on Linux devices
This vulnerability has been fixed in Code42 app version 6.8.4 and later. To remediate this vulnerability, upgrade the Code42 apps in your environment.
If you are unable to upgrade at this time, additional workarounds may be available depending on your
deployment. Contact our Code42 Customer Champions for more information.
|Date published||December 13, 2018|
|Number of vulnerabilities||1|
|Products||Code42 for Enterprise|
|Affected product versions||Code42 app 6.8.3 and earlier on Linux|
|Vulnerability type||Insecure permissions|
|Impact||Escalation of privileges|
|Affected components||Linux, security|
|Attack vectors||An attacker can create files in the log directory that the Code42 app accesses as root.|
|Description of the vulnerability||In Code42 app version 6.8.3 and earlier on Linux devices, the Code42 app installs with overly permissive permissions on the /usr/local/crashplan/log directory. This allows a user to manipulate symbolic links to escalate privileges or show the contents of sensitive files that a regular user would not have access to.|
|Additional information||Thanks to Tiago Cunha of Mimecast for discovering this vulnerability.|