Permissions vulnerability in Code42 app on Linux

Who is this article for?

Incydr: yes
Code42 for Enterprise: yes
CrashPlan for Enterprise: yes
CrashPlan for Small Business: yes

Overview

This article provides details about a security vulnerability in the Code42 app on Linux.  

To protect the security of our customers, we don't publish a security advisory until a vulnerability has been fully investigated and a patch or update is available that resolves the issue.

For more information about security at Code42, see our Security page. If you believe you've found a Code42 security vulnerability, see Report a security vulnerability to Code42.

If you have questions or concerns, contact our Customer Champions for support.

Description

Code42 has identified a vulnerability in the Code42 app on Linux that allows an attacker to create files in the log directory that the Code42 app accesses as root.

Affected versions

Code42 app version 6.8.3 and earlier on Linux devices

Resolution

This vulnerability has been fixed in Code42 app version 6.8.4 and later. To remediate this vulnerability, upgrade the Code42 apps in your environment.

If you are unable to upgrade at this time, additional workarounds may be available depending on your deployment. Contact our Code42 Customer Champions for more information.

CVE details

CVE ID: CVE-2018-20131
Date published: December 13, 2018
Number of vulnerabilities: 1
Products: Code42 for Enterprise
Affected product versions: Code42 app 6.8.3 and earlier on Linux
Vulnerability type: Insecure permissions
Attack type: Local
Impact: Escalation of privileges
Affected components: Linux, security
Attack vectors: An attacker can create files in the log directory that the Code42 app accesses as root.
Description of the vulnerability: In Code42 app version 6.8.3 and earlier on Linux devices, the Code42 app installs with overly permissive permissions on the /usr/local/crashplan/log directory. This allows a user to manipulate symbolic links to escalate privileges or show the contents of sensitive files that a regular user would not have access to.
Additional information: Thanks to Tiago Cunha of Mimecast for discovering this vulnerability.
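The two conditions the description above combines, a log directory that unprivileged users can write into and symbolic links inside it that a root process may follow, are both checkable from the command line. The script below is an added example written for this page, not Code42 tooling, and it does not touch the real /usr/local/crashplan/log directory: it audits whatever directory it is given, flags group/other write access and any symlinks, and applies the corresponding permission fix. It assumes GNU coreutils and findutils on Linux, and its walk-through runs entirely in a scratch directory it constructs itself.

```shell
#!/bin/sh
# Added example, not Code42's own code: audit and harden a directory that a
# root-level process writes logs into, as the advisory describes for
# /usr/local/crashplan/log. Assumes GNU coreutils/findutils on Linux.
#
# Two conditions are flagged:
#   1. the directory is writable by group or others, so an unprivileged
#      user can place entries there that the privileged writer acts on;
#   2. the directory tree contains symbolic links, which a privileged writer
#      that opens paths by name may follow to an unrelated file.
# The return value is the number of findings (0 = clean).
audit_log_dir() {
    dir=$1
    issues=0
    if [ ! -d "$dir" ]; then
        echo "audit: $dir is not a directory" >&2
        return 1
    fi
    octal=$(stat -c %a "$dir")          # e.g. 777 or 1777 (GNU stat)
    mode=$(( 0$octal ))                 # leading 0 -> octal arithmetic
    if [ $(( mode & 2 )) -ne 0 ]; then
        echo "FINDING: $dir is writable by others (mode $octal)"
        issues=$(( issues + 1 ))
    fi
    if [ $(( mode & 16 )) -ne 0 ]; then
        echo "FINDING: $dir is writable by group (mode $octal)"
        issues=$(( issues + 1 ))
    fi
    links=$(find "$dir" -mindepth 1 -type l | wc -l | tr -d ' ')
    if [ "$links" -gt 0 ]; then
        find "$dir" -mindepth 1 -type l -exec printf 'FINDING: symlink %s\n' {} \;
        issues=$(( issues + links ))
    fi
    return "$issues"
}

# Remove group and other write access. A directory only root writes to should
# also be owned root:root; that step is left commented out because this
# sample runs unprivileged.
harden_log_dir() {
    chmod 0750 "$1"
    # chown root:root "$1"
}

# Constructed walk-through in a scratch directory; nothing on the real
# system is modified.
demo() {
    work=$(mktemp -d)
    logdir=$work/log
    mkdir "$logdir"
    chmod 0777 "$logdir"                                  # the weak setting
    printf 'constructed stand-in\n' > "$work/sensitive.txt"
    ln -s "$work/sensitive.txt" "$logdir/service.log"     # hostile entry

    echo "== before =="
    audit_log_dir "$logdir" || echo "findings: $?"

    echo "== after =="
    harden_log_dir "$logdir"
    rm "$logdir/service.log"            # operator reviews and removes the link
    audit_log_dir "$logdir" && echo "clean"
    rm -rf "$work"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh audit_log_dir.sh --demo` to see the weak directory produce three findings (other-write, group-write, one symlink) and the hardened one produce none. The symlink check is deliberately a finding rather than an automatic deletion, since an operator should see what the link pointed at before removing it; on the writer side, the complementary control is for the privileged process to open log files with O_NOFOLLOW or to create the directory itself with root ownership and mode 0750, which is the effect of the fix in Code42 app 6.8.4.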
