Who is this article for?

Find your product plan in the Code42 console on the Account menu.

  • Instructor: no
  • Incydr Professional, Enterprise, Horizon, and Gov F2: yes
  • Incydr Basic, Advanced, and Gov F1: yes


Privilege Escalation in LoginToken API


Overview

This article provides details about a security vulnerability where an administrator can impersonate users with a greater set of permissions than themselves in order to perform a web restore.

To protect the security of our customers, we don't publish a security advisory until a vulnerability has been fully investigated and a patch or update is available that resolves the issue.

For more information about security at Code42, see our Security page. If you believe you've found a Code42 security vulnerability, see Report a security vulnerability to Code42.

If you have questions or concerns, contact our Technical Support Engineers.

Description

An administrator without web restore permission, but with the ability to manage users in an organization, can impersonate a user who does have web restore permission.

When requesting the token used to perform a web restore, an administrator with permission to manage a user could request that user's token. If the administrator was not authorized to perform web restores but the managed user was, this allowed the administrator to impersonate a user with greater permissions than their own. To exploit this vulnerability, the requester must be an administrator who manages an organization containing a user with greater permissions than themselves.
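To make the missing check concrete, the following is an added illustration, not Code42's code: the permission names, the organization model (an admin manages every user in their own org) and the token format are assumptions. It shows a token-issuance routine that only verifies the management relationship, beside one that also refuses to mint a token for a user holding any permission the requester lacks, and it shows why separating higher-privileged users into another organization also blocks the request.

```python
from dataclasses import dataclass

# Assumed permission names; the real product's permission model is not on the page.
WEB_RESTORE = "web_restore"
MANAGE_USERS = "manage_users"


@dataclass(frozen=True)
class User:
    name: str
    org: str
    permissions: frozenset


class LoginTokenDenied(Exception):
    """Raised when a token request for another user is refused."""


def can_manage(admin: User, target: User) -> bool:
    # Assumed model: an admin with manage_users manages every user in their own org.
    return MANAGE_USERS in admin.permissions and admin.org == target.org


def issue_token_vulnerable(admin: User, target: User) -> str:
    """Flawed check: management rights alone are enough to obtain the target's token."""
    if not can_manage(admin, target):
        raise LoginTokenDenied(f"{admin.name} does not manage {target.name}")
    return f"token-for:{target.name}"


def gained_permissions(admin: User, target: User) -> frozenset:
    """Permissions the requester would acquire by acting as the target."""
    return target.permissions - admin.permissions


def issue_token_fixed(admin: User, target: User) -> str:
    """Hardened check: also refuse tokens for users with permissions the requester lacks."""
    if not can_manage(admin, target):
        raise LoginTokenDenied(f"{admin.name} does not manage {target.name}")
    gained = gained_permissions(admin, target)
    if gained:
        raise LoginTokenDenied(
            f"{admin.name} would gain {sorted(gained)} by impersonating {target.name}"
        )
    return f"token-for:{target.name}"


# Constructed sample data: an org admin without web restore and a managed user with it.
ORG_ADMIN = User("alice", "org-1", frozenset({MANAGE_USERS}))
RESTORE_USER = User("bob", "org-1", frozenset({WEB_RESTORE}))
# Same user placed in a separate org, as in the advisory's workaround.
RESTORE_USER_SEGREGATED = User("bob", "org-2", frozenset({WEB_RESTORE}))
```

Running the two routines on the sample users shows the vulnerable check handing out `token-for:bob` while the fixed check refuses, and both refuse once the higher-privileged user lives in a different organization.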

Affected versions

Code42 Enterprise 6.8.4 or earlier

Resolution

This vulnerability has been fixed in Code42 agent version 6.8.5 and later. To remediate this vulnerability, upgrade the Code42 agents in your environment.

If you are unable to upgrade at this time, a workaround is to segregate higher privileged administrators in separate organizations. Contact our Code42 Customer Champions for more information.

CVE details

CVE ID: CVE-2019-11553
Date published: July 11, 2019
Number of vulnerabilities: 1
Products: Code42 for Enterprise
Affected product versions: Code42 for Enterprise 6.8.4 and earlier
Vulnerability type: Incorrect Access Control
Attack type: Remote
Impact: Escalation of privileges
Affected components: Code42 for Enterprise authority service
Attack vectors: An administrator can impersonate users with a greater set of permissions than themselves in order to perform a web restore

Description of the vulnerability:

An administrator can impersonate users with a greater set of permissions than themselves in order to perform a web restore.

When requesting the token used to perform a web restore, the token could be requested on behalf of a different user as long as the requester was an administrator able to manage that user. This left it possible to impersonate a user with greater permissions than the administrator who requested the token.

For this to be possible, the requester must be an administrator with access to manage an organization containing a user with greater permissions than themselves.

Additional information: Credit for discovery goes to Ryan Winkelmaier of NCC Group

Other Code42 resources

  • Code42: Security
  • If you want to be notified when Code42 identifies a security vulnerability, navigate to the Code42 email preferences page and check the box "Common Security and Vulnerability Reports" in the preferences form. 