Untrusted data is executed as System via a PAC file read by CrashPlanService.exe

Who is this article for?

  • Code42 for Enterprise: yes
  • CrashPlan for Small Business: yes

See Product plans and features.

Overview

This article provides details about a security vulnerability in the Code42 app.

To protect the security of our customers, we don't publish a security advisory until a vulnerability has been fully investigated and a patch or update is available that resolves the issue.

For more information about security at Code42, see our Security page. If you believe you've found a Code42 security vulnerability, see Report a security vulnerability to Code42.

If you have questions or concerns, contact our Customer Champions for support.

Description

A proxy auto-configuration file, crafted by a lesser privileged user, may be used to execute arbitrary code at a higher privilege as the service user.

Affected versions

6.9.2 or earlier, 6.8.7 or earlier, 6.7.4 or earlier

Resolution

This vulnerability has been fixed in Code42 app versions 6.9.4 and later, 6.8.8 and later, and 6.7.5 and later. To remediate this vulnerability, upgrade the Code42 apps in your environment.
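Added example (not Code42's code or tooling): a Python check that classifies Code42 app version strings from an inventory against the affected and fixed ranges stated in this advisory, so an administrator can list which hosts still need the upgrade. The inventory and host names are constructed; versions that sit between a branch's last affected build and its first fixed build (such as 6.9.3) are reported as unknown because the advisory does not mention them.

```python
"""Classify Code42 app versions against the CVE-2019-11552 advisory."""

# Per maintained branch, from the advisory: (last affected build, first fixed build).
BRANCHES = [
    ((6, 9, 2), (6, 9, 4)),
    ((6, 8, 7), (6, 8, 8)),
    ((6, 7, 4), (6, 7, 5)),
]
NEWEST_FIXED = BRANCHES[0][1]   # anything at or above 6.9.4 carries the fix
OLDEST_AFFECTED = BRANCHES[-1][0]  # "6.7.4 or earlier" also covers older lines


def parse_version(text):
    """Turn 'major.minor.patch' into a comparable tuple; missing parts pad to 0."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def classify(text):
    """Return 'affected', 'fixed' or 'unknown' for one version string."""
    v = parse_version(text)
    if v >= NEWEST_FIXED:
        return "fixed"
    for last_affected, first_fixed in BRANCHES:
        if v[:2] == last_affected[:2]:  # same major.minor branch
            if v <= last_affected:
                return "affected"
            if v >= first_fixed:
                return "fixed"
            return "unknown"  # e.g. 6.9.3: listed as neither affected nor fixed
    if v < OLDEST_AFFECTED:
        return "affected"
    return "unknown"


def hosts_needing_upgrade(inventory):
    """Return (host, version, status) for every host not confirmed as fixed."""
    return [(host, ver, classify(ver))
            for host, ver in inventory if classify(ver) != "fixed"]


# Constructed sample inventory (hypothetical hosts), e.g. exported from an endpoint tool.
SAMPLE_INVENTORY = [
    ("ws-01", "6.9.2"), ("ws-02", "6.9.4"), ("ws-03", "6.8.7"),
    ("ws-04", "6.7.5"), ("ws-05", "6.9.3"), ("ws-06", "7.0.1"),
]

if __name__ == "__main__":
    for row in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print("%s  %s  %s" % row)
```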

CVE details

CVE ID: CVE-2019-11552
Date published: July 11, 2019
Number of vulnerabilities: 1
Products: Code42 for Enterprise and CrashPlan for Small Business
Affected product versions: 6.9.2 or earlier, 6.8.7 or earlier, 6.7.4 or earlier
Vulnerability type: Other - Eval Injection
Attack type: Local
Impact: Escalation of privileges
Affected components: CrashPlan service
Attack vectors: Local configuration file
Description of the vulnerability: A proxy auto-configuration file, crafted by a lesser privileged user, may be used to execute arbitrary code at a higher privilege as the service user.
Additional information: Credit for discovery goes to Vetle Økland, Nagarro AS
