Who is this article for?

Incydr
Code42 for Enterprise
CrashPlan for Enterprise
CrashPlan for Small Business

Incydr, yes.

CrashPlan for Enterprise, yes.

Code42 for Enterprise, yes.

CrashPlan for Small Business, yes.

Untrusted data is executed as System via a PAC file read by CrashPlanService.exe

Overview

This article provides details about a security vulnerability in the Code42 app.  

To protect the security of our customers, we don't publish a security advisory until a vulnerability has been fully investigated and a patch or update is available that resolves the issue.

For more information about security at Code42, see our Security page. If you believe you've found a Code42 security vulnerability, see Report a security vulnerability to Code42.

If you have questions or concerns, contact our Customer Champions for support.

Description 

A proxy auto-configuration file, crafted by a lesser privileged user, may be used to execute arbitrary code at a higher privilege as the service user.

Affected versions 

6.9.2 or earlier, 6.8.7 or earlier, 6.7.4 or earlier

Resolution 

This vulnerability has been fixed in Code42 app versions 6.9.4 and later, 6.8.8 and later, and 6.7.5 and later. To remediate this vulnerability, upgrade the Code42 apps in your environment.
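
The affected and fixed ranges above, applied as a triage check over a version inventory. This is an added example, not Code42 code: the hostnames and sample inventory are constructed, and it assumes versions compare numerically as major.minor.patch, with anything older than the 6.7 line counted under "6.7.4 or earlier". A version named in neither list (6.9.3) is reported as unlisted rather than guessed.

```python
# Added example: classify Code42 app versions against this advisory's ranges.
import re

# Per 6.x release line: (last affected patch, first fixed patch), from the advisory.
BRANCHES = {7: (4, 5), 8: (7, 8), 9: (2, 4)}


def parse_version(text):
    """Return (major, minor, patch) from a dotted version, or None if malformed."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)(?:[.\-+]\S*)?\s*$", text)
    return tuple(int(g) for g in m.groups()) if m else None


def classify(text):
    """Return 'affected', 'fixed', 'unlisted' or 'unknown' for CVE-2019-11552."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    major, minor, patch = version
    if (major, minor) < (6, 7):
        return "affected"      # assumption: older lines fall under "6.7.4 or earlier"
    if (major, minor) > (6, 9):
        return "fixed"         # later than 6.9.4
    last_affected, first_fixed = BRANCHES[minor]
    if patch <= last_affected:
        return "affected"
    if patch >= first_fixed:
        return "fixed"
    return "unlisted"          # e.g. 6.9.3: named in neither list


def triage(inventory):
    """Map hostname -> status for every host not confirmed fixed."""
    return {host: status for host, ver in inventory.items()
            if (status := classify(ver)) != "fixed"}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "ws-001": "6.9.2", "ws-002": "6.9.4", "ws-003": "6.8.7",
    "ws-004": "6.8.8", "ws-005": "6.7.5", "ws-006": "6.9.3",
    "ws-007": "6.5.2", "ws-008": "7.0.0", "ws-009": "n/a",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host}: {status}")
```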

CVE details 

CVE ID: CVE-2019-11552
Date published: July 11, 2019
Number of vulnerabilities: 1
Products: Code42 for Enterprise and CrashPlan for Small Business
Affected product versions: 6.9.2 or earlier, 6.8.7 or earlier, 6.7.4 or earlier
Vulnerability type: Other - Eval Injection
Attack type: Local
Impact: Escalation of privileges
Affected components: CrashPlan service
Attack vectors: Local configuration file
Description of the vulnerability: A proxy auto-configuration file, crafted by a lesser privileged user, may be used to execute arbitrary code at a higher privilege as the service user.
Additional information: Credit for discovery goes to: Vetle Økland, Nagarro AS
