Untrusted data is executed as System via a PAC file read by CrashPlanService.exe

Overview

This article provides details about a security vulnerability in the Code42 agent.  

To protect the security of our customers, we don't publish a security advisory until a vulnerability has been fully investigated and a patch or update is available that resolves the issue.

For more information about security at Code42, see our Security page. If you believe you've found a Code42 security vulnerability, see Report a security vulnerability to Code42.

If you have questions or concerns, contact our Technical Support Engineers.

Description

A proxy auto-configuration (PAC) file crafted by a lesser-privileged local user can be used to execute arbitrary code at a higher privilege as the service user. A PAC file is JavaScript that a proxy client evaluates to choose a proxy for each URL; because CrashPlanService.exe evaluates the file while running as the local SYSTEM account, code placed in that file runs with SYSTEM privileges rather than those of the user who wrote it.

Affected versions 

6.9.2 or earlier, 6.8.7 or earlier, 6.7.4 or earlier

Resolution 

This vulnerability is fixed in Code42 agent versions 6.9.4 and later, 6.8.8 and later, and 6.7.5 and later. To remediate it, upgrade the Code42 apps in your environment to the fixed release for the branch you run, or to a later release, and confirm the installed version afterwards.
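The following is an added example, not Code42's code: it classifies agent version strings against the affected and fixed ranges stated in this advisory so that an inventory export can be triaged for upgrade. It assumes versions are reported as "major.minor.patch" (any further build component is ignored), treats the gap the advisory leaves between "6.9.2 or earlier" and "6.9.4 and later" conservatively as needing an upgrade, and assumes (not stated above) that branches newer than 6.9 shipped with the fix. The host inventory is constructed sample data.

```python
"""Triage Code42 agent versions against CVE-2019-11552 (added example, not Code42 code)."""
from __future__ import annotations

# First patched build of each branch, taken from the advisory's Resolution section.
FIXED_IN: dict[tuple[int, int], tuple[int, int, int]] = {
    (6, 7): (6, 7, 5),
    (6, 8): (6, 8, 8),
    (6, 9): (6, 9, 4),
}
# "6.7.4 or earlier" covers every branch older than 6.7 as well.
OLDEST_PATCHED_BRANCH = (6, 7)
# Assumption (not stated in the advisory): branches newer than 6.9 include the fix.
NEWEST_KNOWN_BRANCH = (6, 9)

# Constructed sample inventory: hostname -> agent version as reported by the endpoint.
SAMPLE_INVENTORY = {
    "ws-finance-01": "6.9.2",
    "ws-finance-02": "6.9.4",
    "ws-legal-07": "6.8.8",
    "srv-build-03": "6.7.4",
    "ws-eng-12": "7.0.1",
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor.patch'; trailing build components (e.g. '6.9.2.1234') are ignored."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts[:3])
    return major, minor, patch


def classify(text: str) -> str:
    """Return 'affected', 'fixed' or 'assumed-fixed' for one agent version string."""
    version = parse_version(text)
    branch = version[:2]
    if branch < OLDEST_PATCHED_BRANCH:
        # Anything older than 6.7 falls under "6.7.4 or earlier".
        return "affected"
    if branch in FIXED_IN:
        # Builds between the last listed affected build and the first fixed build
        # (e.g. 6.9.3) are below FIXED_IN and therefore reported as affected.
        return "fixed" if version >= FIXED_IN[branch] else "affected"
    if branch > NEWEST_KNOWN_BRANCH:
        # Assumption, not advisory text: later branches carry the fix.
        return "assumed-fixed"
    # Branches 6.7 to 6.9 are all in FIXED_IN; this guards against a gap in the table.
    return "affected"


def hosts_needing_upgrade(inventory: dict[str, str]) -> list[str]:
    """Return the sorted hostnames whose agent version is classified as affected."""
    return sorted(host for host, ver in inventory.items() if classify(ver) == "affected")


if __name__ == "__main__":
    for host, ver in sorted(SAMPLE_INVENTORY.items()):
        print(f"{host:<16} {ver:<10} {classify(ver)}")
    print("upgrade required:", ", ".join(hosts_needing_upgrade(SAMPLE_INVENTORY)))
```

In practice the inventory dict would be filled from the Code42 console's device export or from an endpoint management tool; the classification logic is the only part that depends on this advisory.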

CVE details 

CVE ID CVE-2019-11552
Date published July 11, 2019
Number of vulnerabilities 1
Products Code42 for Enterprise and CrashPlan for Small Business
Affected product versions 6.9.2 or earlier, 6.8.7 or earlier, 6.7.4 or earlier
Vulnerability type Other - Eval Injection
Attack type Local
Impact Escalation of privileges
Affected components CrashPlan service
Attack vectors Local configuration file
Description of the vulnerability A proxy auto-configuration file, crafted by a lesser privileged user, may be used to execute arbitrary code at a higher privilege as the service user.
Additional information Credit for discovery goes to: Vetle Økland, Nagarro AS

Other Code42 resources

  • Code42: Security
  • If you want to be notified when Code42 identifies a security vulnerability, navigate to the Code42 email preferences page and check the box "Common Security and Vulnerability Reports" in the preferences form. 
