CVE-2019-11552 in Code42

Summary

by MITRE

Code42 Enterprise and Crashplan for Small Business Client version 6.7 before 6.7.5, 6.8 before 6.8.8, and 6.9 before 6.9.4 allows eval injection. A proxy auto-configuration file, crafted by a lesser privileged user, may be used to execute arbitrary code at a higher privilege as the service user.


Analysis

by VulDB Data Team • 07/08/2020

CVE-2019-11552 affects the Code42 Enterprise and CrashPlan for Small Business client in versions 6.7 before 6.7.5, 6.8 before 6.8.8, and 6.9 before 6.9.4. It is a code execution flaw caused by improper input validation in the client's handling of proxy auto-configuration (PAC) files: a less privileged user can craft a PAC file that the client later evaluates with elevated privileges, which turns the bug into a privilege escalation vector.

The flaw lies in how the client processes PAC files: it neither sanitizes nor validates the user-supplied file before executing the proxy configuration script it contains. This is CWE-94 (Code Injection), here in the form of eval injection, where untrusted data is passed to an interpreter as part of a command or query. Because the proxy configuration is neither isolated from the interpreter nor validated before reaching it, attacker-controlled content is executed as code instead of being treated as configuration data.

The operational impact is severe: a low-privilege attacker can execute arbitrary code with the permissions of the service user. For organizations that rely on these backup clients this is a significant risk, since a compromised endpoint can be used to reach further network resources and may lead to full system compromise or lateral movement. Enterprise environments are particularly exposed because the client is typically deployed on many endpoints, each of which is a potential entry point.

From an attack perspective, the vulnerability maps to ATT&CK technique T1059.007 (Command and Scripting Interpreter) and T1068 (Exploitation for Privilege Escalation). The attack chain typically starts with an initial compromise of a user account, followed by placement of a malicious proxy configuration file that triggers the eval injection. Organizations should update to the patched versions named in the CVE, enforce strict access controls on proxy configuration files, and monitor for unusual proxy configuration changes. Network segmentation and privilege minimization further limit the impact of such a compromise. The vulnerability illustrates how important input validation and proper privilege separation are in client-side applications that handle network configuration data.
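The access-control and monitoring mitigations above can be made concrete as a pre-load gate: before a privileged service hands a PAC file to any script interpreter, it verifies that the file is a regular file owned by a trusted account, is not writable by other users, and has not changed since a known baseline. The following is an added example written for this page, not Code42's or VulDB's code; it assumes a POSIX-style host where the service can stat the file, and the trusted-owner policy, file contents and size limit are constructed for the demonstration.

```python
"""Pre-load gate and change monitor for a proxy auto-configuration (PAC) file.

Added illustration, not Code42 or VulDB code. It assumes a POSIX-style host
where the privileged service can stat the PAC file before handing it to a
script interpreter; the trusted-owner policy and sample file are constructed.
"""
import hashlib
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class PacPolicy:
    # Owners allowed to supply a PAC to the privileged service (constructed
    # policy). An ordinary user must never be able to place a file that the
    # service will evaluate with its own privileges.
    trusted_uids: frozenset
    max_bytes: int = 64 * 1024


def check_pac_metadata(mode: int, uid: int, size: int, policy: PacPolicy) -> list:
    """Return the policy violations for a file's metadata (empty list == acceptable).

    Checking ownership and write bits before evaluation closes the path where a
    lower-privileged writer controls what the service executes.
    """
    problems = []
    if not stat.S_ISREG(mode):
        problems.append("not a regular file")
    if uid not in policy.trusted_uids:
        problems.append(f"owned by uid {uid}, which is not a trusted account")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group- or world-writable")
    if size > policy.max_bytes:
        problems.append(f"{size} bytes exceeds the {policy.max_bytes}-byte limit")
    return problems


def check_pac_file(path: str, policy: PacPolicy) -> list:
    """Stat the real file and apply the metadata policy."""
    # lstat, not stat: a symlink planted by another user must itself be rejected
    # rather than silently followed to a file with acceptable metadata.
    st = os.lstat(path)
    return check_pac_metadata(st.st_mode, st.st_uid, st.st_size, policy)


def content_digest(data: bytes) -> str:
    """SHA-256 of the PAC contents, used as the baseline for change detection."""
    return hashlib.sha256(data).hexdigest()


def pac_changed(path: str, baseline_hex: str) -> tuple:
    """Return (changed, current_digest) so a monitor can alert on an unexpected change."""
    with open(path, "rb") as fh:
        current = content_digest(fh.read())
    return current != baseline_hex, current


if __name__ == "__main__":
    import tempfile

    # Constructed PAC file for the demonstration; the content is a plain, benign PAC.
    sample = b'function FindProxyForURL(url, host) { return "DIRECT"; }\n'
    with tempfile.NamedTemporaryFile("wb", suffix=".pac", delete=False) as tmp:
        tmp.write(sample)
        pac_path = tmp.name
    policy = PacPolicy(trusted_uids=frozenset({os.getuid()}))

    os.chmod(pac_path, 0o644)
    print("0644, trusted owner:", check_pac_file(pac_path, policy) or "ok")
    os.chmod(pac_path, 0o666)
    print("0666, trusted owner:", check_pac_file(pac_path, policy))

    baseline = content_digest(sample)
    print("unchanged since baseline:", not pac_changed(pac_path, baseline)[0])
    os.unlink(pac_path)
```

The metadata check is deliberately separated from the filesystem call so the policy can be unit-tested without creating files; the service would call `check_pac_file` and refuse to evaluate the script when the returned list is non-empty, and a monitor would periodically call `pac_changed` against the digest recorded at deployment time and raise an alert on any mismatch.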

Reservation

04/25/2019

Moderation

accepted

CPE

ready

EPSS

0.00545

KEV

no

Activities

very low
