Zero-Day Advisory
Fortinet Discovers CrashPlan Backup Authentication Bypass Vulnerability
Summary
Fortinet's FortiGuard Labs has discovered an Authentication Bypass vulnerability in CrashPlan cloud storage.
CrashPlan is for small businesses and provides easy-to-use, unlimited automatic data backup and recovery. It helps small businesses and organizations recover fast from any worst-case scenario, whether it is a disaster, simple human error, a stolen laptop or ransomware. The CrashPlan data security solution is a product of Code42, an industry leader protecting the critical data of more than 47,000 world-class organizations, including the largest global brands.
CrashPlan cloud storage is susceptible to an Authentication Bypass vulnerability. The issue occurs when CrashPlan cloud storage handles a specific URL request copied from another user. A remote attacker may be able to exploit this to bypass authentication, leading to further attacks.
Solutions
Users should apply the solution provided by CrashPlan.
Timeline
Fortinet reported the vulnerability to CrashPlan on January 6, 2016.
CrashPlan released a patch for it on May 18, 2018.