Zero-Day Advisory

Fortinet Discovers CrashPlan Backup Authentication Bypass Vulnerability

Summary

Fortinet's FortiGuard Labs has discovered an Authentication Bypass vulnerability in CrashPlan cloud storage.

CrashPlan is aimed at small businesses and provides easy-to-use, unlimited automatic data backup and recovery. It helps small businesses and organizations recover quickly from any worst-case scenario, whether a disaster, simple human error, a stolen laptop or ransomware. The CrashPlan data security solution is a product of Code42, an industry leader protecting the critical data of more than 47,000 world-class organizations, including the largest global brands.

CrashPlan cloud storage is susceptible to an Authentication Bypass vulnerability. The issue occurs when the CrashPlan cloud storage handles a specific URL request copied from another user. A remote attacker may be able to exploit this to bypass authentication, leading to further attacks.

Solutions

Users should apply the solution provided by CrashPlan.

Timeline

Fortinet reported the vulnerability to CrashPlan on January 6, 2016.

CrashPlan released a patch for it on May 18, 2018.

Acknowledgement

This vulnerability was discovered by Honggang Ren of Fortinet's FortiGuard Labs.

IPS Subscription

Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against this vulnerability with the appropriate configuration parameters in place. Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.