CVE-2020-12736
📋 TL;DR
CVE-2020-12736 is a server-side template injection vulnerability in Code42 on-premises servers that allows remote code execution. When administrators create local users via email invitations and modify the email subject line with template language code, malicious code can be executed on the server. This affects Code42 environments with server versions 7.0.4 and earlier.
💻 Affected Systems
- Code42 CrashPlan
- Code42 Incydr
- Code42 environments with on-premises server
📦 What is this software?
Code42 by Code42
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise allowing an attacker to execute arbitrary code with the privileges of the Code42 server process, potentially leading to data exfiltration, lateral movement, or ransomware deployment.
Likely Case
Compromise of administrator credentials leading to unauthorized access to sensitive backup data and potential data theft.
If Mitigated
Limited impact if proper input validation and least privilege principles are followed, with only authorized administrators able to trigger the vulnerability.
🎯 Exploit Status
Exploitation requires administrator privileges to access the user invitation functionality.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.0.5 and later
Vendor Advisory: https://code42.com/r/support/CVE-2020-12736
Restart Required: Yes
Instructions:
1. Download Code42 server version 7.0.5 or later from official vendor sources.
2. Back up the current configuration and data.
3. Install the update following vendor documentation.
4. Restart Code42 services.
5. Verify functionality post-update.
🔧 Temporary Workarounds
Disable local user creation via email
Prevent administrators from creating local users via email invitations to eliminate the attack vector.
Configure via Code42 admin console: Settings > User Management > Disable email invitations for local users
Implement input validation
Add server-side input validation to sanitize email subject content before processing.
Implement template-language escaping in the email generation services so that subject text is never evaluated as a template.
🧯 If You Can't Patch
- Restrict administrator access to only trusted personnel and implement multi-factor authentication
- Monitor and audit all user creation activities, especially email invitation modifications
🔍 How to Verify
Check if Vulnerable:
Check Code42 server version via admin console or command line. Versions 7.0.4 and earlier are vulnerable.
Check Version:
On Linux: /usr/local/crashplan/bin/CrashPlanEngine -v | grep version
On Windows: Check version in Control Panel > Programs > Code42
Verify Fix Applied:
Verify server version is 7.0.5 or later and test that template injection in email subject no longer executes code.
📡 Detection & Monitoring
Log Indicators:
- Unusual administrator activity creating users with modified email subjects
- Template language patterns in email generation logs
- Unexpected process execution from Code42 services
Network Indicators:
- Unusual outbound connections from Code42 server
- Suspicious payloads in HTTP requests to user management endpoints
SIEM Query:
source="code42" AND (event="user_creation" OR event="email_invitation") AND (subject CONTAINS "$" OR subject CONTAINS "#")
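The following is an added example, not code from the page or from Code42, that implements both the input-validation workaround above (rejecting subject lines containing template markers before they reach the email generation service) and the SIEM query in this section as a script that can be run over exported audit logs. The log lines, the key="value" log format, the field names, the admin names and the 200-character subject limit are all constructed assumptions; the page does not give Code42's real log layout, and the check keys only on the "$" and "#" markers the query itself names.

```python
import re
from typing import Dict, List

# Constructed sample audit log lines (an assumption: the page gives no real
# Code42 log format, so a simple key="value" layout is used here).
SAMPLE_LOGS = [
    'source="code42" event="email_invitation" admin="alice" subject="Welcome to Code42"',
    'source="code42" event="email_invitation" admin="bob" subject="Welcome ${user.name}"',
    'source="code42" event="user_creation" admin="carol" subject="Invite #set(x)"',
    'source="mail" event="email_invitation" admin="dave" subject="$100 bonus"',
    'source="code42" event="login" admin="erin" subject="#1 ticket"',
]

# key="value" pairs; backslash-escaped quotes inside a value are allowed.
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

# Characters the SIEM query on the page treats as template-language markers.
TEMPLATE_MARKERS = ("$", "#")

# Event types the SIEM query on the page watches.
WATCHED_EVENTS = frozenset({"user_creation", "email_invitation"})

MAX_SUBJECT_LEN = 200  # assumed limit for the validation workaround


def parse_log_line(line: str) -> Dict[str, str]:
    """Parse one key="value" log line into a dict, unescaping backslash-quote in values."""
    return {k: v.replace('\\"', '"') for k, v in KV_RE.findall(line)}


def subject_has_template_markers(subject: str) -> bool:
    """True if the subject contains a character a template engine may interpret."""
    return any(marker in subject for marker in TEMPLATE_MARKERS)


def validate_subject(subject: str) -> bool:
    """Server-side input validation for the workaround: accept the subject only
    if it is a non-empty, bounded, single-line string without template markers."""
    if not subject or len(subject) > MAX_SUBJECT_LEN:
        return False
    if "\r" in subject or "\n" in subject:  # also blocks mail header injection
        return False
    return not subject_has_template_markers(subject)


def matches_query(record: Dict[str, str]) -> bool:
    """The SIEM query with explicit precedence:
    source AND event AND (subject contains "$" OR subject contains "#")."""
    return (
        record.get("source") == "code42"
        and record.get("event") in WATCHED_EVENTS
        and subject_has_template_markers(record.get("subject", ""))
    )


def find_suspicious(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed records that match the query, in log order."""
    return [rec for rec in map(parse_log_line, lines) if matches_query(rec)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOGS):
        print(f"ALERT admin={hit['admin']} event={hit['event']} subject={hit['subject']!r}")
```

Run against the constructed sample, only the two Code42 invitation/creation events with "$" or "#" in the subject are reported; the "$100 bonus" line from a different source and the "#1 ticket" login event are not, which is exactly what the parenthesised form of the SIEM query is meant to achieve.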