**CRITICAL RISK** CVE-2023-21608 Adobe Acrobat (Multiple Editions) – Arbitrary Code Execution via ‘Use After Free’ (Memory Access Violation) Vulnerability in resetForm Method

Adobe Acrobat is a family of application software and Web services developed by Adobe Inc. to view, create, manipulate, print and manage Portable Document Format (PDF) files.

Background & Context

Adobe Acrobat is a family of application software and Web services developed by Adobe Inc. to view, create, manipulate, print and manage Portable Document Format (PDF) files. The family comprises Acrobat Reader (formerly Reader), Acrobat (formerly Exchange) and Acrobat.com.

The basic Acrobat Reader, available for several desktop and mobile platforms, is freeware; it supports viewing, printing, scaling or resizing and annotating of PDF files. Additional, “Premium”, services are available on paid subscription. The commercial proprietary Acrobat, available for Microsoft Windows and macOS only, can also create, edit, convert, digitally sign, encrypt, export and publish PDF files. Acrobat.com complements the family with a variety of enterprise content management and file hosting services.

 

Vulnerability Summary

Adobe Acrobat Reader versions are affected by a Use After Free vulnerability. Memory is allocated to another pointer validly at some point after it has been freed. The original pointer to the freed memory is used again and points to somewhere within the new allocation. As the data is changed, it corrupts the validly used memory; this induces undefined behaviour in the process.

 

Impact If Exploited

As a result of the Use After Free, function pointers may be scattered within the heap data. If one of these function pointers is overwritten with an address to valid shellcode, execution of arbitrary code can be achieved in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

NOTE: This vulnerability has been reported by the CISA (America’s Cyber Defense Agency) to be known to be currently actively exploited in the wild as of 2023-10-11. Exploits have been available in the wild on sites such as GitHub since at least 2023-02-02. Prioritisation should be given to remediation in any impacted environment.

 

Affected Product Versions

  • Adobe Acrobat DC version 22.003.20282 (Win), 22.003.20281 (Mac) and earlier versions
  • Adobe Acrobat Reader DC version 22.003.20282 (Win), 22.003.20281 (Mac) and earlier versions
  • Adobe Acrobat 2020 version 20.005.30418 and earlier versions (Windows & macOS)
  • Adobe Acrobat Reader 2020 version 20.005.30418 and earlier versions (Windows & macOS)

Remediation

Official Fix & Remediation Guidance

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. Customers are advised to upgrade to the latest version of Adobe Acrobat Reader. Adobe recommends users update their software installations to the latest versions by following the instructions below.

The latest product versions are available to end users via one of the following methods:

  • Users can update their product installations manually by choosing Help > Check for Updates.
  • The products will update automatically, without requiring user intervention, when updates are detected.
  • The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center (https://get.adobe.com/reader).

For IT administrators (managed environments):

  • Refer to the specific release note version for links to installers.
  • Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.

Temporary Mitigation & Workarounds

(The vendor has not advised of any alternative temporary mitigation or workarounds)

NOTE: Caution should always be taken in applying any temporary mitigations listed. Mitigations are only recommended in cases where patches to remediate the vulnerability are not available, or cannot safely be applied to a given environment immediately. A given mitigation may not in all cases be recommended officially by the application vendor. The viability of any given temporary mitigation measure may vary, depending on server platform and existing configuration. Mitigations listed may incompletely remediate any given vulnerability. Configuration changes to implement listed mitigations may impact/disrupt required functionality within a given customer application. Care should therefore be taken to carefully analyse any listed mitigations for appropriateness to a given environment. Customers are advised to test any configuration changes prior to their being introduced into a production environment.

References:

Category: Memory Access Violation

 

Detection

AppCheck has added a plugin to detect the flaw that will run as part of your standard scans.

 

About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).

Get started with Appcheck

No software to download or install.

Contact us or call us 0113 887 8380

About Appcheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network and cloud infrastructure. AppCheck are authorized by te Common Vulnerabilities and Exposures (CVE) Program aas a CVE Numbering Authority (CNA)

No software to download or install.
Contact us or call us 0113 887 8380

Start your free trial

Your details
IP Addresses
URLs

Get in touch