MS-ISAC ADVISORY NUMBER:
2021-025
DATE(S) ISSUED:
02/10/2021
SUBJECT:
Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution
OVERVIEW:
Multiple vulnerabilities have been discovered in Adobe Products, the most severe of which could allow for arbitrary code execution.
- Photoshop is Adobe’s flagship image editing software.
- Acrobat is a family of application software and Web services mainly used to create, view and edit PDF documents.
- Illustrator is a vector graphics editor and design program.
- Animate is a multimedia authoring and computer animation program.
- Dreamweaver is used to develop and design websites.
- Magento is a leading provider of cloud commerce innovation to merchants and brands across B2C and B2B industries.
Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
THREAT INTELLIGENCE:
There are currently reports that CVE-2021-21017 has been exploited in the wild in limited attacks targeting Adobe Reader users on Windows.
SYSTEMS AFFECTED:
- Adobe Photoshop 2020 versions prior to 21.2.5
- Adobe Photoshop 2021 versions prior to 22.2
- Adobe Dreamweaver versions prior to 20.2.1 and 21.1
- Acrobat DC and Reader DC versions prior to 2021.001.20135
- Acrobat 2020 and Acrobat Reader 2020 versions prior to 2020.001.30020
- Acrobat 2017 and Acrobat Reader 2017 versions prior to 2017.011.30190
- Adobe Animate versions prior to 21.0.3
- Adobe Illustrator versions prior to 25.2
- Magento Commerce and Open Source versions prior to 2.4.2
- Magento Commerce and Open Source versions prior to 2.4.1-p1
- Magento Commerce and Open Source versions prior to 2.3.6-p1
RISK:
Government:
- Large and medium government entities: High
- Small government entities: Medium
Businesses:
- Large and medium business entities: High
- Small business entities: Medium
Home users: Low
TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Photoshop, Dreamweaver, Animate, Illustrator, Magento and Acrobat, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:
Adobe Photoshop
- Out-of-bounds read errors, which could allow for arbitrary code execution. (CVE-2021-21049, CVE-2021-21050)
- Out-of-bounds write error, which could allow for arbitrary code execution. (CVE-2021-21047)
- Buffer overflow vulnerabilities, which could allow for arbitrary code execution. (CVE-2021-21048, CVE-2021-21051)
Adobe Acrobat and Reader
- Buffer overflow vulnerabilities, which could allow for arbitrary code execution and denial-of-service. (CVE-2021-21046, CVE-2021-21058, CVE-2021-21059, CVE-2021-21062, CVE-2021-21063)
- Heap-based buffer overflow vulnerability, which could allow for arbitrary code execution. (CVE-2021-21017)
- Path traversal vulnerability, which could allow for arbitrary code execution. (CVE-2021-21037)
- Integer overflow vulnerability, which could allow for arbitrary code execution. (CVE-201-21036)
- Improper access control vulnerability, which could allow privilege escalation. (CVE-2021-21045)
- Out-of-bounds read errors, which could allow for privilege escalation. (CVE-2021-21042, CVE-2021-21034)
- Use-after-free vulnerabilities, which could allow for arbitrary code execution and information disclosure. (CVE-2021-21061, CVE-2021-21041, CVE-2021-21040, CVE-2021-21039, CVE-2021-21035, CVE-2021-21033, CVE-2021-21028, CVE-2021-21021)
- Out-of-bounds write errors, which could allow for arbitrary code execution. (CVE-2021-21044, CVE-2021-21038)
- NULL pointer dereference vulnerability, which could allow for information disclosure. (CVE-2021-21057)
- Improper input validation, which could allow for information disclosure. (CVE-2021-21060)
Adobe Dreamweaver
- Uncontrolled search path error, which could allow for information disclosure. (CVE-2021-21055)
Adobe Animate
- Out-of-bounds read error, which could allow for arbitrary code execution. (CVE-2021-21052)
Adobe Illustrator
- Out-of-bounds write errors, which could allow for arbitrary code execution. (CVE-2021-21053, CVE-2021-21054)
Magento
- Insecure direct object reference (IDOR) vulnerabilities, which could allow for unauthorized access to restricted resources. (CVE-2021-21012, CVE-2021-21013, CVE-2021-21022)
- File upload allow list bypass vulnerability, which could allow for arbitrary code execution. (CVE-2021-21014)
- Security bypass vulnerabilities, which could allow for arbitrary code execution. (CVE-2021-21015, CVE-2021-21016, CVE-2021-21025)
- Command injection vulnerability, which could allow for arbitrary code execution. (CVE-2021-21018)
- XML injection vulnerability, which could allow for arbitrary code execution. (CVE-2021-21019)
- Access control bypass vulnerability, which could allow for unauthorized access to restricted resources. (CVE-2021-21020)
- Stored XXS vulnerabilities, which could allow for arbitrary JavaScript execution in the browser. (CVE-2021-21023, CVE-2021-21030)
- Blind SQL injection vulnerability, which could allow for unauthorized access to restricted resources. (CVE-2021-21024)
- Improper authorization vulnerability, which could allow for unauthorized access to restricted resources. (CVE-2021-21026)
- CSRF vulnerability, which could allow for unauthorized modification of customer metadata. (CVE-2021-21027)
- Reflected XXS vulnerability, which could allow for arbitrary JavaScript execution in the browser. (CVE-2021-21029)
- Insufficient invalidation of user session vulnerabilities, which could allow for unauthorized access to restricted resources. (CVE-2021-21031, CVE-2021-21032)
Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
RECOMMENDATIONS:
We recommend the following actions be taken:
- Install the updates provided by Adobe immediately after appropriate testing.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
- Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.
- Apply the Principle of Least Privilege to all systems and services.
REFERENCES:
Adobe:
CVE: