
Multiple Vulnerabilities in Adobe Acrobat and Reader Could Allow for Arbitrary Code Execution (APSB19-49)

MS-ISAC ADVISORY NUMBER:

2019-109

DATE(S) ISSUED:

10/15/2019

OVERVIEW:

Multiple vulnerabilities have been discovered in Adobe Acrobat and Adobe Reader, the most severe of which could allow for arbitrary code execution. Adobe Acrobat and Reader allow a user to view, create, manipulate, print and manage files in Portable Document Format (PDF). Successful exploitation of the most severe of these vulnerabilities could result in the attacker gaining control of the affected system. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:

There are no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Acrobat DC (Continuous track) for Windows & macOS version 2019.012.20040 and earlier versions
  • Acrobat Reader DC (Continuous track) for Windows & macOS version 2019.012.20040 and earlier versions
  • Acrobat 2017 (Classic 2017 track) for Windows & macOS version 2017.011.30148 and earlier versions
  • Acrobat Reader 2017 (Classic 2017 track) for Windows & macOS version 2017.011.30148 and earlier versions
  • Acrobat 2015 (Classic 2015 track) for Windows & macOS version 2015.006.30503 and earlier versions
  • Acrobat Reader 2015 (Classic 2015 track) for Windows & macOS version 2015.006.30503 and earlier versions
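
The version thresholds above can be checked against a software inventory. The following is an added example, not part of the original advisory or any Adobe or CIS tooling. It assumes each inventory row carries the host, the release track and the version string, and that a two-digit year ("19.012.20040") is the short form of the four-digit one; the host names and sample rows are constructed.

```python
import re

# Highest affected version per track, copied from the SYSTEMS AFFECTED list.
LAST_AFFECTED = {
    "continuous": (2019, 12, 20040),
    "classic 2017": (2017, 11, 30148),
    "classic 2015": (2015, 6, 30503),
}

VERSION_RE = re.compile(r"^(\d{2}|\d{4})\.(\d{1,3})\.(\d{5})$")


def parse_version(text):
    """Return (year, major, build) as ints, or None if the string is malformed."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    year, major, build = (int(g) for g in m.groups())
    if year < 100:  # assumption: "19.x.y" is the short form of "2019.x.y"
        year += 2000
    return (year, major, build)


def classify(track, version):
    """Return 'affected', 'not affected' or 'review' for one install."""
    limit = LAST_AFFECTED.get(track.strip().lower())
    parsed = parse_version(version)
    if limit is None or parsed is None:
        return "review"  # unknown track or unparseable version: check by hand
    # Numeric tuple comparison; comparing the raw strings would misorder
    # values such as "2019.8.x" and "2019.012.x".
    return "affected" if parsed <= limit else "not affected"


def triage(inventory):
    """Map each (host, track, version) row to its classification."""
    return {host: classify(track, version) for host, track, version in inventory}


# Constructed inventory rows (hypothetical hosts), not data from the advisory.
SAMPLE_INVENTORY = [
    ("ws-01", "Continuous", "2019.012.20040"),
    ("ws-02", "Continuous", "19.012.20041"),
    ("ws-03", "Classic 2017", "2017.011.30148"),
    ("ws-04", "Classic 2015", "2015.006.30504"),
    ("ws-05", "Classic 2015", "15.6.30503 beta"),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(host, verdict)
```

A "not affected" result only means the version is above the threshold listed in this advisory for that track.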

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: MEDIUM
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: MEDIUM
Home Users: LOW

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Adobe Acrobat and Adobe Reader, the most severe of which could allow for arbitrary code execution. The vulnerabilities are as follows:

  • Multiple Out-of-Bounds Read vulnerabilities that could allow for Information Disclosure. (CVE-2019-8164, CVE-2019-8168, CVE-2019-8172, CVE-2019-8173, CVE-2019-8064, CVE-2019-8182, CVE-2019-8184, CVE-2019-8185, CVE-2019-8189, CVE-2019-8163, CVE-2019-8190, CVE-2019-8193, CVE-2019-8194, CVE-2019-8198, CVE-2019-8201, CVE-2019-8202, CVE-2019-8204, CVE-2019-8207, CVE-2019-8216, CVE-2019-8218, CVE-2019-8222)
  • Multiple Out-of-Bounds Write vulnerabilities that could allow for Arbitrary Code Execution. (CVE-2019-8171, CVE-2019-8186, CVE-2019-8165, CVE-2019-8191, CVE-2019-8199, CVE-2019-8206)
  • Multiple Use After Free vulnerabilities that could allow for Arbitrary Code Execution. (CVE-2019-8175, CVE-2019-8176, CVE-2019-8177, CVE-2019-8178, CVE-2019-8179, CVE-2019-8180, CVE-2019-8181, CVE-2019-8187, CVE-2019-8188, CVE-2019-8192, CVE-2019-8203, CVE-2019-8208, CVE-2019-8209, CVE-2019-8210, CVE-2019-8211, CVE-2019-8212, CVE-2019-8213, CVE-2019-8214, CVE-2019-8215, CVE-2019-8217, CVE-2019-8219, CVE-2019-8220, CVE-2019-8221, CVE-2019-8223, CVE-2019-8224, CVE-2019-8225)
  • Multiple Heap Overflow vulnerabilities that could allow for Arbitrary Code Execution. (CVE-2019-8170, CVE-2019-8183, CVE-2019-8197)
  • A Buffer Overrun vulnerability that could allow for Arbitrary Code Execution. (CVE-2019-8166)
  • A Cross-site Scripting vulnerability that could allow for Information Disclosure. (CVE-2019-8160)
  • A Race Condition vulnerability that could allow for Arbitrary Code Execution. (CVE-2019-8162)
  • An Incomplete Implementation of Security Mechanism vulnerability that could allow for Information Disclosure. (CVE-2019-8226)
  • Multiple Type Confusion vulnerabilities that could allow for Arbitrary Code Execution. (CVE-2019-8161, CVE-2019-8167, CVE-2019-8169, CVE-2019-8200)
  • Multiple Untrusted Pointer Dereference vulnerabilities that could allow for Arbitrary Code Execution. (CVE-2019-8174, CVE-2019-8195, CVE-2019-8196, CVE-2019-8205)

Successful exploitation of the most severe of these vulnerabilities could result in the attacker gaining control of the affected system. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Install the updates provided by Adobe immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.

REFERENCES:

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8064
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8160
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8161
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8162
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8163
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8164
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8165
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8166
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8167
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8168
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8169
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8170
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8171
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8172
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8173
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8174
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8175
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8176
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8177
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8178
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8179
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8184
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8185
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8186
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8187
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8188
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8189
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8190
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8191
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8192
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8193
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8194
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8197
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8198
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8199
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8200
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8201
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8202
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8203
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8204
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8205
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8206
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8208
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8209
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8210
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8211
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8212
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8213
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8214
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8215
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8216
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8217
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8218
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8219
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8220
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8221
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8222
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8223
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8224
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8225
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8226
