Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution

MS-ISAC ADVISORY NUMBER:

2021-025

DATE(S) ISSUED:

02/10/2021

OVERVIEW:

Multiple vulnerabilities have been discovered in Adobe Products, the most severe of which could allow for arbitrary code execution.

  • Photoshop is Adobe’s flagship image editing software.
  • Acrobat is a family of application software and Web services mainly used to create, view and edit PDF documents.
  • Illustrator is a vector graphics editor and design program.
  • Animate is a multimedia authoring and computer animation program.
  • Dreamweaver is used to develop and design websites.
  • Magento is a leading provider of cloud commerce innovation to merchants and brands across B2C and B2B industries.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:

There are currently reports that CVE-2021-21017 has been exploited in the wild in limited attacks targeting Adobe Reader users on Windows.

SYSTEMS AFFECTED:

  • Adobe Photoshop 2020 versions prior to 21.2.5
  • Adobe Photoshop 2021 versions prior to 22.2
  • Adobe Dreamweaver versions prior to 20.2.1 and 21.1
  • Acrobat DC and Reader DC versions prior to 2021.001.20135
  • Acrobat 2020 and Acrobat Reader 2020 versions prior to 2020.001.30020
  • Acrobat 2017 and Acrobat Reader 2017 versions prior to 2017.011.30190
  • Adobe Animate versions prior to 21.0.3
  • Adobe Illustrator versions prior to 25.2
  • Magento Commerce and Open Source versions prior to 2.4.2
  • Magento Commerce and Open Source versions prior to 2.4.1-p1
  • Magento Commerce and Open Source versions prior to 2.3.6-p1

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users:
MEDIUM

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Photoshop, Dreamweaver, Animate, Illustrator, Magento and Acrobat, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:
Adobe Photoshop 21.2.5

  • Out-of-bounds read errors, which could allow for arbitrary code execution. (CVE-2021-21049, CVE-2021-21050)
  • Out-of-bounds write error, which could allow for arbitrary code execution. (CVE-2021-21047)
  • Buffer overflow vulnerabilities, which could allow for arbitrary code execution. (CVE-2021-21048, CVE-2021-21051)

Adobe Acrobat and Reader

  • Buffer overflow vulnerabilities, which could allow for arbitrary code execution and denial-of-service. (CVE-2021-21046, CVE-2021-21058, CVE-2021-21059, CVE-2021-21062, CVE-2021-21063)
  • Heap-based buffer overflow vulnerability, which could allow for arbitrary code execution. (CVE-2021-21017)
  • Path traversal vulnerability, which could allow for arbitrary code execution. (CVE-2021-21037)
  • Integer overflow vulnerability, which could allow for arbitrary code execution. (CVE-201-21036)
  • Improper access control vulnerability, which could allow privilege escalation. (CVE-2021-21045)
  • Out-of-bounds read errors, which could allow for privilege escalation. (CVE-2021-21042, CVE-2021-21034)
  • Use-after-free vulnerabilities, which could allow for arbitrary code execution and information disclosure. (CVE-2021-21061, CVE-2021-21041, CVE-2021-21040, CVE-2021-21039, CVE-2021-21035, CVE-2021-21033, CVE-2021-21028, CVE-2021-21021)
  • Out-of-bounds write errors, which could allow for arbitrary code execution. (CVE-2021-21044, CVE-2021-21038)
  • NULL pointer dereference vulnerability, which could allow for information disclosure. (CVE-2021-21057)
  • Improper input validation, which could allow for information disclosure. (CVE-2021-21060)

Adobe Dreamweaver 20.2.1

  • Uncontrolled search path error, which could allow for information disclosure. (CVE-2021-21055)

Adobe Animate 21.0.3

  • Out-of-bounds read error, which could allow for arbitrary code execution. (CVE-2021-21052)

Adobe Illustrator 25.2

  • Out-of-bounds write errors, which could allow for arbitrary code execution. (CVE-2021-21053, CVE-2021-21054)

Magento

  • Insecure direct object reference (IDOR) vulnerabilities, which could allow for unauthorized access to restricted resources. (CVE-2021-21012, CVE-2021-21013, CVE-2021-21022)
  • File upload allow list bypass vulnerability, which could allow for arbitrary code execution. (CVE-2021-21014)
  • Security bypass vulnerabilities, which could allow for arbitrary code execution. (CVE-2021-21015, CVE-2021-21016, CVE-2021-21025)
  • Command injection vulnerability, which could allow for arbitrary code execution. (CVE-2021-21018)
  • XML injection vulnerability, which could allow for arbitrary code execution. (CVE-2021-21019)
  • Access control bypass vulnerability, which could allow for unauthorized access to restricted resources. (CVE-2021-21020)
  • Stored XXS vulnerabilities, which could allow for arbitrary JavaScript execution in the browser. (CVE-2021-21023, CVE-2021-21030)
  • Blind SQL injection vulnerability, which could allow for unauthorized access to restricted resources. (CVE-2021-21024)
  • Improper authorization vulnerability, which could allow for unauthorized access to restricted resources. (CVE-2021-21026)
  • CSRF vulnerability, which could allow for unauthorized modification of customer metadata. (CVE-2021-21027)
  • Reflected XXS vulnerability, which could allow for arbitrary JavaScript execution in the browser. (CVE-2021-21029)
  • Insufficient invalidation of user session vulnerabilities, which could allow for unauthorized access to restricted resources. (CVE-2021-21031, CVE-2021-21032)

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Install the updates provided by Adobe immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.
  • Apply the Principle of Least Privilege to all systems and services.

REFERENCES:

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21055 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21053 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21054 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21052 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21049 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21050 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21048 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21051 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21047 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21012 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21013 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21014 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21015 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21016 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21018 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21019 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21020 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21022 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21023 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21024 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21025 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21026 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21027 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21029 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21030 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21031 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21032

Get Email Updates When Cyber Threats Like This Arise

Arrow Subscribe to Advisories

Related Resources



Arrow CIS Control 3: Continuous Vulnerability Assessment and Remediation

Information Hub : Advisories


CONTROL: 1 --- ADVISORY CONTROL: 0
CONTROL: 2 --- ADVISORY CONTROL: 0
CONTROL: 3 --- ADVISORY CONTROL: 0
CONTROL: 4 --- ADVISORY CONTROL: 0