The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added an Adobe Acrobat and Reader vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, tracked as CVE-2023-21608, carries a CVSS (Common Vulnerability Scoring System) score of 7.8, which places it in the high-severity band. The KEV listing itself is not a function of the score: it means CISA has evidence that the flaw is being exploited in the wild.
Exploitation of the Vulnerability
The root cause is a use-after-free bug, a memory corruption flaw in which the program keeps using memory after it has been freed; if an attacker can control what gets allocated in that freed slot, the stale reference becomes a path to arbitrary code execution. In this case, the bug can be turned into code execution with the privileges of the logged-in user. The vector is a malicious document rather than an unauthenticated network attack: the victim has to open a crafted PDF in an affected Acrobat or Reader build, after which the attacker's code runs under that user's account and can be used to gain a foothold, move further into the environment, or exfiltrate data. Adobe fixed the flaw in its January 2023 Acrobat and Reader update. The vulnerability was discovered and reported by HackSys security researchers Ashfaq Ansari and Krishnakant Patil.
Software Versions Affected
The versions of the software impacted by this vulnerability include:
- Acrobat DC: Versions 22.003.20282 (Win), 22.003.20281 (Mac) and earlier, with the patch released in version 22.003.20310.
- Acrobat Reader DC: Versions 22.003.20282 (Win), 22.003.20281 (Mac) and earlier, with the patch released in version 22.003.20310.
- Acrobat 2020: Version 20.005.30418 and earlier, with the patch released in version 20.005.30436.
- Acrobat Reader 2020: Version 20.005.30418 and earlier, with the patch released in version 20.005.30436.
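The practical question behind the version list above is whether a given installed build is below the fixed build for its release track. Comparing version strings lexically is unreliable, and the two tracks (the continuous Acrobat/Reader DC track and the classic Acrobat/Reader 2020 track) have different fixed builds, so the check needs to parse the version and pick the right threshold. The following Python is an added example written for this page, not Adobe's or CISA's code. It assumes the convention that classic-track builds carry 30xxx build numbers while continuous-track builds carry 20xxx (this is how the two tracks are distinguished below), and the inventory lines it runs over are constructed sample data, not real hosts. The Windows and macOS fixed builds are the same (22.003.20310), so the platform does not affect the check.

```python
# Added example: triage Acrobat/Reader version strings against the fixed builds
# for CVE-2023-21608 from Adobe's bulletin. Not Adobe's or CISA's code.
from __future__ import annotations

# Fixed builds per release track, from the affected-versions list:
#   continuous track (Acrobat DC / Acrobat Reader DC): 22.003.20310
#   classic 2020 track (Acrobat 2020 / Acrobat Reader 2020): 20.005.30436
FIXED_BUILDS = {
    "continuous": (22, 3, 20310),
    "classic-2020": (20, 5, 30436),
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '22.003.20282' into (22, 3, 20282) so comparisons are numeric."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Acrobat version string: {version!r}")
    return tuple(int(p) for p in parts)


def release_track(parsed: tuple[int, ...]) -> str | None:
    """Map a parsed version to a track covered by the bulletin, or None.

    Assumption: classic-track builds use 30xxx build numbers, continuous-track
    builds use 20xxx. Classic tracks other than 2020 (e.g. 17.x) are not in
    this bulletin and are returned as None for manual review.
    """
    major, _minor, build = parsed
    if build >= 30000:
        return "classic-2020" if major == 20 else None
    return "continuous"


def is_vulnerable(version: str) -> bool | None:
    """True if below the fixed build for its track, False if patched,
    None if the version is outside what the bulletin covers."""
    parsed = parse_version(version)
    track = release_track(parsed)
    if track is None:
        return None
    # Tuple comparison handles "and earlier" correctly: any continuous-track
    # build before 22.003.20310, including older 20.x/21.x DC builds, is affected.
    return parsed < FIXED_BUILDS[track]


# Constructed sample inventory (hostname,product,version); not real hosts.
SAMPLE_INVENTORY = """\
ws-001,Acrobat Reader DC,22.003.20282
ws-002,Acrobat Reader DC,22.003.20310
ws-003,Acrobat DC,23.001.20093
ws-004,Acrobat 2020,20.005.30418
ws-005,Acrobat Reader 2020,20.005.30436
ws-006,Acrobat 2017,17.011.30207
"""


def triage(inventory: str) -> dict[str, str]:
    """Return {hostname: 'vulnerable' | 'patched' | 'review'} per inventory line."""
    results: dict[str, str] = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _product, version = (field.strip() for field in line.split(","))
        state = is_vulnerable(version)
        if state is None:
            results[host] = "review"
        else:
            results[host] = "vulnerable" if state else "patched"
    return results


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Anything reported as "review" (here the Acrobat 2017 host) is outside the bulletin's scope and should be checked against the vendor's support status rather than assumed safe; on real systems the version strings would come from the installed product metadata (the registry on Windows, the app bundle on macOS) rather than a CSV.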
At the time of writing, the details of the in-the-wild exploitation and the identity of the threat actors behind it have not been made public. A proof-of-concept (PoC) exploit for the flaw was published in late January 2023, shortly after the patch, which lowered the bar for attackers well before the KEV listing. This is the second Adobe Acrobat and Reader flaw to be added to the catalog in recent months, following CVE-2023-26369, an out-of-bounds write that can lead to code execution when a specially crafted PDF is opened and that Adobe patched in September 2023. Under Binding Operational Directive 22-01, Federal Civilian Executive Branch (FCEB) agencies must apply the vendor-supplied patches for CVE-2023-21608 by October 31, 2023. Organizations outside that mandate should treat the deadline as a reasonable benchmark: a patched, publicly documented bug with a working PoC is exactly the kind of flaw that gets weaponized against unpatched endpoints.