Vulnerabilities in Adobe Products Allow Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Adobe Products, the most severe of which could allow for arbitrary code execution.

• Photoshop is Adobe’s flagship image editing software.
• Acrobat is a family of application software and Web services mainly used to create, view and edit PDF documents.
• Illustrator is a vector graphics editor and design program.
• Animate is a multimedia authoring and computer animation program.
• Dreamweaver is used to develop and design websites.
• Magento is a leading provider of cloud commerce innovation to merchants and brands across B2C and B2B industries.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

March 18  – UPDATED OVERVIEW:

Three additional vulnerabilities have been discovered affecting Adobe Acrobat and Reader with the most severe of these vulnerabilities allowing for arbitrary code execution.

THREAT INTELLIGENCE:

There are currently reports that CVE-2021-21017 has been exploited in the wild in limited attacks targeting Adobe Reader users on Windows.

SYSTEMS AFFECTED:

• Adobe Photoshop 2020 versions prior to 21.2.5
• Adobe Photoshop 2021 versions prior to 22.2
• Adobe Dreamweaver versions prior to 20.2.1 and 21.1
• Acrobat DC and Reader DC versions prior to 2021.001.20135
• Acrobat 2020 and Acrobat Reader 2020 versions prior to 2020.001.30020
• Acrobat 2017 and Acrobat Reader 2017 versions prior to 2017.011.30190
• Adobe Animate versions prior to 21.0.3
• Adobe Illustrator versions prior to 25.2
• Magento Commerce and Open Source versions prior to 2.4.2
• Magento Commerce and Open Source versions prior to 2.4.1-p1
• Magento Commerce and Open Source versions prior to 2.3.6-p1

RISK:

Government:

• Large and medium government entities: High
• Small government entities: Medium

Businesses:

• Large and medium business entities: High
• Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Photoshop, Dreamweaver, Animate, Illustrator, Magento and Acrobat, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

Adobe Photoshop

• Out-of-bounds read errors, which could allow for arbitrary code execution. (CVE-2021-21049, CVE-2021-21050)
• Out-of-bounds write error, which could allow for arbitrary code execution. (CVE-2021-21047)
• Buffer overflow vulnerabilities, which could allow for arbitrary code execution. (CVE-2021-21048, CVE-2021-21051)

Adobe Acrobat and Reader

• Buffer overflow vulnerabilities, which could allow for arbitrary code execution and denial-of-service. (CVE-2021-21046, CVE-2021-21058, CVE-2021-21059, CVE-2021-21062, CVE-2021-21063)
• Heap-based buffer overflow vulnerability, which could allow for arbitrary code execution. (CVE-2021-21017)
• Path traversal vulnerability, which could allow for arbitrary code execution. (CVE-2021-21037)
• Integer overflow vulnerability, which could allow for arbitrary code execution. (CVE-201-21036)
• Improper access control vulnerability, which could allow privilege escalation. (CVE-2021-21045)
• Out-of-bounds read errors, which could allow for privilege escalation. (CVE-2021-21042, CVE-2021-21034)
• Use-after-free vulnerabilities, which could allow for arbitrary code execution and information disclosure. (CVE-2021-21061, CVE-2021-21041, CVE-2021-21040, CVE-2021-21039, CVE-2021-21035, CVE-2021-21033, CVE-2021-21028, CVE-2021-21021)
• Out-of-bounds write errors, which could allow for arbitrary code execution. (CVE-2021-21044, CVE-2021-21038)
• NULL pointer dereference vulnerability, which could allow for information disclosure. (CVE-2021-21057)
• Improper input validation, which could allow for information disclosure. (CVE-2021-21060)

Adobe Dreamweaver

• Uncontrolled search path error, which could allow for information disclosure. (CVE-2021-21055)

Adobe Animate

• Out-of-bounds read error, which could allow for arbitrary code execution. (CVE-2021-21052)

Adobe Illustrator

• Out-of-bounds write errors, which could allow for arbitrary code execution. (CVE-2021-21053, CVE-2021-21054)

Magento

• Insecure direct object reference (IDOR) vulnerabilities, which could allow for unauthorized access to restricted resources. (CVE-2021-21012, CVE-2021-21013, CVE-2021-21022)
• File upload allow list bypass vulnerability, which could allow for arbitrary code execution. (CVE-2021-21014)
• Security bypass vulnerabilities, which could allow for arbitrary code execution. (CVE-2021-21015, CVE-2021-21016, CVE-2021-21025)
• Command injection vulnerability, which could allow for arbitrary code execution. (CVE-2021-21018)
• XML injection vulnerability, which could allow for arbitrary code execution. (CVE-2021-21019)
• Access control bypass vulnerability, which could allow for unauthorized access to restricted resources. (CVE-2021-21020)
• Stored XXS vulnerabilities, which could allow for arbitrary JavaScript execution in the browser. (CVE-2021-21023, CVE-2021-21030)
• Blind SQL injection vulnerability, which could allow for unauthorized access to restricted resources. (CVE-2021-21024)
• Improper authorization vulnerability, which could allow for unauthorized access to restricted resources. (CVE-2021-21026)
• CSRF vulnerability, which could allow for unauthorized modification of customer metadata. (CVE-2021-21027)
• Reflected XXS vulnerability, which could allow for arbitrary JavaScript execution in the browser. (CVE-2021-21029)
• Insufficient invalidation of user session vulnerabilities, which could allow for unauthorized access to restricted resources. (CVE-2021-21031, CVE-2021-21032)

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

March 18  – UPDATED TECHNICAL SUMMARY:

Adobe Acrobat and Reader

• Out-of-bounds write errors, which could allow for arbitrary code execution. (CVE-2021-21086)
• Use-after-free vulnerabilities, which could allow for arbitrary code execution. (CVE-2021-21088)
• Out-of-bounds read errors, which could allow for privilege escalation. (CVE-2021-21089)

RECOMMENDATIONS:

We recommend the following actions be taken:

• Install the updates provided by Adobe immediately after appropriate testing.
• Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
• Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
• Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.
• Apply the Principle of Least Privilege to all systems and services.

REFERENCES:

Adobe:

https://helpx.adobe.com/security/products/dreamweaver/apsb21-13.html

https://helpx.adobe.com/security/products/illustrator/apsb21-12.html

https://helpx.adobe.com/security/products/animate/apsb21-11.html

https://helpx.adobe.com/security/products/photoshop/apsb21-10.html

https://helpx.adobe.com/security/products/magento/apsb21-08.html

https://helpx.adobe.com/security/products/acrobat/apsb21-09.html

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21012

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21013

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21014

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21015

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21016

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21018

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21019

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21020

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21021

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21022

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21023

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21024

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21025

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21026

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21027

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21028

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21029

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21030

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21031

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21032

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21033

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21034

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21035

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21036

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21037

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21038

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21039

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21040

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21041

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21042

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21044

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21045

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21046

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21047

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21048

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21049

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21050

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21051

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21052

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21053

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21054

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21055

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21057

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21058

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21059

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21060

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21061

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21062

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21063

March 18  – UPDATED REFERENCES:

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21086

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21088

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21089