Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution

DESCRIPTION:
Multiple vulnerabilities have been discovered in Adobe Products, the
most severe of which could allow for arbitrary code execution.

* Acrobat and Reader is a family of application software and Web
services mainly used to create, view, and edit PDF documents.
* Animate is a multimedia authoring computer animation program.
* Experience Manager is a content management solution for building
websites, mobile apps, and forms.
* InCopy is a professional word processor.
* InDesign is an industry-leading layout and page design software for
print and digital media.
* Illustrator is a vector graphics editor and design program.
Successful exploitation of the most severe of these vulnerabilities
could allow for arbitrary code execution. Depending on the privileges
associated with the user an attacker could then install programs; view,
change, or delete data; or create new accounts with full user rights.
Users whose accounts are configured to have fewer user rights on the
system could be less impacted than those who operate with administrative
user rights.

IMPACT:
Multiple vulnerabilities have been discovered in Adobe Acrobat and Reader,
Animate, Experience Manager, InCopy, InDesign, and Illustrator, the most
severe of which could allow for arbitrary code execution. Details of these
vulnerabilities are as follows:

Adobe Acrobat and Reader
* Out-of-bounds read error vulnerability, which could allow for memory
leak. (CVE-2021-28557)
* Out-of-bounds read error vulnerabilities, which could allow for
arbitrary code execution. (CVE-2021-28555, CVE-2021-28565)
* Out-of-bounds write error vulnerabilities, which could allow for
arbitrary code execution. (CVE-2021-28564, CVE-2021-21044,
CVE-2021-21038, CVE-2021-21086)

Adobe Animate
* Use-after-free error vulnerability, which could allow for arbitrary
code execution. (CVE-2021-28578)
* Out-of-bounds write error vulnerability, which could allow for
arbitrary code execution. (CVE-2021-28577)
* Out-of-bounds read error vulnerabilities, which could allow for
information disclosure. (CVE-2021-28572, CVE-2021-28573, CVE-2021-28574,
CVE-2021-28575, CVE-2021-28576)

Adobe Experience Manager
* Improper access control vulnerability, which could allow for
denial-of-service. (CVE-2021-21083)
* Cross-site scripting vulnerability, which could allow for arbitrary
JavaScript execution. (CVE-2021-21084)

Adobe InCopy
* Path traversal vulnerability, which could allow for arbitrary code
execution. (CVE-2021-21090)

Adobe InDesign
* Out-of-bounds write error vulnerabilities, which could allow for
arbitrary code execution. (CVE-2021-21098, CVE-2021-21099, CVE-2021-21043)

Adobe Illustrator
* Out-of-bounds write error vulnerability, which could allow for
arbitrary code execution. (CVE-2021-21101)
* Path traversal vulnerability, which could allow for arbitrary code
execution. (CVE-2021-21102)
* Memory corruption error vulnerabilities, which could allow for
arbitrary code execution. (CVE-2021-21103, CVE-2021-21104, CVE-2021-21105)

SYSTEM AFFECTED:
* Acrobat 2020 and Acrobat Reader 2020 versions prior to 2020.001.30025
* Acrobat 2017 and Acrobat Reader 2017 versions prior to 2017.011.30196
* Adobe Animate versions prior to 21.06
* Adobe Experience Manager versions prior to 6.4.8.4 and 6.5.8.0
* Adobe InCopy versions prior to 16.2.1
* Adobe InDesign versions prior to 16.2.1
* Adobe Illustrator versions prior to 25.2.3
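
The "prior to" thresholds above are per release branch (Acrobat 2017 vs. 2020, Experience Manager 6.4 vs. 6.5), so a naive string compare misclassifies hosts. The following is an added example of a branch-aware affected-version check built from the thresholds on this page; it is not Adobe or MS-ISAC tooling, and the inventory format (`host,product,version`) and sample hosts are constructed assumptions.

```python
# Branch-aware check: does an installed build predate the fixed build for
# its branch? Fixed versions come from the SYSTEM AFFECTED list above.
from typing import Optional

# Branch keys are version prefixes; () matches any version of that product.
# "Prior to 6.4.8.4 and 6.5.8.0" is read as one threshold per AEM branch.
FIXED_VERSIONS = {
    "Acrobat":            {(2020,): "2020.001.30025", (2017,): "2017.011.30196"},
    "Acrobat Reader":     {(2020,): "2020.001.30025", (2017,): "2017.011.30196"},
    "Animate":            {(): "21.06"},
    "Experience Manager": {(6, 4): "6.4.8.4", (6, 5): "6.5.8.0"},
    "InCopy":             {(): "16.2.1"},
    "InDesign":           {(): "16.2.1"},
    "Illustrator":        {(): "25.2.3"},
}

def parse_version(v: str) -> tuple:
    """Numeric tuple; trailing zeros dropped so 6.5.8 == 6.5.8.0."""
    parts = [int(p) for p in v.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def is_affected(product: str, installed: str) -> Optional[bool]:
    """True if still affected, False if at/after the fix, None if the
    product or branch is not covered by this advisory (no verdict)."""
    branches = FIXED_VERSIONS.get(product)
    if branches is None:
        return None
    inst = parse_version(installed)
    matches = [p for p in branches if inst[:len(p)] == p]
    if not matches:
        return None  # e.g. an AEM 6.3 build: not listed, do not guess
    fixed = parse_version(branches[max(matches, key=len)])
    return inst < fixed

def scan_inventory(lines):
    """Constructed inventory lines 'host,product,version'; returns the
    entries that still need the Adobe update."""
    needs_update = []
    for line in lines:
        host, product, version = (x.strip() for x in line.split(",", 2))
        if is_affected(product, version):
            needs_update.append((host, product, version))
    return needs_update

SAMPLE_INVENTORY = [  # constructed sample hosts, not real data
    "ws01,Acrobat Reader,2020.001.30020",  # 2020 track, below fix
    "ws02,Acrobat,2017.011.30196",         # exactly the fixed build
    "ws03,Experience Manager,6.4.8.3",     # 6.4 branch, below 6.4.8.4
    "ws04,Experience Manager,6.5.8",       # same as 6.5.8.0
    "ws05,Animate,21.05",
    "ws06,Illustrator,25.2.3",
]
```

Entries that return `None` should be triaged by hand rather than treated as patched.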

RECOMMENDATIONS:
We recommend the following actions be taken:

* Install the updates provided by Adobe immediately after appropriate
testing.
* Run all software as a non-privileged user (one without administrative
privileges) to diminish the effects of a successful attack.
* Remind users not to visit untrusted websites or follow links provided
by unknown or untrusted sources.
* Inform and educate users regarding the threats posed by hypertext
links contained in emails or attachments, especially from untrusted sources.
* Apply the Principle of Least Privilege to all systems and services.

REFERENCES:
https://helpx.adobe.com/security.html
https://helpx.adobe.com/security/products/acrobat/apsb21-29.html
https://helpx.adobe.com/security/products/animate/apsb21-35.html
https://helpx.adobe.com/security/products/experience-manager/apsb21-15.html
https://helpx.adobe.com/security/products/incopy/apsb21-25.html
https://helpx.adobe.com/security/products/indesign/apsb21-22.html
https://helpx.adobe.com/security/products/illustrator/apsb21-24.html