
Beware: CISA Warns of Rising Threat from Adobe Acrobat Vulnerability


Exploited Adobe Acrobat Vulnerability Added to CISA Catalog

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has recently added five new security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including an Adobe Acrobat and Reader flaw discovered earlier this year. The vulnerability, identified as CVE-2023-21608, is a use-after-free bug that allows remote code execution with the privileges of the current user. Adobe released patches for this flaw in January, but proof-of-concept exploits and technical write-ups have since been published, creating opportunities for threat actors to launch attacks.

Exploiting the Vulnerabilities

Although there are no reported instances of in-the-wild exploitation of CVE-2023-21608, CISA states that CVEs are only added to the KEV catalog when there is solid evidence of exploitation. CISA has also added CVE-2023-20109, an out-of-bounds write flaw in the Group Encrypted Transport VPN (GET VPN) feature of Cisco IOS and IOS XE, to the KEV catalog. This vulnerability also leads to remote code execution and has been observed as the target of exploitation attempts.

In addition to these two vulnerabilities, CISA has added two zero-days impacting Microsoft applications – Skype for Business (CVE-2023-41763) and WordPad (CVE-2023-36563) – to the KEV catalog. Details of these observed attacks have not been provided by Microsoft or CISA. Lastly, a zero-day in the HTTP/2 protocol, known as HTTP/2 Rapid Reset, has also been added to the catalog. This vulnerability has been exploited in some of the largest distributed denial-of-service (DDoS) attacks to date.

Implications for Organizations

CISA emphasizes that these vulnerabilities are frequently targeted by malicious cyber actors and pose significant risks to organizations, particularly in the federal enterprise. To address these risks, CISA has issued the Binding Operational Directive (BOD) 22-01, which gives federal agencies 21 days to identify vulnerable products within their networks and apply patches and mitigations. While BOD 22-01 only applies to federal agencies, CISA encourages all organizations to review the KEV catalog and prioritize the remediation of these security defects. If patches or mitigations are not available, organizations should consider discontinuing the use of these vulnerable products.

Editorial: Strengthening Cybersecurity

The addition of these vulnerabilities to the KEV catalog highlights the ongoing challenges organizations face in ensuring robust cybersecurity. The fact that proof-of-concept exploits and technical write-ups have been published for the Adobe Acrobat and Reader flaw underscores the need for timely patching and proactive vulnerability management.

It is concerning that the HTTP/2 protocol vulnerability has been exploited in large-scale DDoS attacks. This further emphasizes the importance of organizations implementing strong security measures to prevent their servers and applications from being used as tools for malicious activities. As technology evolves and new vulnerabilities are discovered, it becomes imperative for organizations to stay vigilant, regularly update their security measures, and prioritize cybersecurity within their operations.

Advice for Organizations

Given the seriousness of these vulnerabilities, organizations should take immediate action to secure their systems. To mitigate the risks associated with the Adobe Acrobat and Reader flaw, it is crucial to apply the patches released by Adobe in January. Similarly, for the vulnerabilities impacting Cisco IOS and IOS XE, organizations should ensure that the applicable patches have been installed.

For the zero-day vulnerabilities impacting Microsoft applications, it is important to closely monitor for any updates or security advisories from Microsoft and apply the patches as soon as they are released. Additionally, organizations can consider implementing network security measures to mitigate the risks associated with the HTTP/2 protocol vulnerability.

Conducting regular vulnerability scans and patch management reviews is essential to maintaining a strong cybersecurity posture. Organizations should also consider investing in threat intelligence and security awareness training for employees to enhance their ability to identify and respond to emerging threats. Ultimately, prioritizing cybersecurity is a key aspect of protecting sensitive information, safeguarding operations, and maintaining trust in the digital landscape.
