PDF24 Creator versions 11.15.1 and below suffer from a local privilege escalation vulnerability via the MSI installer.

SEC Consult Vulnerability Lab Security Advisory < 20231211-0 >  
=======================================================================  
               title: Local Privilege Escalation via MSI installer  
             product: PDF24 Creator (geek Software GmbH)  
  vulnerable version: <=11.15.1  
       fixed version: 11.15.2  
          CVE number: CVE-2023-49147  
              impact: High  
            homepage: https://tools.pdf24.org/en/creator/  
               found: 2023-10-16  
                  by: Lukas Donaubauer (Office Munich)  
                      Mario Keck (Office Munich)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"pdf24.org is a project of geek software GmbH, a German company based in Berlin,  
that was founded in 2006. PDF24 offers free and easy to use PDF solutions for  
many PDF problems, online and as software for download. Solutions include the  
well-known PDF24 Creator and PDF24 Online Tools."

Source: https://www.pdf24.org/en/about-us

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the product  
conducted by security professionals to identify and resolve potential further  
security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Local Privilege Escalation via MSI installer (CVE-2023-49147)  
The configuration of the PDF24 Creator MSI installer file was found to  
produce a visible cmd.exe window running as the SYSTEM user when using  
the repair function of msiexec.exe. This allows a local attacker to use  
a chain of actions, to open a fully functional cmd.exe with the privileges  
of the SYSTEM user.

Note: This attack does not work using a recent version of the Edge Browser or  
Internet Explorer. A different browser, such as Chrome or Firefox, needs to be  
used. Also make sure, that Edge or IE have not been set to the default browser.

Proof of concept:  
-----------------  
1) Local Privilege Escalation via MSI installer (CVE-2023-49147)  
For the exploit to work, the PDF24 Creator has to be installed via the MSI file.  
Afterwards, any low-privileged user can run the following command to start the  
repair of PDF24 Creator and trigger the vulnerable actions without a UAC popup:

msiexec.exe /fa <PATH TO INSTALLERFILE>\pdf24-creator-11.14.0-x64.msi

At the very end of the repair process, the sub-process pdf24-PrinterInstall.exe gets  
called with SYSTEM privileges and performs a write action on the file  
"C:\Program Files\PDF24\faxPrnInst.log". This can be used by an attacker by simply  
setting an oplock on the file as soon as it gets read. To do that, one can use the  
'SetOpLock.exe' tool from "https://github.com/googleprojectzero/symboliclink-testing-tools"  
with the following parameters:

SetOpLock.exe "C:\Program Files\PDF24\faxPrnInst.log" r

If the oplock is set, the cmd window that gets opened when pdf24-PrinterInstall.exe  
is executed doesn't close. The attacker can then perform the following actions to  
spawn a SYSTEM shell:  
- right click on the top bar of the cmd window  
- click on properties  
- under options click on the "Legacyconsolemode" link  
- open the link with a browser other than internet explorer or edge (both don't open as SYSTEM when on Win11)  
- in the opened browser window press the key combination CTRL+o  
- type cmd.exe in the top bar and press Enter

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested which was the latest version available  
at the time of the test:  
* 11.14.0 (pdf24-creator-11.14.0-x64.msi)  
* 11.15.1 (pdf24-creator-11.15.1-x64.msi)

A new version was released during our contact attempts (v11.15.1) which is  
also affected by the vulnerability.

The tests were conducted on an up to date Windows 10 system.

Vendor contact timeline:  
------------------------  
2023-10-20: Contacting vendor through team@pdf24.org; no response.  
2023-11-14: Contacting vendor again through team@pdf24.org and stefan@pdf24.org  
             No response.  
2023-11-17: Requesting CVE number  
2023-11-23: Received CVE number  
2023-11-27: Sending vendor CVE number and setting preliminary deadline for  
             advisory release (11th December)  
2023-11-27: Identified that latest version 11.15.1 is also vulnerable.  
2023-11-28: Vendor response, seems our emails ended up in spam.  
             Sending advisory unencrypted upon vendor request.  
2023-12-04: Asking for a status update. Further questions from vendor.  
             Providing more details, clarification regarding Windows 11, browser  
             usage and recommendation for fix.  
2023-12-08: Vendor releases fixed version 11.15.2.  
2023-12-11: Coordinated release of advisory.

Solution:  
---------  
The vendor provides a patched version 11.15.2 which can be downloaded from the  
vendor's website:

https://tools.pdf24.org/en/creator

Also check out the changelog from the vendor for further information:  
https://creator.pdf24.org/changelog/en.html

Workaround:  
-----------  
Use the available EXE installer.

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF L. Donaubauer, M. Keck / @2023

PDF24 Creator 11.15.1 Local Privilege Escalation

One Identity Password Manager versions prior to 5.13.1 suffer from a kiosk escape privilege escalation vulnerability.

SEC Consult Vulnerability Lab Security Advisory < 20231206-0 >  
=======================================================================  
               title: Kiosk Escape Privilege Escalation  
             product: One Identity Password Manager Secure Password Extension  
  vulnerable version: <5.13.1  
       fixed version: 5.13.1  
          CVE number: CVE-2023-48654  
              impact: critical  
            homepage: https://www.oneidentity.com/products/password-manager/  
               found: 2023-10-09  
                  by: Stefan Schweighofer (Office Vienna)  
                      Constantin Schieber-Knöbl (Office Vienna)  
                      Armin Weihbold (Office Linz)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"One Identity delivers solutions that help customers strengthen operational  
efficiency, reduce risk surface, control costs and enhance their  
cybersecurity. Our Unified Identity Platform brings together best-in-class  
software to enable organizations to shift from a fragmented identity strategy  
to a holistic approach."

Source: https://www.oneidentity.com/company/

Business recommendation:  
------------------------  
The vendor provides a patch version 5.13.1 which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the  
product conducted by security professionals to identify and resolve potential  
further security issues.

Vulnerability overview/description:  
-----------------------------------  
The Password Manager Application by One Identity enables users to reset  
their Active Directory passwords on the login screen of a Windows client, with  
the Secure Password Extension. The Secure Password Manager Extension launches a  
Chromium based browser in Kiosk mode to provide the reset functionality.

Due to application-specific functionalities the Password Manager Extension  
suffers from two exploitable Kiosk Escape vulnerabilities which allow a local,  
pre-authenticated attacker to escalate the privileges to SYSTEM.

1) Password Manager Kiosk Escape with Google ReCAPTCHA (CVE-2023-48654)  
The Password Manager Extension uses Google ReCAPTCHA, which enables an  
attacker to escape the Kiosk Mode of the browser and gain  
"nt authority\system" permissions on the login screen of the targeted machine.  
This is possible due to the fact that Google ReCAPTCHA links to external  
websites, which open in a new browser window and enable an attacker to  
navigate to other external websites.

2) Password Manager Kiosk Escape after Session Timeout  
The Password Manager application provides a link to a help page of  
One Identity. This link references an external site and is therefore hidden  
in the Kiosk Mode browser of the Password Manager Extension. If the Password  
Manager Extension website is loaded after an active session expires the  
link to the external One Identity websites gets shown. This enables an  
attacker to escape the Kiosk Mode of the browser and gain  
"nt authority\system" permissions on the login screen of the targeted machine.

Proof of concept:  
-----------------  
1) Password Manager Kiosk Escape with Google ReCAPTCHA (CVE-2023-48654)  
An attacker requires access to a locked machine, where the Password Manger  
Extension is installed, either via physical (pre-auth) or remote (RDP) access.  
 From the login screen the Password Manger Extension Kiosk mode browser can  
be launched.

Since Google ReCAPTCHA is used on the Password Manger website the Google  
ReCAPTCHA icon is also shown on the website and provides a link to an  
external website via the "Privacy" button of the Google ReCAPTCHA field.

2) Password Manager Kiosk Escape after Session Timeout  
An attacker requires access to a username to login to either the Password Manager  
website or a logged in user, which leaves the session open until the session  
expires. Since the Password Manager uses Active Directory credentials, the  
username from the Windows login screen can be used to log into the website.  
For this attack the session of a logged-in user has to expire.

After the session expiration the Password Manager website gets reloaded and displays  
a help icon that is usually hidden. The help icon links to the external  
One Identity website., from witch it is possible to navigate to the Google Search  
website using the Sign In option of the One Identity website. The Sign In page  
has the option to login with a Facebook account and information about cookies  
is displayed on this page, which links to a Google Chrome website.

For both vulnerability 1 and 2, an attacker can use the Google Search website and  
trigger the "search by image" feature. This "search by image" feature can be used  
to trigger an upload, which then opens a file explorer window for file selection.

The file explorer window makes it possible to input "cmd" in the path field  
of the file explorer to open a command prompt. The created command prompt  
is executed with highest "nt authority\system" permissions.

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested which was the latest version available  
at the time of the test:  
* 5.13

It is assumed that all previous versions are affected as well.

Vendor contact timeline:  
------------------------  
2023-11-06: Contacting vendor through vendor security contact form  
             https://support.oneidentity.com/de-de/essentials/reporting-security-vulnerability  
2023-11-07: Vendor is able to reproduce both escapes, internal discussion with  
             product team needed.  
2023-11-14: Vendor notifies us that the product team fixed the vulnerabilities  
             and will release an update soon. Asking for CVE numbers.  
2023-11-15: Vendor will not assign CVE numbers, we are going to request them.  
             Patch release scheduled for 17th or the week after.  
2023-11-17: Receiving one CVE number from MITRE, asking about the second one;  
             No response.  
2023-11-20: Asking for status update as no patch was released on 17th.  
2023-11-21: Patch was postponed to 1st December, setting our release date to  
             6th December.  
2023-12-01: Vendor releases fixed version v5.13.1.  
2023-12-06: Coordinated release of security advisory.

Solution:  
---------  
The vendor provides a patch which can be downloaded from  
https://support.oneidentity.com/password-manager/5.13.1

The release notes of the vendor can be found here:  
https://support.oneidentity.com/technical-documents/password-manager/5.13.1/release-notes/

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF S. Schweighofer, C. Schieber-Knöbl, A. Weihbold / @2023

One Identity Password Manager Kiosk Escape Privilege Escalation

Anveo Mobile application version 10.0.0.359 and server version 11.0.0.5 suffer from missing certificate validation and user enumeration vulnerabilities.

SEC Consult Vulnerability Lab Security Advisory < 20231128-0 >  
=======================================================================  
               title: Missing Certificate Validation & User Enumeration  
             product: Anveo Mobile App and Server  
  vulnerable version: Mobile App: 10.0.0.359 / 2016-07-13; Server: 11.0.0.5  
       fixed version: -  
          CVE number: -  
              impact: Medium  
            homepage: https://www.anveogroup.com/en/mobile-apps-for-dynamics/  
               found: 2023-05-28  
                  by: Daniel Hirschberger (Office Bochum)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Create your own individual Mobile App with Anveo. Our base, out of the box  
solutions offer many useful functions, and can be flexibly adapted to your  
requirements: the Anveo Service App, Anveo Sales App, and Anveo Delivery App.  
You are looking for a mobile App for a different scenario? Not a problem with  
the Anveo Mobile App Builder! Thanks to the toolkit character of the solution,  
configuration of a completely new, custom App is simple."

Source: https://www.anveogroup.com/en/mobile-apps-for-dynamics/

Business recommendation:  
------------------------  
The vendor was unresponsive and did not reply to our communication attempts and even  
deleted our comment to request a contact on LinkedIn, see the timeline section further  
below.

There is no solution known to us for this security issue. In case you are a customer  
of Anveo, request an update from them about the issue.

Furthermore, an in-depth security analysis performed by security professionals is  
highly advised, as the software may be affected from other security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Missing Certificate Validation  
The Windows application was tested which does not perform certificate validation  
and is therefore vulnerable to man-in-the-middle attacks which might allow an  
attacker to gain access to sensitive data.

2) User Enumeration  
The login is vulnerable to user enumeration because the error message for a  
non-existent user differs from the error message when a user exists. This allows  
an attacker to perform targeted brute-force attacks and potentially take over  
other user accounts.

Proof of concept:  
-----------------  
1) Missing Certificate Validation  
The application does not validate the server certificate. To verify this,  
a new self-signed certificate was created with the openssl commandline tool.

Afterwards, an openssl server was spawned with netcat:

[ POC removed]

When adding a new account in the application with the IP and port of this server,  
a connection is attempted. Now a special string has to be sent from the netcat  
listener to the client.

As a response, the client tries to authenticate against the server with the  
username and password:

<img certificate_validation.png>

The part between <EOS> and <EOSC> can be base64-decoded and decompressed with  
zlib which yields the following output:

[ POC removed ]

The "PW" Parameter contains the base64-encoded password, in this case "unknown".

2) User Enumeration  
When a non-existent user tries to login, the error message shows "Cannot find  
user":

<img user_nonexistent.png>

When a valid username but a wrong password is submitted, the server responds  
with "Username or password is not correct":

<img user_exists.png>

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested:  
* Application version 10.0.0.359 / 2016-07-13 (the Windows version was tested)

The vendor did not respond to our communication attempts, hence it is unknown whether  
further versions are affected as well.

Vendor contact timeline:  
------------------------  
2023-06-12: Contacting vendor through email info@AnveoGroup.com  
             Asking for security contact, no response  
2023-06-26: Contacting vendor through same email again, no response.  
2023-07-24: Contacting vendor through technical support email support@AnveoGroup.com  
             Asking for security contact again, no response.  
2023-09-15: Contacting vendor again through info@AnveoGroup.com, support@AnveoGroup.com  
             and datenschutz@AnveoGroup.com. Ticket got automatically created, but no  
             response.  
2023-09-19: Posted a message/comment on LinkedIn at Anveo Group to contact us. Besides a  
             few profile views from employees (Team Lead Anveo Mobile App, Social Media  
             Marketing, CEO) no response.  
             Our comment then got deleted by Anveo Group.  
             Comment:  
             "Hi Anveo Group, we have been trying to reach your company since June through  
             our responsible disclosure process as we have identified some security  
             issues in your products. We never received any response via multiple email  
             addresses (found on your website). Could you please get in touch with us and  
             provide us with a person responsible for security? Thank you!"  
2023-09-20: Contacting third party whether they received a patch; no response.  
2023-10-09: Contacting again; no response.  
2023-10-23: Contacting again; no response.  
2023-11-17: Final attempt, asked third party for info again, tried to contact  
             "support@anveogroup.com" through ticket again. No response from vendor, but  
             third party replied, that they also did not receive any response from Anveo.  
2023-11-28: Public release of security advisory.

Solution:  
---------  
The vendor was unresponsive and did not reply to our communication attempts and even  
deleted our comment to request a contact on LinkedIn, see the timeline section.

There is no solution known to us for this security issue. In case you are a customer  
of Anveo, request an update from them about the issue.

Furthermore, an in-depth security analysis performed by security professionals is  
highly advised, as the software may be affected from other security issues.

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Daniel Hirschberger / @2023

Anveo Mobile User Enumeration / Missing Certificate Validation

Adobe After Effects versions 24.0.3 (and earlier) and 23.6.0 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security Updates Available for Adobe After Effects | APSB23-75

Bulletin ID

Date Published

Priority

ASPB23-75  

December 12, 2023    

3

**Summary**

Adobe has released an update for Adobe After Effects for Windows and macOS.  This update addresses  critical and moderate security vulnerabilities.  Successful exploitation could lead to arbitrary code execution and memory leak in the context of the current user.         

**Affected Versions**

**Product**

**Version**

**Platform**

Adobe After Effects

24.0.3 and earlier versions     

Windows and macOS

Adobe After Effects  

23.6.0 and earlier versions       

Windows and macOS  

**Solution**

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version via the Creative Cloud desktop app’s update mechanism.  For more information, please reference this help page.

Product

Version

Platform

Priority Rating

Availability

Adobe After Effects

24.1  

Windows and macOS

3

Download Center

Adobe After Effects  

23.6.2

Windows and macOS

3

Download Center  

For managed environments, IT administrators can use the Admin Console to deploy Creative Cloud applications to end users. Refer to this help page for more information.

**Vulnerability Details**

Vulnerability Category

Vulnerability Impact

Severity

**CVSS base score**   

**CVSS vector**  

CVE Numbers

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-48632  

Use After Free (CWE-416)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-48633  

Improper Input Validation (CWE-20)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-48634  

Out-of-bounds Read (CWE-125)  

Memory leak

Moderate

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N  

CVE-2023-48635  

**Acknowledgements**

Adobe would like to thank the following for reporting the relevant issues and for working with Adobe to help protect our customers:

*   Mat Powell of Trend Micro Zero Day Initiative  - CVE-2023-48632, CVE-2023-48633, CVE-2023-48634, CVE-2023-48635  
    

NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

CVE-2023-48632: Adobe Security Bulletin

Adobe Substance 3D Stager versions 2.1.1 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security updates available for Substance 3D Stager | APSB23-73

Bulletin ID

Date Published

Priority

APSB23-73

December 12, 2023

3

**Summary**

Adobe has released an update for Adobe Substance 3D Stager.  This update addresses important vulnerabilities in Adobe Substance 3D Stager. Successful exploitation could lead to memory leak in the context of the current user.    

**Affected Versions**

**Product**

**Version**

**Platform**

Adobe Substance 3D Stager  

2.1.1 and earlier versions   

Windows and macOS   

**Solution**

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version via the Creative Cloud desktop app's update mechanism.  For more information, please reference this help page.     

Product

Version

Platform

Priority

Availability

Adobe Substance 3D Stager  

2.1.3

Windows and macOS   

3

Download Center       

For managed environments, IT administrators can use the Admin Console to deploy Creative Cloud applications to end users. Refer to this help page for more information.  

**Vulnerability Details**

Vulnerability Category

Vulnerability Impact

Severity

**CVSS base score**   

**CVSS vector**  

CVE Numbers

Out-of-bounds Read (CWE-125)  

Memory leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2023-47080  

Out-of-bounds Read (CWE-125)  

Memory leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2023-47081  

**Acknowledgments:**

Adobe would like to thank the following for reporting these issues and for working with Adobe to help protect our customers: 

*   anonymous - CVE-2023-47080, CVE-2023-47081

NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com

CVE-2023-47080: Adobe Security Bulletin

StringEqual in TiXmlDeclaration::Parse in tinyxmlparser.cpp in TinyXML through 2.6.2 has a reachable assertion (and application exit) via a crafted XML document with a '\0' located after whitespace.

CVE-2023-34194: TinyXML / Git

Adobe Dimension versions 3.4.10 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security updates available for Dimension | APSB23-71

Bulletin ID

Date Published

Priority

APSB23-71

December 12, 2023

3

**Summary**

Adobe has released an update for Adobe Dimension. This update addresses important and moderate vulnerabilities in Adobe Dimension.  Successful exploitation could lead to memory leak in the context of the current user.      

**Affected Versions**

**Product**

**Version**

**Platform**

Adobe Dimension  

3.4.10 and earlier versions   

Windows and macOS   

**Solution**

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version via the Creative Cloud desktop app's update mechanism.  For more information, please reference this help page.     

Product

Version

Platform

Priority

Availability

Adobe Dimension  

3.4.11

Windows and macOS   

3

Download Center       

For managed environments, IT administrators can use the Admin Console to deploy Creative Cloud applications to end users. Refer to this help page for more information.  

**Vulnerability Details**

Vulnerability Category

Vulnerability Impact

Severity

**CVSS base score**   

CVSS vector  

CVE number(s)  

Out-of-bounds Read (CWE-125)  

Memory leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2023-47078  

Out-of-bounds Read (CWE-125)  

Memory leak

Moderate

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N  

CVE-2023-47079  

Out-of-bounds Read (CWE-125)  

Memory leak

Moderate

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N  

CVE-2023-47061  

Out-of-bounds Read (CWE-125)  

Memory leak

Moderate

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N  

CVE-2023-47062  

**Acknowledgments:**

Adobe would like to thank the following researchers for reporting these issues and working with Adobe to help protect our customers:

*   Mat Powell of Trend Micro Zero Day Initiative - CVE-2023-47078, CVE-2023-47079, CVE-2023-47061, CVE-2023-47062  
    

NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com

CVE-2023-47079: Adobe Security Bulletin

Adobe Prelude versions 22.6 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security Updates Available for Adobe Prelude | APSB23-67

Bulletin ID

Date Published

Priority

APSB23-67  

 December 12, 2023    

3

**Summary**

Adobe has released an update for Adobe Prelude for Windows and macOS. This update addressed a moderate vulnerability.  Successful exploitation could lead to memory leak.  

**Affected Versions**

**Product**

**Version**

**Platform**

Adobe Prelude 

22.6  and earlier versions       

Windows

**Solution**

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version via the Creative Cloud desktop app’s update mechanism.  For more information, please reference this help page.

Product

Version

Platform

Priority Rating

Availability

Adobe Prelude 

22.6.1

Windows and macOS

3

Download Center

For managed environments, IT administrators can use the Admin Console to deploy Creative Cloud applications to end users. Refer to this help page for more information.

**Vulnerability Details**

Vulnerability Category

Vulnerability Impact

Severity

**CVSS base score**    

**CVSS vector**   

CVE Numbers

Access of Uninitialized Pointer (CWE-824)  

Memory leak

Moderate

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE-2023-44362  

**Acknowledgments**

Adobe would like to thank the following researcher for reporting this issue and for working with Adobe to help protect our customers:    

*   Mat Powell of Trend Micro Zero Day Initiative - CVE-2023-44362  
    

NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com

CVE-2023-44362: Adobe Security Bulletin

Malware analysis encompasses a broad range of activities, including examining the malware's network traffic. To be effective at it, it's crucial to understand the common challenges and how to overcome them. Here are three prevalent issues you may encounter and the tools you'll need to address them.
Decrypting HTTPS traffic
Hypertext Transfer Protocol Secure (HTTPS), the protocol for secure

Malware analysis encompasses a broad range of activities, including examining the malware's network traffic. To be effective at it, it's crucial to understand the common challenges and how to overcome them. Here are three prevalent issues you may encounter and the tools you'll need to address them.

**Decrypting HTTPS traffic**

Hypertext Transfer Protocol Secure (HTTPS), the protocol for secure online communication, has become a tool for malware to conceal their malicious activities. By cloaking data exchange between infected devices and command-and-control (C&C) servers, malware can operate undetected, exfiltrating sensitive data, installing additional payloads, and receiving instructions from the operators.

Yet, with the right tool, decrypting HTTPS traffic is an easy task. For this purpose, we can use a man-in-the-middle (MITM) proxy. The MITM proxy works as an intermediary between the client and the server, intercepting their communication.

The MITM proxy aids analysts in real-time monitoring of the malware's network traffic, providing them with a clear view of its activities. Among other things, analysts can access content of request and response packets, IPs, and URLs to view the details of the malware's communication and identify stolen data. The tool is particularly useful for extracting SSL keys used by the malware.

**Use case**

Information about AxileStealer provided by the ANY.RUN sandbox

In this example, the initial file, 237.06 KB in size, drops AxilStealer's executable file, 129.54 KB in size. As a typical stealer, it gains access to passwords stored in web browsers and begins to transfer them to attackers via a Telegram messenger connection.

The malicious activity is indicated by the rule "STEALER \[ANY.RUN\] Attempt to exfiltrate via Telegram". Thanks to the MITM proxy feature, the malware's traffic is decrypted, revealing more details about the incident.

Malware Analysis

Use a MITM proxy and dozens of other advanced features for in-depth malware analysis in the ANY.RUN sandbox.

Request a free trial

**Discovering malware's family**

Malware family identification is a crucial part of any cyber investigation. Yara and Suricata rules are commonly used tools for this task, but their effectiveness may be limited when dealing with malware samples whose servers are no longer active.

FakeNET offers a solution to this challenge by creating a fake server connection that responds to malware requests. Tricking the malware to send a request triggers a Suricata or YARA rule, which accurately identifies the malware family.

**Use case**

Inactive servers detected by the ANY.RUN sandbox

When analyzing this sample, the sandbox points to the fact that the malware's servers are unresponsive.

Smoke Loader malware identified using FakeNET

Yet, after enabling the FakeNET feature, the malicious software instantly sends a request to a fake server, triggering the network rule that identifies it as Smoke Loader.

**Catching geo-targeted and evasive malware**

Many attacks and phishing campaigns focus on specific geographic regions or countries. Subsequently, they incorporate mechanisms like IP geolocation, language detection, or website blocking which may limit analysts' ability to detect them.

Alongside geo-targeting, malware operators may leverage techniques to evade analysis in sandbox environments. A common approach is to verify whether the system is using a datacenter IP address. If confirmed, the malicious software stops execution.

To counter these obstacles, analysts use a residential proxy. This nifty tool works by switching the IP address of the analyst's device or virtual machine to ordinary users' residential IPs from different parts of the world.

This feature empowers professionals to bypass geo-restrictions by mimicking local users and study malicious activities without revealing their sandbox environment.

**Use case**

Smoke Loader malware identified using FakeNET

Here, Xworm instantly checks for a hosting IP address as soon as it is uploaded to a sandbox. Yet, since the VM has a residential proxy, the malware continues to execute and connects to its command-and-control server.

**Try all of these tools in ANY.RUN**

Setting up and using each of the aforementioned tools individually can take a lot of effort. To access and utilize all of them with ease, use the cloud-based ANY.RUN sandbox.

The key feature of the service is interactivity, allowing you to safely engage with malware and the infected system just like you would on your own computer.

You can explore these and numerous other features of ANY.RUN, including private space for your team, Windows 7, 8, 10, 11 VMs, and API integration completely for free.

Just use a 14-day trial, no strings attached.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

How to Analyze Malware’s Network Traffic in A Sandbox

Adobe Illustrator versions 28.0 (and earlier) and 27.9 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security Updates Available for Adobe Illustrator | APSB23-68

Bulletin ID

Date Published

Priority

APSB23-68

December 12,  2023    

3

**Summary**

Adobe has released an update for Adobe Illustrator. This update resolves critical vulnerabilities that could lead to arbitrary code execution.  

**Affected Versions**

**Product**

**Version**

**Platform**

Illustrator 2024  

28.0 and earlier versions   

Windows and macOS

Illustrator 2023  

27.9 and earlier versions  

Windows and macOS  

**Solution**

Adobe categorizes these updates with the following  priority ratings  and recommends users update their installation to the newest version via the Creative Cloud desktop app's update mechanism.  For more information, please reference this help page.

Product

Version

Platform

Priority

Availability

Illustrator 2024   

28.1

Windows and macOS

3

Download Page

Illustrator 2023  

27.9.1  

Windows and macOS  

3

Download Page  

**Vulnerability Details**

Vulnerability Category

Vulnerability Impact

Severity

**CVSS base score**   

**CVSS vector**  

CVE Numbers

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-47074  

Use After Free (CWE-416)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-47075  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-47063  

**Acknowledgments**

Adobe would like to thank the following researchers for reporting this issue and for working with Adobe to help protect our customers:     

*   Anonymous working with Trend Micro Zero Day Initiative  -- CVE-2023-47074, CVE-2023-47075  
    
*   anonymous - CVE-2023-47063  
    

NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com

Tag

#windows