The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has acknowledged the active exploitation of two vulnerabilities. CISA added the vulnerabilities to its Known Exploited Vulnerabilities Catalog on Tuesday. CISA has recommended that users apply the vendor-released patches before October 31, 2023, to secure their networks against potential threats.
The two vulnerabilities added by CISA are:
- CVE-2023-21608
- CVE-2023-20109
CVE-2023-21608: Adobe Acrobat and Reader Arbitrary Code Execution Vulnerability
CVE-2023-21608 has been given a critical severity rating and a CVSS score of 7.8. It is a use-after-free vulnerability that may lead to arbitrary code execution. Adobe patched the vulnerability in January 2023, and security researchers released a proof-of-concept (PoC) exploit for it in the same month.
CVE-2023-20109: Cisco Internetwork Operating System (IOS) and IOS XE Software Out-of-Bounds Write Vulnerability
CVE-2023-20109 exists in the Cisco Group Encrypted Transport VPN (GET VPN) feature of Cisco IOS Software and Cisco IOS XE Software. The vulnerability arises due to insufficient validation of attributes in the Group Domain of Interpretation (GDOI) and G-IKEv2 protocols of the GET VPN feature.
The vulnerability can be exploited in one of two ways:
- Compromising an installed key server
- Modifying the configuration of a group member to point to a key server controlled by the attacker
Successful exploitation of the vulnerability could allow an authenticated, remote attacker to execute arbitrary code and gain complete control of the affected system. An attacker may also cause the affected system to reload, resulting in a denial of service (DoS) condition.
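As an added defender's example (not code from the Qualys post or from Cisco), the following Python audits a Cisco IOS running-config export for the GET VPN feature and for group members whose key server lies outside an organisation's allowlist, which is the "group member pointed at an attacker-controlled key server" scenario described above. The config snippet, group names, addresses and allowlist are constructed; the `crypto gdoi group` / `server address ipv4` syntax is the standard group-member form and is assumed here.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample of a GET VPN group-member running-config (not from the page).
SAMPLE_CONFIG = """\
hostname branch-rtr1
!
crypto gdoi group GETVPN-DATA
 identity number 1234
 server address ipv4 10.10.0.5
 server address ipv4 10.10.0.6
!
crypto gdoi group GETVPN-VOICE
 identity number 5678
 server address ipv4 198.51.100.77
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
"""

# Key servers the organisation actually operates (assumed allowlist).
KNOWN_KEY_SERVERS = {"10.10.0.5", "10.10.0.6"}


def parse_gdoi_groups(config: str) -> Dict[str, List[str]]:
    """Return {group_name: [key server addresses]} for each 'crypto gdoi group' block."""
    groups: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^crypto gdoi group (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        if current is None:
            continue
        # Sub-commands are indented; any non-indented line ends the current block.
        if not line.startswith(" "):
            current = None
            continue
        m = re.match(r"^\s+server address ipv4 (\S+)", line)
        if m:
            groups[current].append(m.group(1))
    return groups


def audit(config: str, allowlist: Iterable[str]) -> dict:
    """Flag whether GDOI is enabled at all and which configured key servers are unexpected."""
    groups = parse_gdoi_groups(config)
    configured = {ks for servers in groups.values() for ks in servers}
    return {
        "gdoi_enabled": bool(groups),
        "unexpected_key_servers": sorted(configured - set(allowlist)),
    }
```

A device with no `crypto gdoi group` block is reported as not exposed by this check; a device that is exposed still needs the vendor fix, since a compromised legitimate key server is the other exploitation path.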
Affected Products and Versions
CVE-2023-21608
- Acrobat DC – 22.003.20282 (Win), 22.003.20281 (Mac) and earlier versions
- Acrobat Reader DC – 22.003.20282 (Win), 22.003.20281 (Mac) and earlier versions
- Acrobat 2020 – 20.005.30418 and earlier versions
- Acrobat Reader 2020 – 20.005.30418 and earlier versions
CVE-2023-20109
The advisory states, “This vulnerability affected Cisco products if they were running a vulnerable release of Cisco IOS Software or Cisco IOS XE Software and had the GDOI or G-IKEv2 protocol enabled.”
Mitigation
CVE-2023-21608 (patched versions)
- Acrobat DC – 22.003.20310
- Acrobat Reader DC – 22.003.20310
- Acrobat 2020 – 20.005.30436
- Acrobat Reader 2020 – 20.005.30436
For more information, please refer to the Adobe Security Advisory (APSB23-01).
CVE-2023-20109
Cisco has mentioned steps to patch the vulnerability. Please refer to the Cisco Security Advisory (cisco-sa-getvpn-rce-g8qR68sx) for more information.
Qualys Detection
Qualys customers can scan their devices with QIDs 317372 and 377887 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://helpx.adobe.com//security/products/acrobat/apsb23-01.html
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-getvpn-rce-g8qR68sx