CISA Added Adobe and Cisco vulnerabilities to its Known Exploited Vulnerabilities Catalog (CVE-2023-21608 & CVE-2023-20109)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has acknowledged the active exploitation of two vulnerabilities. CISA added the vulnerabilities to its Known Exploited Vulnerabilities Catalog on Tuesday. CISA has recommended that users apply the vendor-released patches before October 31, 2023, to secure their networks against potential threats.

The two vulnerabilities added by CISA are:

  • CVE-2023-21608
  • CVE-2023-20109

CVE-2023-21608: Adobe Acrobat and Reader Arbitrary Code Execution Vulnerability

CVE-2023-21608 has been given a critical severity rating and a CVSS score of 7.8. It is a use-after-free vulnerability that may lead to arbitrary code execution. Adobe patched the vulnerability in January 2023, and security researchers released a proof-of-concept (PoC) exploit for it in the same month.

CVE-2023-20109: Cisco Internetwork Operating System (IOS) and IOS XE Software Out-of-Bounds Write Vulnerability

CVE-2023-20109 exists in the Cisco Group Encrypted Transport VPN (GET VPN) feature of Cisco IOS Software and Cisco IOS XE Software. The vulnerability arises due to insufficient validation of attributes in the Group Domain of Interpretation (GDOI) and G-IKEv2 protocols of the GET VPN feature.

The vulnerability can be exploited in either of two ways:

  • Compromising an installed key server, or
  • Modifying the configuration of a group member to point to a key server controlled by the attacker

Successful exploitation of the vulnerability could allow an authenticated, remote attacker to execute arbitrary code and gain complete control of the affected system. An attacker may also cause the affected system to reload, resulting in a denial of service (DoS) condition.
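Both exploitation paths above rely on a group member trusting a key server the attacker controls, so a quick inventory of which routers have GDOI or G-IKEv2 groups configured, and which key servers each group points at, is a useful triage step. The following script is an added example (not from the Cisco advisory or Qualys); the config excerpt is constructed, and it assumes the standard IOS stanza keywords (`crypto gdoi group`, `crypto gkm group`, `server address ipv4`, `server local`).

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of a 'show running-config' from a hypothetical group member.
SAMPLE_CONFIG = """\
hostname branch-gm-01
!
crypto gdoi group GETVPN-PROD
 identity number 1234
 server address ipv4 10.10.0.5
 server address ipv4 10.10.0.6
!
crypto gkm group GKM-LAB
 identity number 5678
 server address ipv4 198.51.100.77
 client protocol gikev2 IKEV2-PROF
!
interface GigabitEthernet0/0
 ip address 192.0.2.10 255.255.255.0
!
"""

@dataclass
class GetVpnGroup:
    name: str
    protocol: str                 # "GDOI" or "G-IKEv2"
    role: str = "unknown"         # "group-member" or "key-server"
    key_servers: list = field(default_factory=list)

def parse_getvpn_groups(config: str) -> list:
    """Return the GDOI / G-IKEv2 groups found in an IOS-style running config."""
    groups, current = [], None
    for line in config.splitlines():
        m = re.match(r"^crypto (gdoi|gkm) group (\S+)", line)
        if m:  # start of a new group stanza
            proto = "GDOI" if m.group(1) == "gdoi" else "G-IKEv2"
            current = GetVpnGroup(name=m.group(2), protocol=proto)
            groups.append(current)
            continue
        if current is None or not line.startswith(" "):
            current = None            # left the indented stanza body
            continue
        sub = line.strip()
        if sub.startswith("server local"):        # this router is a key server
            current.role = "key-server"
        elif sub.startswith("server address ipv4 "):  # group member pointing at a KS
            current.role = "group-member"
            current.key_servers.append(sub.split()[-1])
    return groups

def unexpected_key_servers(groups: list, allowlist: set) -> dict:
    """Map group name -> configured key-server addresses not in the allowlist."""
    return {g.name: [ks for ks in g.key_servers if ks not in allowlist]
            for g in groups if any(ks not in allowlist for ks in g.key_servers)}
```

Run `unexpected_key_servers(parse_getvpn_groups(config), known_key_servers)` over each router's config; any non-empty result is a group member pointed at a key server you do not operate and merits investigation.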

Affected Products and Versions

CVE-2023-21608

  • Acrobat DC – 22.003.20282 (Win), 22.003.20281 (Mac) and earlier versions
  • Acrobat Reader DC – 22.003.20282 (Win), 22.003.20281 (Mac) and earlier versions
  • Acrobat 2020 – 20.005.30418 and earlier versions
  • Acrobat Reader 2020 – 20.005.30418 and earlier versions

CVE-2023-20109

The advisory states, “This vulnerability affected Cisco products if they were running a vulnerable release of Cisco IOS Software or Cisco IOS XE Software and had the GDOI or G-IKEv2 protocol enabled.”

Mitigation

CVE-2023-21608

  • Acrobat DC – 22.003.20310
  • Acrobat Reader DC – 22.003.20310
  • Acrobat 2020 – 20.005.30436
  • Acrobat Reader 2020 – 20.005.30436

For more information, please refer to the Adobe Security Advisory (APSB23-01).

CVE-2023-20109

Cisco has published the steps to patch the vulnerability. Please refer to the Cisco Security Advisory (cisco-sa-getvpn-rce-g8qR68sx) for more information.

Qualys Detection

Qualys customers can scan their devices with QIDs 317372 and 377887 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References

https://helpx.adobe.com//security/products/acrobat/apsb23-01.html
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-getvpn-rce-g8qR68sx
