
Security Updates for Adobe FrameMaker: Addressing Critical Vulnerabilities

Adobe has released critical security updates for FrameMaker and other products to address vulnerabilities that could allow arbitrary code execution.

Overview

Adobe has released new updates across several of its products, including Adobe FrameMaker, Adobe Substance 3D Printer, Adobe Commerce and Magento Open Source, Adobe Dimension, Adobe Animate, Adobe Lightroom, Adobe InCopy, Adobe InDesign, and Adobe Substance 3D Stager. The updates respond to a cluster of vulnerabilities across Adobe products, also covered by the Cybersecurity and Infrastructure Security Agency (CISA), that could allow malicious actors to execute arbitrary code on affected systems. Although Adobe has stated that it is not aware of any in-the-wild exploitation of these vulnerabilities, the potential impact warrants prompt action from users to secure their installations.

The vulnerabilities identified impact various versions of Adobe products, specifically those running on Windows platforms. For Adobe FrameMaker, the affected versions include FrameMaker 2020 Release: Update 6 and earlier, as well as FrameMaker 2022 Release: Update 4 and earlier. Adobe Substance 3D Printer is also affected, with versions 1.0.3 and earlier being vulnerable.

Additionally, Adobe Commerce and Magento Open Source have vulnerabilities in Magento Open Source 2.4.6-p1 and earlier, as well as Magento Open Source 2.4.5-p2 and earlier. For Adobe Dimension, versions 3.4.2 and earlier are impacted. Adobe Animate has vulnerabilities in version 23.0.0 and earlier, while Adobe Lightroom users should be aware that Lightroom Classic 12.3 and earlier are also affected. Furthermore, Adobe InCopy and Adobe InDesign have vulnerabilities in their 2023 Release: Update 4 and earlier versions. Finally, Adobe Substance 3D Stager users should note that version 2.2 and earlier are at risk.

Adobe has classified these updates with a priority rating of 3, highlighting the need for users to take action. For mitigation against potential attacks, users are encouraged to update their installations to the latest versions. For Adobe FrameMaker, users should upgrade to FrameMaker 2020 Update 7 or FrameMaker 2022 Update 5. The recommended version for Adobe Substance 3D Printer is 1.0.4 or later. Users of Adobe Commerce and Magento Open Source should update to Magento Open Source 2.4.6-p2 or later.

For those using Adobe Dimension, the update to version 3.4.3 or later is recommended. Adobe Animate users should upgrade to version 23.0.1 or later. Adobe Lightroom Classic users need to move to version 12.4 or later. InCopy users should update to the 2023 Release: Update 5, and InDesign users are advised to upgrade to the 2023 Release: Update 5 as well. Finally, for Adobe Substance 3D Stager, users should update to version 2.3 or later.
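The affected and fixed versions above use three different version spellings (FrameMaker's "Release: Update N", Magento's "-pN" patch suffix, and plain dotted numbers), and two of the products have more than one release line, so a naive string or tuple comparison misclassifies builds. The following script, an added example that is not Cyble's or Adobe's code, transcribes the thresholds from the text into a small table and classifies an inventory of installed versions as affected, fixed, or unknown. The accepted version-string formats, the branch-prefix scheme, and the sample inventory are assumptions; where the text names no fixed release for a line (Magento 2.4.5), versions above the last affected build are reported as unknown rather than fixed.

```python
"""Version-threshold check against the affected/fixed versions listed in the
advisory above.  Added example, not Cyble's or Adobe's code; the version-string
spellings it accepts and the sample inventory are assumptions."""
import re

# Thresholds transcribed from the advisory text.  Each product maps to a list of
# (branch_prefix, last_affected_version, first_fixed_version).  A branch prefix
# keeps FrameMaker 2020 and 2022 (and Magento 2.4.5 / 2.4.6) from being compared
# against each other; an empty prefix means the product has a single line.
ADVISORY = {
    "Adobe FrameMaker": [
        ((2020,), "2020 Release: Update 6", "2020 Release: Update 7"),
        ((2022,), "2022 Release: Update 4", "2022 Release: Update 5"),
    ],
    "Adobe Substance 3D Printer": [((), "1.0.3", "1.0.4")],
    "Magento Open Source": [
        ((2, 4, 6), "2.4.6-p1", "2.4.6-p2"),
        # The advisory names only 2.4.6-p2 as the fixed release, so the 2.4.5
        # line has no fixed version here and anything above p2 reports "unknown".
        ((2, 4, 5), "2.4.5-p2", None),
    ],
    "Adobe Dimension": [((), "3.4.2", "3.4.3")],
    "Adobe Animate": [((), "23.0.0", "23.0.1")],
    "Adobe Lightroom Classic": [((), "12.3", "12.4")],
    "Adobe InCopy": [((), "2023 Release: Update 4", "2023 Release: Update 5")],
    "Adobe InDesign": [((), "2023 Release: Update 4", "2023 Release: Update 5")],
    "Adobe Substance 3D Stager": [((), "2.2", "2.3")],
}

_RELEASE_UPDATE = re.compile(r"(\d{4})(?:\s*Release:?)?\s*Update\s*(\d+)")
_DOTTED = re.compile(r"(\d+(?:\.\d+)*)(?:-p(\d+))?")


def parse_version(text: str) -> tuple:
    """Normalise a version string into a comparable 5-tuple.

    Accepts "2022 Release: Update 4" / "2022 Update 5" (year, update),
    "2.4.6-p1" (dotted plus Magento patch level) and plain dotted forms such as
    "12.3".  The dotted part is zero-padded to four components and the patch
    level is always the last element, so shorter strings compare correctly
    against longer ones ("12.3" < "12.3.1" < "12.4").
    """
    text = text.strip()
    m = _RELEASE_UPDATE.fullmatch(text)
    if m:
        return (int(m.group(1)), int(m.group(2)), 0, 0, 0)
    m = _DOTTED.fullmatch(text)
    if m:
        parts = [int(x) for x in m.group(1).split(".")]
        if len(parts) > 4:
            raise ValueError(f"too many components in {text!r}")
        parts += [0] * (4 - len(parts))
        patch = int(m.group(2)) if m.group(2) else 0
        return tuple(parts) + (patch,)
    raise ValueError(f"unrecognised version string: {text!r}")


def assess(product: str, installed: str) -> str:
    """Classify an installed version as "affected", "fixed" or "unknown".

    "unknown" covers a version newer than the last affected build but older than
    the first fixed one, a release line the advisory does not list, and the
    Magento 2.4.5 line above p2 (the advisory names no fixed release for it).
    """
    if product not in ADVISORY:
        raise KeyError(f"product not covered by this advisory: {product}")
    v = parse_version(installed)
    for prefix, last_affected, first_fixed in ADVISORY[product]:
        if v[:len(prefix)] != tuple(prefix):
            continue
        if v <= parse_version(last_affected):
            return "affected"
        if first_fixed is not None and v >= parse_version(first_fixed):
            return "fixed"
        return "unknown"
    return "unknown"


def assess_inventory(rows):
    """Apply assess() to (host, product, version) triples and return
    (host, product, version, status) rows with affected hosts listed first."""
    results = [(h, p, ver, assess(p, ver)) for h, p, ver in rows]
    order = {"affected": 0, "unknown": 1, "fixed": 2}
    return sorted(results, key=lambda r: order[r[3]])


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    ("ws-docs-01", "Adobe FrameMaker", "2022 Release: Update 4"),
    ("ws-docs-02", "Adobe FrameMaker", "2020 Update 7"),
    ("shop-web-01", "Magento Open Source", "2.4.6-p1"),
    ("shop-web-02", "Magento Open Source", "2.4.5-p3"),
    ("ws-photo-01", "Adobe Lightroom Classic", "12.3.1"),
    ("ws-anim-01", "Adobe Animate", "23.0.1"),
]

if __name__ == "__main__":
    for host, product, version, status in assess_inventory(SAMPLE_INVENTORY):
        print(f"{status:9} {host:12} {product} {version}")
```

The "unknown" state is deliberate: a build that sits between the last affected and first fixed version, or on a line the advisory does not name a fix for, should be escalated to the vendor's bulletin rather than silently counted as patched.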

Vulnerability Details and Acknowledgments

In Adobe FrameMaker, the first vulnerability is categorized as an Out-of-Bounds Read (CWE-125), which could lead to arbitrary code execution. This vulnerability has been assigned a critical severity rating with a CVSS base score of 7.8 and is identified as CVE-2024-47421. Another critical issue is an Untrusted Search Path vulnerability (CWE-426), which also allows arbitrary code execution and carries the same CVSS base score and severity rating (CVE-2024-47422).


The third vulnerability involves the Unrestricted Upload of Files with Dangerous Type (CWE-434), which again could allow for arbitrary code execution, rated as critical with a CVSS base score of 7.8 (CVE-2024-47423). Another critical risk is associated with Integer Overflow or Wraparound (CWE-190), which can also lead to arbitrary code execution, rated with the same CVSS score (CVE-2024-47424). Lastly, Integer Underflow (Wrap or Wraparound) (CWE-191) is another critical vulnerability allowing arbitrary code execution, also carrying a CVSS base score of 7.8 (CVE-2024-47425).

The presence of these vulnerabilities across widely used Adobe products poses risks for users. Arbitrary code execution could allow attackers to gain control of affected systems, leading to unauthorized access to sensitive data, data breaches, or other forms of exploitation. Prompt updates to the latest software versions are essential in protecting user systems from such threats.

Adobe has expressed gratitude to the security researchers and organizations that have collaborated to identify and analyze these vulnerabilities. The individuals who have been instrumental in reporting the relevant issues include yjdfy, who reported CVE-2024-47424 and CVE-2024-47425; Sidhu (someonealt-86), who reported CVE-2024-47423; jony_juice, who reported CVE-2024-47422; and Francis Provencher (prl), who reported CVE-2024-47421. 

Conclusion

The vulnerabilities addressed in the recent updates highlight the collective effort required to create a more secure environment. By remaining vigilant and proactive in applying updates and adhering to best practices, users can contribute to protecting their systems and data from online threats.

Recommendations and Mitigations

To mitigate these vulnerabilities, Cyble recommends the following mitigation strategies:

  • Regularly monitor security bulletins and subscribe to vendor newsletters for timely information on vulnerabilities and updates.
  • Apply patches promptly to mitigate the risks associated with known vulnerabilities.
  • Engage with manufacturers for clarification on updates and security measures where needed.
  • Organizations using Adobe products should educate employees about cybersecurity best practices.
  • Continuously monitor systems for unusual activity to identify potential exploitation before it escalates.
  • Implement additional security measures, such as firewalls and antivirus software, to further safeguard sensitive information.

Disclaimer: This blog is based on our research and the information available at the time of writing. It is for informational purposes only and does not constitute legal, financial, or professional advice. While we strive for accuracy, we do not guarantee the completeness or reliability of the content. If any sensitive information has been inadvertently included, please contact us for correction. Cyble is not responsible for any errors, omissions, or decisions made based on this content. Readers should verify findings and seek expert advice where necessary. All trademarks, logos, and third-party content belong to their respective owners and do not imply endorsement or affiliation. All content is presented “as is” without any guarantee that it is free of confidential, proprietary, or otherwise sensitive information. If you believe any portion of this content contains inadvertently shared or sensitive data, please contact us immediately so that we may address and rectify the issue.

No Liability for Errors or Omissions

Due to the dynamic nature of cyber threat activity, this [blog/report/article] may include partial, outdated, or otherwise incorrect information due to unverified sources, evolving security threats, or human error. We expressly disclaim any liability for errors or omissions or any potential consequences arising from the use, misuse, or reliance on this information.
