September Vuln of the Month: CVE-2021-28640
September’s Vuln of the Month is a vulnerability involving a favorite target of hackers: Adobe Reader software.
So on this Exploit Wednesday, we’re spotlighting CVE-2021-28640, a Use After Free vulnerability affecting all known versions of Acrobat Reader DC. Our research shows that CVE-2021-28640 meets many of the criteria we look for to be widely exploited, including:
- Access complexity: Low
- Potential attack surface: Massive
- Exploitable remotely: Yes
- Authentication/privilege requirements: None
- Potential impact on availability: Partial
- Exploit code published: No
- Active exploits observed: Yes
The Kenna Risk Score for CVE-2021-28640 is 82. Just 1.3% of the more than 156,000 CVEs scored by Kenna have earned a higher risk score. That’s certainly critical in our book. This contrasts with CVSS 3.1, which assigns this CVE a “High” score of 7.3 (only CVSS scores of 9 or above are labeled “Critical”), and CVSS 2.0, which gives it a “Medium” score of 6.0. The reason for this disparity is, as always, that Kenna Risk Scores incorporate far more contextual information and analysis, aided by data science and machine learning, to provide a more complete and accurate prediction of the relative risk a vulnerability poses to an organization.
Why CVE-2021-28640 matters
In the digital space, it’s hard to find a more ubiquitous file format than PDFs. More than 300 billion PDFs were opened by Adobe products last year. And although Adobe doesn’t break down that figure by application, it’s a safe bet that the free Adobe Reader DC opened most of them, though it’s important to note that even some paid Adobe Acrobat versions are also affected.
That’s what makes Adobe Reader such a popular target, and it’s why CVE-2021-28640 is a CVE of particular interest. This vulnerability earned such a high Kenna Risk Score because its attributes warrant it: All attackers have to do is get an unsuspecting user to open a malicious PDF file (and recent research reveals that’s not very difficult), and they can remotely execute arbitrary code from there. CVE-2021-28640 has already been successfully exploited in the wild.
And as is always the challenge with end-user applications, successful remediation requires prompt action by users themselves.
Bottom line
CVE-2021-28640 should be at the top of your fix list. The attack surface is massive, hackers can easily gain the ability to execute remote code, bad actors are already exploiting this vuln in the wild, and enterprise security managers will need to force an update ASAP for all users of affected Adobe Reader and Acrobat products.
Mitigation status
On July 13, Adobe issued an update for Windows and macOS versions of Adobe Acrobat and Reader. The update patches not just CVE-2021-28640, but a host of other vulnerabilities.
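Forcing the update is only half of the remediation; the other half is finding every Acrobat and Reader install that is still below the patched build. The script below is an added example, not Kenna's or Adobe's code. It assumes a software-inventory export in CSV form with `host,product,version` columns (the sample rows are constructed), and it assumes the Adobe DC version scheme in which the leading segment identifies the release track (Continuous vs. the year-labelled Classic tracks), so each track needs its own patched baseline. The baseline values in `PATCHED_BASELINES` are placeholders: substitute the minimum patched versions from Adobe's July 13 bulletin for the tracks you run.

```python
"""Flag Adobe Acrobat / Reader installs below the patched baseline for their track.

Added example (not from the post, Kenna, or Adobe). Input is a constructed
inventory CSV; baselines are PLACEHOLDERS to be replaced from Adobe's bulletin.
"""
import csv
import io
import re

# Constructed inventory rows: hosts and versions are made up for this example.
SAMPLE_INVENTORY = """host,product,version
ws-001,Adobe Acrobat Reader DC,2021.001.20155
ws-002,Adobe Acrobat Reader DC,2021.005.20060
ws-003,Adobe Acrobat DC,2020.001.30005
ws-004,Adobe Acrobat Reader DC,2021.005.20058
ws-005,Mozilla Firefox,91.0
ws-006,Adobe Acrobat DC,2017.011.30190
"""

# PLACEHOLDER baselines keyed by the leading version segment (assumed to
# identify the track: 2021 = Continuous, 2020 = Classic 2020). Replace with
# the minimum patched versions from Adobe's July 13 bulletin.
PATCHED_BASELINES = {
    2021: "2021.005.20058",
    2020: "2020.004.30006",
}

ACROBAT_RE = re.compile(r"adobe acrobat", re.IGNORECASE)


def parse_version(text):
    """'2021.005.20048' -> (2021, 5, 20048). Compare as integer tuples: a
    string compare would misorder '21.10' before '21.9'."""
    return tuple(int(part) for part in text.strip().split("."))


def is_acrobat_product(name):
    """Matches both 'Adobe Acrobat DC' and 'Adobe Acrobat Reader DC'."""
    return bool(ACROBAT_RE.search(name))


def find_unpatched(inventory_csv, baselines=PATCHED_BASELINES):
    """Return [(host, product, version, reason)] for Acrobat/Reader installs
    that cannot be shown to be patched: version below its track's baseline,
    version unparsable, or track with no baseline on file. Unknown cases are
    reported rather than silently passed, since 'unknown' is not 'patched'."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if not is_acrobat_product(row["product"]):
            continue
        host, product, version = row["host"], row["product"], row["version"]
        try:
            ver = parse_version(version)
        except ValueError:
            findings.append((host, product, version, "unparsable version"))
            continue
        baseline = baselines.get(ver[0])
        if baseline is None:
            findings.append((host, product, version, "no baseline for track"))
        elif ver < parse_version(baseline):
            findings.append((host, product, version, f"below {baseline}"))
    return findings


if __name__ == "__main__":
    for host, product, version, reason in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} ({reason}); force update")
```

Run against the constructed inventory, this reports ws-001 (Continuous track below baseline), ws-003 (Classic 2020 below baseline) and ws-006 (a track with no baseline entry), and leaves ws-002 and ws-004 alone. Feeding it a real export from your endpoint-management tool gives the host list that the "force an update ASAP" step has to cover.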
Watch this space for regular Vuln of the Month spotlights, which appear on Exploit Wednesday, the day following Microsoft’s monthly Patch Tuesday patch release. Meanwhile, if you find yourself chasing new and emerging vulns but never quite catching up, learn more about how Kenna Security can help you focus on your highest-risk vulnerabilities, rather than headlines, thanks in part to our vulnerability intelligence powered by machine learning.