Vulnerabilities in Adobe Reader DC Software

Consolidated summary:

  • ZDI-24-424 & ZDI-24-425: Both vulnerabilities, identified as CVE-2024-30305 and CVE-2024-30303 respectively, have a CVSS score of 7.8 and affect Adobe Acrobat Reader DC. They allow remote code execution due to improper handling of AcroForms. Users must interact with a malicious page or file to trigger the flaw.
  • ZDI-24-427: Identified as CVE-2024-30306 with a CVSS score of 7.8, this vulnerability in Adobe Acrobat Reader DC allows remote code execution through an out-of-bounds read in AcroForms. User interaction is required.
  • ZDI-24-426: With a lower CVSS score of 3.3, CVE-2024-30302 is an information disclosure vulnerability in Adobe Acrobat Reader DC, stemming from inadequate validation in AcroForm handling.
  • ZDI-24-422: CVE-2024-30304, with a CVSS score of 7.8, allows remote code execution in Adobe Acrobat Reader DC due to a flaw in Annotation object handling. User interaction is necessary.
  • ZDI-24-423: CVE-2024-30301, also with a CVSS score of 7.8, is a use-after-free vulnerability in Adobe Acrobat Reader DC’s AcroForm handling, leading to potential remote code execution.

More details about each vulnerability:

  1. ZDI-24-424:
    • Vulnerability ID: ZDI-24-424
    • CVE ID: CVE-2024-30305
    • CVSS Score: 7.8
    • Affected Product: Adobe Acrobat Reader DC
    • Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. The flaw lies in the handling of AcroForms, where the existence of an object is not validated before operations are performed on it. User interaction is required: the target must visit a malicious page or open a malicious file.
    • Mitigation: Adobe has issued an update to correct this vulnerability. Users are advised to update their software to mitigate potential risks.
  2. ZDI-24-425:
    • Vulnerability ID: ZDI-24-425
    • CVE ID: CVE-2024-30303
    • CVSS Score: 7.8
    • Affected Product: Adobe Acrobat Reader DC
    • Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required, such as visiting a malicious page or opening a malicious file. The flaw lies in the handling of AcroForms, where the existence of an object is not validated before operations are performed on it.
    • Mitigation: Adobe has issued an update to correct this vulnerability. It is crucial to update your software to protect against potential risks.
  3. ZDI-24-427:
    • Vulnerability ID: ZDI-24-427
    • CVE ID: CVE-2024-30306
    • CVSS Score: 7.8 (High)
    • Affected Product: Adobe Acrobat Reader DC
    • Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. It requires user interaction, as the target must visit a malicious page or open a malicious file. The flaw is within the handling of AcroForms, due to improper validation of user-supplied data, leading to an out-of-bounds read.
    • Mitigation: Adobe has released an update to correct this vulnerability. Users are advised to update their software to the latest version to protect against exploitation.
  4. ZDI-24-426:
    • Vulnerability ID: ZDI-24-426
    • CVE ID: CVE-2024-30302
    • CVSS Score: 3.3, AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
    • Affected Product: Adobe Acrobat Reader DC
    • Details: This vulnerability allows remote attackers to disclose sensitive information on affected installations of Adobe Acrobat Reader DC. The flaw lies in the handling of AcroForms, where the existence of an object is not validated before operations are performed on it.
    • User Interaction: Required. The target must visit a malicious page or open a malicious file to exploit this vulnerability.
    • Disclosure Timeline: Reported to vendor on 2024-01-17, with a coordinated public release of the advisory on 2024-05-07.
    • Credit: Mark Vincent Yason
  5. ZDI-24-422:
    • Vulnerability ID: ZDI-24-422
    • CVE ID: CVE-2024-30304
    • Severity: CVSS score 7.8 (High)
    • Affected Product: Adobe Acrobat Reader DC
    • Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required, such as visiting a malicious page or opening a malicious file. The flaw lies in the handling of Annotation objects, where the existence of an object is not validated before operations are performed on it.
    • Disclosure Timeline: Reported to vendor on January 17, 2024, with a coordinated public release of the advisory on May 7, 2024.
    • Credit: The vulnerability was reported by Mark Vincent Yason.
  6. ZDI-24-423:
    • Vulnerability ID: ZDI-24-423
    • CVE ID: CVE-2024-30301
    • Severity: CVSS score 7.8 (High), with potential for remote code execution
    • Affected Product: Adobe Acrobat Reader DC
    • Issue Details: The vulnerability is a use-after-free flaw within AcroForm handling, allowing remote attackers to execute arbitrary code if a user opens a malicious file or visits a malicious page.
    • Resolution: Adobe has released an update to address this vulnerability. Users are advised to update their software.
    • For additional information and updates, users can visit Adobe’s official security page.

Please note that Adobe has issued updates to correct these vulnerabilities. It’s essential to keep your software up-to-date to mitigate potential risks.
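Every advisory above shares the same pattern: the bug is reached only when a user opens a crafted file, and the affected structures are AcroForms, Annotation objects and the scripting that drives them. While patches roll out, a defender can at least prioritize which inbound PDFs deserve sandbox detonation or manual review. The following is an added example written for this page, not code from Adobe, ZDI or the advisory author: a first-pass triage scanner that counts the PDF name objects associated with forms, annotations, JavaScript and auto-run actions and assigns a review priority. It is a heuristic, not a detection of any specific CVE; the sample PDFs are constructed inline and contain only a harmless alert. Two assumptions are built in: names may be hex-escaped (`/Acro#46orm`) and must be normalized before matching, and objects inside compressed object streams (PDF 1.5+) are not decoded, so a clean result from this scanner alone is not proof of a clean file.

```python
import re

# Constructed sample PDFs (not real malware). BENIGN_PDF is a bare one-page
# document; FORM_WITH_JS_PDF carries an AcroForm, a widget annotation and a
# document-level JavaScript OpenAction that only raises an alert.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

FORM_WITH_JS_PDF = b"""%PDF-1.6
1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm 4 0 R /OpenAction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [6 0 R] >> endobj
4 0 obj << /Fields [6 0 R] >> endobj
5 0 obj << /S /JavaScript /JS (app.alert\\(1\\)) >> endobj
6 0 obj << /Type /Annot /Subtype /Widget /FT /Tx /T (f1) /Rect [0 0 10 10] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Same document with two names hex-escaped, to show why normalization matters.
OBFUSCATED_PDF = (FORM_WITH_JS_PDF
                  .replace(b"/AcroForm", b"/Acro#46orm")
                  .replace(b"/JS ", b"/J#53 "))

# Name objects that map to the structures named in the advisories (forms,
# annotations) plus the script/auto-action hooks that usually trigger them.
# Indicator names are this example's own choice, not an Adobe or ZDI taxonomy.
INDICATORS = {
    "acroform": rb"/AcroForm\b",
    "annots": rb"/Annots\b",
    "javascript": rb"/(?:JavaScript|JS)\b",
    "open_action": rb"/(?:OpenAction|AA)\b",
}


def _unescape_names(data: bytes) -> bytes:
    """Decode #HH escapes inside PDF names so /Acro#46orm matches /AcroForm."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Count indicator names in raw PDF bytes and assign a review priority.

    Assumption: uncompressed object dictionaries. Names hidden inside
    FlateDecode'd object streams are not seen, so 'low' is not 'clean'.
    """
    if not data.startswith(b"%PDF-"):
        raise ValueError("not a PDF header")
    text = _unescape_names(data)
    hits = {name: len(re.findall(pat, text)) for name, pat in INDICATORS.items()}
    # Forms or annotations combined with script or auto-run actions is the
    # shape every advisory on this page describes, so it goes to the front.
    interactive = bool(hits["acroform"] or hits["annots"])
    scripted = bool(hits["javascript"] or hits["open_action"])
    if interactive and scripted:
        priority = "high"
    elif interactive or scripted:
        priority = "medium"
    else:
        priority = "low"
    return {"indicators": hits, "priority": priority}


if __name__ == "__main__":
    for label, sample in [("benign", BENIGN_PDF),
                          ("form+js", FORM_WITH_JS_PDF),
                          ("obfuscated", OBFUSCATED_PDF)]:
        print(label, triage_pdf(sample))
```

Run it against a directory of mail attachments and sort by priority; the point of the hex-escape normalization is that a file whose `/AcroForm` name is written as `/Acro#46orm` scores exactly the same as the plain spelling. For production use, pair this with a parser that inflates object streams, since the scanner deliberately stops at raw bytes.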
