Sid 1-42311

Message

FILE-PDF Multiple Products malformed JP2K codestream out of bounds read attempt

Summary

This event is generated when an attacker attempts to exploit an out-of-bounds read vulnerability triggered by a malformed JP2K (JPEG 2000) codestream embedded in a PDF.

Impact

Attempted User Privilege Gain

CVE-2017-3023:
  • CVSS base score 7.8
  • CVSS impact score 5.9
  • CVSS exploitability score 1.8
  • Confidentiality Impact HIGH
  • Integrity Impact HIGH
  • Availability Impact HIGH

CVE-2017-3032:
  • CVSS base score 3.3
  • CVSS impact score 1.4
  • CVSS exploitability score 1.8
  • Confidentiality Impact LOW
  • Integrity Impact NONE
  • Availability Impact NONE

CVE-2017-3044:
  • CVSS base score 7.8
  • CVSS impact score 5.9
  • CVSS exploitability score 1.8
  • Confidentiality Impact HIGH
  • Integrity Impact HIGH
  • Availability Impact HIGH

CVE-2017-3046:
  • CVSS base score 5.5
  • CVSS impact score 3.6
  • CVSS exploitability score 1.8
  • Confidentiality Impact HIGH
  • Integrity Impact NONE
  • Availability Impact NONE

CVE-2017-8728:
  • CVSS base score 7.5
  • CVSS impact score 5.9
  • CVSS exploitability score 1.6
  • Confidentiality Impact HIGH
  • Integrity Impact HIGH
  • Availability Impact HIGH

CVE-2017-8737:
  • CVSS base score 7.5
  • CVSS impact score 5.9
  • CVSS exploitability score 1.6
  • Confidentiality Impact HIGH
  • Integrity Impact HIGH
  • Availability Impact HIGH

Detailed information

CVE-2017-3023: Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and earlier, 15.023.20070 and earlier have an exploitable memory corruption vulnerability in the JPEG 2000 code-stream tile functionality. Successful exploitation could lead to arbitrary code execution.

CVE-2017-3032: Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and earlier, 15.023.20070 and earlier have a memory address leak vulnerability in the JPEG 2000 code-stream parser.

CVE-2017-3044: Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and earlier, 15.023.20070 and earlier have an exploitable memory corruption vulnerability in the JPEG 2000 engine, related to image scaling. Successful exploitation could lead to arbitrary code execution.

CVE-2017-3046: Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and earlier, 15.023.20070 and earlier have a memory address leak vulnerability in the JPEG 2000 parser, related to contiguous code-stream parsing.

CVE-2017-8728: Microsoft Windows PDF Library in Microsoft Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an attacker to execute arbitrary code in the context of the current user, due to the way that Windows PDF Library handles objects in memory, aka "Windows PDF Remote Code Execution Vulnerability". This CVE ID is unique from CVE-2017-8737.

CVE-2017-8737: Microsoft Windows PDF Library in Microsoft Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an attacker to execute arbitrary code in the context of the current user, due to the way that Windows PDF Library handles objects in memory, aka "Windows PDF Remote Code Execution Vulnerability". This CVE ID is unique from CVE-2017-8728.

Affected systems

  • adobe acrobat 11.0.19
  • adobe acrobat_dc 15.006.30280
  • adobe acrobat_dc 15.023.20070
  • adobe acrobatreaderdc 15.006.30280
  • adobe acrobatreaderdc 15.023.20070
  • adobe reader 11.0.19
  • microsoft edge *
  • microsoft windows_8.1 *
  • microsoft windowsrt8.1 *
  • microsoft windowsserver2008 *
  • microsoft windowsserver2008 r2
  • microsoft windowsserver2012 -
  • microsoft windowsserver2012 r2

Ease of attack

CVE-2017-3023:

Access Vector

Access Complexity

Authentication

CVE-2017-3032:

Access Vector

Access Complexity

Authentication

CVE-2017-3044:

Access Vector

Access Complexity

Authentication

CVE-2017-3046:

Access Vector

Access Complexity

Authentication

CVE-2017-8728:

Access Vector

Access Complexity

Authentication

CVE-2017-8737:

Access Vector

Access Complexity

Authentication

False positives

None Known

False negatives

None Known

Corrective action

Contributors

  • Cisco's Talos Intelligence Group

Additional References

  • helpx.adobe.com/security/products/acrobat/apsb17-11.html
  • portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8737
  • portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8464