CVE-2020-24428

7.7 HIGH

📋 TL;DR

This CVE describes a time-of-check time-of-use (TOCTOU) race condition vulnerability in Adobe Acrobat Reader DC for macOS that allows local privilege escalation. An attacker could exploit this by tricking a user into opening a malicious file, potentially gaining elevated privileges on the affected system. Only macOS users running vulnerable versions of Acrobat Reader DC are affected.

💻 Affected Systems

Products:
  • Adobe Acrobat Reader DC
Versions: 2020.012.20048 and earlier, 2020.001.30005 and earlier, 2017.011.30175 and earlier
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects macOS versions of Acrobat Reader DC. Requires user interaction to open a malicious file.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker gains root privileges on the macOS system, allowing complete system compromise, data theft, persistence installation, and lateral movement.

🟠

Likely Case

Local privilege escalation to gain administrative rights on the affected macOS machine, enabling further malicious activities.

🟢

If Mitigated

No impact if proper patching is applied or if users avoid opening untrusted PDF files.

🌐 Internet-Facing: LOW (local vulnerability; nothing is reachable over the network, a user must open the malicious file)
🏢 Internal Only: MEDIUM (any unpatched macOS host becomes a privilege-escalation path once a user can be persuaded to open a PDF)

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and user interaction to open a malicious file. Race condition vulnerabilities can be challenging to exploit reliably.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2020.012.20049, 2020.001.30006, 2017.011.30176 or later

Vendor Advisory: https://helpx.adobe.com/security/products/acrobat/apsb20-67.html

Restart Required: Yes

Instructions:

1. Open Adobe Acrobat Reader DC.
2. Go to Help > Check for Updates.
3. Follow the prompts to install the available updates.
4. Restart the application.

🔧 Temporary Workarounds

Disable automatic PDF opening (macOS)

  Configure macOS so that PDF files do not open automatically in Acrobat Reader DC.

Use an alternative PDF reader (macOS)

  Temporarily use macOS Preview or another PDF reader until the patch is applied.

🧯 If You Can't Patch

  • Limit the permissions of the accounts that use Acrobat Reader DC, so a successful escalation has less to reach
  • Implement application whitelisting to block Acrobat Reader DC execution

🔍 How to Verify

Check if Vulnerable:

Check Acrobat Reader DC version via Help > About Adobe Acrobat Reader DC

Check Version:

defaults read /Applications/Adobe\ Acrobat\ Reader\ DC.app/Contents/Info.plist CFBundleShortVersionString

Verify Fix Applied:

Verify version is 2020.012.20049, 2020.001.30006, 2017.011.30176 or later
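As an added example (not part of this advisory page), a POSIX sh script that reads the installed version with the same defaults command shown above and compares it, per release track, against the fixed builds listed in the Official Fix section. The plist path and the track-to-fix mapping come from this page; the output words and exit codes are this script's own convention.

```shell
#!/bin/sh
# Location of the Reader bundle, as used by the page's "Check Version" command.
PLIST="/Applications/Adobe Acrobat Reader DC.app/Contents/Info.plist"

# Fixed builds from APSB20-67, keyed by release track (first two version fields).
fixed_for_track() {
  case "$1" in
    2020.012) echo 2020.012.20049 ;;   # DC Continuous track
    2020.001) echo 2020.001.30006 ;;   # Classic 2020 track
    2017.011) echo 2017.011.30176 ;;   # Classic 2017 track
    *)        echo "" ;;               # track not covered by the advisory
  esac
}

# version_lt A B: succeeds when A sorts before B, comparing each dot-separated
# field numerically (leading zeros stripped so "012" is never read as octal).
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    z="${x%%[!0]*}"; x="${x#$z}"; x="${x:-0}"
    z="${y%%[!0]*}"; y="${y#$z}"; y="${y:-0}"
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
  done
  return 1
}

# cve_2020_24428_status VERSION: prints one of vulnerable / patched /
# track-not-in-advisory; exit status 0 / 1 / 2 respectively.
cve_2020_24428_status() {
  track="${1%.*}"                      # 2020.012.20048 -> 2020.012
  fixed=$(fixed_for_track "$track")
  if [ -z "$fixed" ]; then echo "track-not-in-advisory"; return 2; fi
  if version_lt "$1" "$fixed"; then echo "vulnerable"; return 0; fi
  echo "patched"; return 1
}

# Reads the installed version exactly as the page's check does.
installed_status() {
  ver=$(defaults read "$PLIST" CFBundleShortVersionString 2>/dev/null) \
    || { echo "reader-not-installed"; return 3; }
  cve_2020_24428_status "$ver"
}

# Report on the installed copy; "|| :" keeps a set -e shell alive when absent.
installed_status || :
```

Versions from tracks the advisory does not list (for example later 2021.x releases) are reported as track-not-in-advisory rather than guessed at.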

📡 Detection & Monitoring

Log Indicators:

  • Unusual privilege escalation events in macOS system logs
  • Acrobat Reader DC crash reports with suspicious file paths

Network Indicators:

  • None - this is a local privilege escalation vulnerability

SIEM Query:

source="macOS_system_logs" AND (event="privilege_escalation" OR process="<Acrobat Reader DC process name>")

Note: the field names above are illustrative and must be mapped to your SIEM's schema. AcroRd32 is the Windows executable name and will not match on macOS; match on the process name of the Reader bundle installed on your Macs instead.

🔗 References