CVE-2020-3795
📋 TL;DR
This CVE describes an out-of-bounds write vulnerability in Adobe Acrobat and Reader that could allow attackers to execute arbitrary code on affected systems. Users running vulnerable versions of Adobe Acrobat or Reader are at risk when opening malicious PDF files. The vulnerability affects multiple versions across different release tracks.
💻 Affected Systems
- Adobe Acrobat DC
- Adobe Acrobat Reader DC
- Adobe Acrobat 2017
- Adobe Acrobat Reader 2017
- Adobe Acrobat 2015
- Adobe Acrobat Reader 2015
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Malicious PDF files delivered via phishing or compromised websites lead to remote code execution, allowing attackers to install malware, steal credentials, or establish persistence.
If Mitigated
With proper patching and security controls, impact is limited to isolated incidents that can be contained through endpoint protection and network segmentation.
🎯 Exploit Status
Exploitation requires user interaction to open a malicious PDF file. The high CVSS score and out-of-bounds write nature make weaponization likely, though no public proof-of-concept has been confirmed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Acrobat DC: 2020.009.20063 or later; Acrobat 2017: 2017.011.30166 or later; Acrobat 2015: 2015.006.30523 or later
Vendor Advisory: https://helpx.adobe.com/security/products/acrobat/apsb20-13.html
Restart Required: Yes
Instructions:
1. Open Adobe Acrobat or Reader. 2. Navigate to Help > Check for Updates. 3. Follow prompts to download and install available updates. 4. Restart the application when prompted. 5. Verify update by checking Help > About Adobe Acrobat/Reader.
🔧 Temporary Workarounds
Disable JavaScript in Adobe Reader
allDisabling JavaScript can prevent some exploitation vectors, though not all attack methods may be blocked.
Edit > Preferences > JavaScript > Uncheck 'Enable Acrobat JavaScript'
Use Protected View
allConfigure Adobe Reader to open all PDFs in Protected View to limit potential damage from malicious files.
Edit > Preferences > Security (Enhanced) > Check 'Enable Protected View at startup'
🧯 If You Can't Patch
- Implement application whitelisting to block execution of unauthorized code
- Deploy endpoint detection and response (EDR) solutions to detect and block exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Open Adobe Acrobat/Reader, go to Help > About Adobe Acrobat/Reader, and compare version number with affected ranges.Check Version:
On Windows: wmic product where "name like 'Adobe Acrobat%'" get version; On macOS: /Applications/Adobe\ Acrobat\ Reader\ DC.app/Contents/Info.plist | grep -A1 CFBundleShortVersionStringVerify Fix Applied:
After updating, verify version is at or above: DC: 2020.009.20063, 2017: 2017.011.30166, 2015: 2015.006.30523.📡 Detection & Monitoring
Log Indicators:
- Adobe Acrobat/Reader crash logs with memory access violations
- Windows Event Logs showing application crashes (Event ID 1000)
- Process creation from Adobe Acrobat/Reader with unusual parent-child relationships
Network Indicators:
- Outbound connections from Adobe Acrobat/Reader process to suspicious IPs
- DNS requests for known malicious domains following PDF file access
SIEM Query:
source="*acrobat*" AND (event_id=1000 OR "access violation" OR "out-of-bounds")