CVE-2020-3803
📋 TL;DR
This CVE describes a DLL hijacking vulnerability in Adobe Acrobat and Reader where attackers can place malicious DLL files in directories that the application searches before legitimate system directories. Successful exploitation allows local attackers to escalate privileges on affected systems. Users running vulnerable versions of Adobe Acrobat or Reader are affected.
💻 Affected Systems
- Adobe Acrobat
- Adobe Acrobat Reader
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains SYSTEM/administrator privileges on the compromised machine, enabling complete system takeover, data theft, and lateral movement.
Likely Case
Local attacker with limited privileges escalates to administrator rights, enabling installation of malware, persistence mechanisms, and access to sensitive data.
If Mitigated
Attack fails due to proper file permissions, application hardening, or user account restrictions limiting DLL placement.
🎯 Exploit Status
Exploitation requires local access to place malicious DLLs and knowledge of which DLLs Acrobat/Reader attempts to load from insecure locations. Social engineering could trick users into opening documents from malicious locations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2020.009.20063 (Continuous Track), 2017.011.30166 (Classic 2017), 2015.006.30524 (Classic 2015)
Vendor Advisory: https://helpx.adobe.com/security/products/acrobat/apsb20-13.html
Restart Required: Yes
Instructions:
1. Open Adobe Acrobat or Reader.
2. Go to Help > Check for Updates.
3. Follow prompts to install available updates.
4. Alternatively, download latest version from Adobe website.
5. Restart computer after installation.
🔧 Temporary Workarounds
Restrict DLL loading from current directory
Windows: Set the CWDIllegalInDllSearch registry value to prevent DLL loading from the current directory
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v CWDIllegalInDllSearch /t REG_DWORD /d 0xFFFFFFFF /f
Remove write permissions from Acrobat directories
Windows: Remove write permissions for non-admin users from directories where Acrobat/Reader executes
icacls "C:\Program Files\Adobe\Acrobat DC\Acrobat" /deny Users:(OI)(CI)W
🧯 If You Can't Patch
- Restrict user permissions to prevent DLL placement in directories Acrobat searches
- Use application control/whitelisting to block execution of unauthorized DLLs
🔍 How to Verify
Check if Vulnerable:
Check Adobe Acrobat/Reader version via Help > About Adobe Acrobat/Reader and compare with affected versions list
Check Version:
wmic product where "name like 'Adobe Acrobat%' or name like 'Adobe Reader%'" get name, version
Verify Fix Applied:
Verify version is 2020.009.20063 or later (Continuous), 2017.011.30166 or later (Classic 2017), or 2015.006.30524 or later (Classic 2015)
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing Acrobat/Reader loading DLLs from unusual locations
- Process Monitor logs showing DLL search order violations
Network Indicators:
- Not network exploitable - primarily local attack
SIEM Query:
EventID=4688 AND (NewProcessName LIKE '*acrobat.exe' OR NewProcessName LIKE '*acrord32.exe') AND CommandLine CONTAINS 'dll'
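Process-creation events such as 4688 do not record which modules a process loads, so the log indicators above are easier to check against image-load records. The following is an added example, not part of the original advisory or any Adobe tooling: it assumes Sysmon Event ID 7 (ImageLoad) is being collected and exported with Sysmon's field names, treats the listed trusted roots as an assumption about a default install, and runs over constructed sample events with placeholder DLL names.

```python
import ntpath

ACROBAT_IMAGES = {"acrobat.exe", "acrord32.exe"}  # process names from the page's SIEM query
# Assumption: roots that standard users cannot write to on a default install.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def review_image_load(event):
    """Return reasons a Sysmon Event ID 7 record deserves review (empty list if none)."""
    if event.get("EventID") != 7:
        return []
    if ntpath.basename(event["Image"]).lower() not in ACROBAT_IMAGES:
        return []
    # normpath collapses ".." so a path cannot masquerade as a trusted root.
    loaded = ntpath.normpath(event["ImageLoaded"]).lower()
    reasons = []
    if not loaded.startswith(TRUSTED_ROOTS):
        reasons.append("outside trusted directories")
    if event.get("Signed") != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or invalid signature")
    return reasons


def suspicious_loads(events):
    """Map each flagged ImageLoaded path to the reasons it was flagged."""
    flagged = {}
    for event in events:
        reasons = review_image_load(event)
        if reasons:
            flagged[event["ImageLoaded"]] = reasons
    return flagged


def _ev(image, loaded, signed, status):
    return {"EventID": 7, "Image": image, "ImageLoaded": loaded,
            "Signed": signed, "SignatureStatus": status}


READER = r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
# Constructed sample events, not real telemetry; DLL names are placeholders.
SAMPLE_EVENTS = [
    _ev(READER, r"C:\Windows\System32\example_system.dll", "true", "Valid"),
    _ev(READER, r"C:\Users\alice\Downloads\example_planted.dll", "false", "Unavailable"),
    _ev(READER, r"C:\Program Files\..\Users\Public\example_dotdot.dll", "true", "Valid"),
    _ev(r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
        r"C:\Program Files\Adobe\Acrobat DC\Acrobat\example_plugin.dll", "false", "Unavailable"),
    _ev(r"C:\Windows\System32\notepad.exe", r"C:\Users\alice\example_other.dll", "false", "Unavailable"),
]

if __name__ == "__main__":
    for path, reasons in suspicious_loads(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(reasons))
```

The signature check matters for the install directory itself: a DLL written there sits under a trusted root, so path alone would not flag it.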