CVE-2020-9668
📋 TL;DR
This vulnerability in Adobe Genuine Service allows attackers to exploit improper access control when handling symbolic links, enabling privilege escalation. Unauthenticated attackers can gain elevated privileges within the current user's context. Users running Adobe Genuine Service version 6.6 or earlier are affected.
💻 Affected Systems
- Adobe Genuine Service
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through privilege escalation to SYSTEM/root level, allowing installation of malware, data theft, or persistence mechanisms.
Likely Case
Local privilege escalation allowing attackers to execute arbitrary code with higher privileges than their current user account.
If Mitigated
Limited impact with proper access controls and patching, restricting attackers to their original privilege level.
🎯 Exploit Status
The advisory states unauthenticated attackers can exploit this, suggesting relatively straightforward exploitation once the vulnerability is understood.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.7 or later
Vendor Advisory: https://helpx.adobe.com/security/products/integrity_service/apsb20-42.html
Restart Required: Yes
Instructions:
1. Open Adobe Genuine Service application.
2. Check for updates in settings.
3. If no update option, download latest version from Adobe website.
4. Install update.
5. Restart system.
🔧 Temporary Workarounds
Disable Adobe Genuine Service
Windows: Temporarily disable the service if patching is not immediately possible
sc stop AGSService
sc config AGSService start= disabled
Remove symbolic link creation privileges
All platforms: Restrict ability to create symbolic links to prevent exploitation
🧯 If You Can't Patch
- Implement strict access controls to limit who can create symbolic links on affected systems
- Monitor for unusual privilege escalation attempts and file system activities related to Adobe Genuine Service
🔍 How to Verify
Check if Vulnerable:
Check Adobe Genuine Service version in application settings or via 'AGSService --version' command
Check Version:
AGSService --version
Verify Fix Applied:
Verify version is 6.7 or later and test symbolic link handling with controlled test cases
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns involving Adobe Genuine Service directories
- Privilege escalation attempts in security logs
Network Indicators:
- None - this is a local privilege escalation vulnerability
SIEM Query:
EventID=4688 AND ProcessName LIKE '%AGSService%' AND NewProcessName NOT LIKE '%AGSService%'
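The SIEM query above, applied offline to exported events, as an added example (not code from the advisory or from Adobe). It assumes the query's ProcessName means the 4688 ParentProcessName field and that the service image is named AGSService.exe; the events and paths are constructed placeholders. It compares image file names rather than substrings of the full path, so a directory name can neither satisfy nor suppress the match.

```python
import json
import ntpath

# Constructed sample: Security 4688 events as JSON lines, the shape a log
# forwarder might emit. Paths are placeholders, not the real install location.
SAMPLE_EVENTS = r'''
{"EventID": 4688, "SubjectUserName": "SYSTEM", "ParentProcessName": "C:\\Placeholder\\Adobe\\AGSService.exe", "NewProcessName": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 4688, "SubjectUserName": "SYSTEM", "ParentProcessName": "C:\\Windows\\System32\\services.exe", "NewProcessName": "C:\\Placeholder\\Adobe\\AGSService.exe"}
{"EventID": 4688, "SubjectUserName": "SYSTEM", "ParentProcessName": "c:\\placeholder\\adobe\\agsservice.exe", "NewProcessName": "C:\\Placeholder\\AGSService\\helper.exe"}
{"EventID": 4688, "SubjectUserName": "alice", "ParentProcessName": "C:\\Windows\\explorer.exe", "NewProcessName": "C:\\Windows\\System32\\notepad.exe"}
{"EventID": 4688, "SubjectUserName": "SYSTEM", "NewProcessName": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 4624, "SubjectUserName": "alice"}
'''

# Assumed image name, derived from the service name the page gives.
SERVICE_IMAGE = "agsservice.exe"


def image_name(path):
    """Lower-cased file name of a Windows path ('' if the field is absent)."""
    return ntpath.basename(path or "").lower()


def triage(lines):
    """Return (hits, unattributed): children spawned by the service, and the
    count of 4688 events with no parent name, which cannot be evaluated."""
    hits, unattributed = [], 0
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4688:
            continue
        parent = image_name(ev.get("ParentProcessName"))
        child = image_name(ev.get("NewProcessName"))
        if not parent:
            unattributed += 1  # older hosts log only the creator PID
        elif parent == SERVICE_IMAGE and child != SERVICE_IMAGE:
            hits.append(ev["NewProcessName"])
    return hits, unattributed


if __name__ == "__main__":
    hits, unattributed = triage(SAMPLE_EVENTS)
    for h in hits:
        print("AGSService spawned:", h)
    print("4688 events without a parent name:", unattributed)
```

The third sample event is one the substring form of the query would drop, because the child's directory path contains the service name.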