CVE-2021-21086
📋 TL;DR
CVE-2021-21086 is an out-of-bounds write vulnerability in Adobe Acrobat Reader DC's CoolType library that allows arbitrary code execution when a user opens a malicious PDF file. Attackers can exploit this to run code with the victim's privileges, requiring user interaction through file opening. Users of affected Adobe Acrobat Reader DC versions are at risk.
💻 Affected Systems
- Adobe Acrobat Reader DC
📦 What is this software?
Acrobat by Adobe
Acrobat by Adobe
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the victim's computer, data theft, ransomware deployment, and lateral movement within the network.
Likely Case
Malware installation leading to data exfiltration, credential theft, or system disruption for individual users who open malicious PDFs.
If Mitigated
Limited impact with proper security controls like application sandboxing, least privilege, and network segmentation containing the damage to isolated systems.
🎯 Exploit Status
Exploitation requires user interaction (opening malicious PDF). Multiple proof-of-concepts and exploit chains have been publicly disclosed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2020.013.20075, 2020.001.30019, 2017.011.30189 and later
Vendor Advisory: https://helpx.adobe.com/security/products/acrobat/apsb21-09.html
Restart Required: Yes
Instructions:
1. Open Adobe Acrobat Reader DC. 2. Go to Help > Check for Updates. 3. Follow prompts to install available updates. 4. Restart the application when prompted.
🔧 Temporary Workarounds
Disable JavaScript in Adobe Reader
allPrevents JavaScript-based exploitation vectors that might be used in conjunction with this vulnerability
Edit > Preferences > JavaScript > Uncheck 'Enable JavaScript'
Use Protected View
allOpen PDFs in Protected View mode to limit potential damage from malicious files
File > Properties > Security > Enable Protected View
🧯 If You Can't Patch
- Block PDF files from untrusted sources at email gateways and web proxies
- Implement application whitelisting to prevent unauthorized code execution
🔍 How to Verify
Check if Vulnerable:
Check Adobe Acrobat Reader DC version via Help > About Adobe Acrobat Reader DC and compare against affected versionsCheck Version:
On Windows: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /? | findstr /i versionVerify Fix Applied:
Verify version is 2020.013.20075 or higher, 2020.001.30019 or higher, or 2017.011.30189 or higher📡 Detection & Monitoring
Log Indicators:
- Adobe Reader crash logs with CoolType.dll errors
- Windows Event Logs showing unexpected process creation from AcroRd32.exe
Network Indicators:
- Outbound connections from Adobe Reader process to suspicious IPs
- DNS requests for known malicious domains from user workstations
SIEM Query:
process_name:"AcroRd32.exe" AND (event_id:1 OR parent_process_name:"AcroRd32.exe")