CVE-2021-29096

7.8 HIGH

📋 TL;DR

A use-after-free vulnerability in Esri ArcGIS products allows arbitrary code execution when parsing a malicious raster file. The attacker needs no credentials, but the victim must open the crafted file (delivered by email, a web download, or a shared project); the payload then runs with that user's privileges. Affected products are ArcReader, ArcGIS Desktop, ArcGIS Engine, and ArcGIS Pro.

💻 Affected Systems

Products:
  • ArcReader
  • ArcGIS Desktop
  • ArcGIS Engine
  • ArcGIS Pro
Versions: ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 and earlier; ArcGIS Pro 2.7 and earlier
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable when processing specially crafted raster files.

📦 What is this software?

ArcGIS is Esri's geographic information system (GIS) platform. ArcGIS Desktop (ArcMap and ArcCatalog) and ArcGIS Pro are the Windows desktop applications analysts use to view, edit, and analyse spatial data; ArcGIS Engine is the developer runtime for embedding that functionality in custom applications; ArcReader is the free viewer for maps published from ArcGIS. All four open raster data, which is the file type that triggers this vulnerability.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the workstation via code execution in the user's session, leading to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case: A user opens a crafted raster file and the payload installs malware, steals credentials, or reads sensitive geospatial data that user has access to.

🟢 If Mitigated: Code still runs, but as a non-administrative user inside an application-control or sandboxed environment, so the damage stays within that user's data and access rather than becoming a system-wide compromise.

🌐 Internet-Facing: MEDIUM - Requires user interaction to open malicious files but can be delivered via email or web downloads.
🏢 Internal Only: HIGH - Internal users frequently share GIS files; exploitation could lead to lateral movement within enterprise networks.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN (no public PoC or in-the-wild exploitation reports are cited here)
Unauthenticated Exploit: ⚠️ Yes (no credentials needed, but the victim must open the file)
Complexity: MEDIUM

Exploitation requires user interaction to open malicious files but no authentication. Proof-of-concept details are not publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Esri's General Raster security patch for the 10.8.1 line (ArcGIS Desktop, ArcGIS Engine, ArcReader) and for ArcGIS Pro 2.7; ArcGIS Pro 2.8, ArcGIS Desktop 10.8.2, and later releases ship with the fix

Vendor Advisory: https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/

Restart Required: Yes

Instructions:

1. Download Esri's General Raster security patch for your installed release from the advisory linked above, or upgrade to a release that contains the fix (ArcGIS Pro 2.8, ArcGIS Desktop 10.8.2, or later).
2. Apply it to every affected installation, including ArcGIS Engine runtimes embedded in custom applications and ArcReader viewers, which are easy to miss in inventories.
3. Restart the systems after patching.
4. Verify the result. A patched 10.8.1 install still reports 10.8.1, so check for the installed patch as well as the release number.

🔧 Temporary Workarounds

Restrict file processing

windows

Block raster files from untrusted sources before they reach users: filter the formats this code parses (for example .tif, .img, .sid) at the mail gateway and web proxy, and apply application-control or file-type restrictions on the workstation. Raster data is core to GIS work, so scope the block to untrusted origins rather than banning the file types outright.

User privilege reduction

windows

Run ArcGIS applications as a standard, non-administrative user. This does not stop the exploit, which runs as whoever opened the file, but it keeps the payload from gaining system-wide access.

🧯 If You Can't Patch

  • Implement application whitelisting (for example AppLocker or Windows Defender Application Control) so a dropped payload cannot execute; note that this does not stop code running in memory inside the ArcGIS process itself
  • Deploy network segmentation to isolate ArcGIS workstations from critical assets and limit lateral movement after a compromise

🔍 How to Verify

Check if Vulnerable:

Compare the installed release of each product against the affected list above (ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 and earlier; ArcGIS Pro 2.7 and earlier). Check the Windows Application log for crashes of ArcGIS executables (Event ID 1000), which a malformed raster file can trigger.

Check Version:

In ArcGIS Desktop: Help → About ArcMap. In ArcGIS Pro: Project → About ArcGIS Pro. In ArcReader: Help → About ArcReader. ArcGIS Engine has no user interface of its own; read its version from the registry or its Programs and Features entry.

Verify Fix Applied:

Confirm that each product is on a release containing the fix (ArcGIS Desktop ≥10.8.2, ArcGIS Pro ≥2.8, or later) or, for a 10.8.1 or Pro 2.7 install, that Esri's General Raster security patch is listed under installed programs. The version dialog alone is not enough: a patched 10.8.1 still reports 10.8.1.
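As an added example (not Esri's tooling and not taken from the vendor advisory), the following PowerShell inventories the four products from the registry and applies the version logic above, including the patched-10.8.1 case. The registry keys, the RealVersion value, and the "General Raster" patch display name are assumptions; confirm them on one host you know is patched before relying on the script fleet-wide.

```powershell
# Added example, not Esri tooling. Assumptions (verify on a known-patched host):
#   - 32-bit products register under HKLM\SOFTWARE\WOW6432Node\ESRI, ArcGIS Pro under HKLM\SOFTWARE\ESRI
#   - the RealVersion value holds the installed release, e.g. "10.8.1" or "2.7.3"
#   - Esri's raster patch shows in Programs and Features with "General Raster" in its DisplayName

$Products = @(
    @{ Name = 'ArcGIS Desktop'; Key = 'HKLM:\SOFTWARE\WOW6432Node\ESRI\Desktop10.8';   Fixed = [version]'10.8.2' }
    @{ Name = 'ArcGIS Engine';  Key = 'HKLM:\SOFTWARE\WOW6432Node\ESRI\Engine10.8';    Fixed = [version]'10.8.2' }
    @{ Name = 'ArcReader';      Key = 'HKLM:\SOFTWARE\WOW6432Node\ESRI\ArcReader10.8'; Fixed = [version]'10.8.2' }
    @{ Name = 'ArcGIS Pro';     Key = 'HKLM:\SOFTWARE\ESRI\ArcGISPro';                 Fixed = [version]'2.8' }
)

function Get-GeneralRasterPatches {
    # Programs and Features entries from both the 64-bit and 32-bit registry views
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*General Raster*' } |
        Select-Object -ExpandProperty DisplayName
}

function Get-ArcGisRasterPatchStatus {
    $patches = @(Get-GeneralRasterPatches)
    foreach ($p in $Products) {
        if (-not (Test-Path $p.Key)) { continue }          # product not installed on this host
        $raw = (Get-ItemProperty -Path $p.Key -ErrorAction SilentlyContinue).RealVersion
        try   { $ver = [version]$raw } catch { $ver = $null }

        # A release at or above the fixed version needs no patch; an affected release is only
        # safe if the separate raster patch is present, otherwise it is still exposed.
        $status = if (-not $ver)                { 'UNKNOWN: no parseable RealVersion' }
                  elseif ($ver -ge $p.Fixed)    { 'FIXED: release includes the fix' }
                  elseif ($patches.Count -gt 0) { 'PATCHED: General Raster patch present, confirm it matches this product' }
                  else                          { 'VULNERABLE: affected release and no raster patch found' }

        [pscustomobject]@{
            Product = $p.Name
            Version = $raw
            Status  = $status
            Patches = ($patches -join '; ')
        }
    }
}

Get-ArcGisRasterPatchStatus | Format-Table -AutoSize
```

Run it with administrative rights on each workstation, or wrap `Get-ArcGisRasterPatchStatus` in `Invoke-Command` for a fleet. The PATCHED state deliberately shows the matched patch names rather than trusting them blindly, because one host may carry the Desktop patch but not the Engine one.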

📡 Detection & Monitoring

Log Indicators:

  • Crashes of ArcMap.exe, ArcCatalog.exe, ArcGISPro.exe, or ArcReader.exe (Windows Application log, Event ID 1000, often with exception code 0xc0000005), especially right after a file from outside the organisation was opened
  • Child processes such as cmd.exe, powershell.exe, rundll32.exe, or mshta.exe spawned by an ArcGIS process
  • Unusual network connections from ArcGIS processes

Network Indicators:

  • Outbound connections from ArcGIS processes to unknown IPs shortly after a raster file was opened
  • Unusual data exfiltration patterns from GIS workstations

SIEM Query (Splunk SPL; index, sourcetype, and field names follow the Splunk add-ons for Windows and Sysmon and are placeholders for your environment):

index=wineventlog sourcetype="WinEventLog:Application" SourceName="Application Error" EventCode=1000
| regex Message="(?i)(ArcMap|ArcCatalog|ArcGISPro|ArcReader)\.exe"

index=sysmon EventCode=1 ParentImage IN ("*\\ArcMap.exe", "*\\ArcCatalog.exe", "*\\ArcGISPro.exe", "*\\ArcReader.exe")
| table _time host User ParentImage Image CommandLine

Matching on raster extensions (.tif, .img, .sid) only works if file-open telemetry (object access auditing or EDR file events) is ingested; the crash and child-process signals above need only standard Windows and Sysmon logs.
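For a host without a SIEM, or to validate the query above against a single workstation, the following PowerShell is an added example (not from the page or from Esri) that pulls the same two signals straight from the event logs: ArcGIS executables crashing, and ArcGIS executables spawning child processes. It assumes the Event ID 1000 property layout used by the Application Error source and that Sysmon writes to its default channel.

```powershell
# Added example, not from the page or Esri. Collects the two host-side signals a parsing
# use-after-free exploit leaves behind: ArcGIS executables crashing (Application Error, Event
# ID 1000) and ArcGIS executables spawning children (Sysmon Event ID 1).
# Assumptions: Event 1000 properties are 0 = faulting image, 3 = faulting module,
# 6 = exception code; Sysmon logs to Microsoft-Windows-Sysmon/Operational.

$ArcGisImages = 'ArcMap.exe', 'ArcCatalog.exe', 'ArcGISPro.exe', 'ArcReader.exe'
$Since = (Get-Date).AddDays(-7)

function Get-ArcGisCrashes {
    $filter = @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $image = [string]$_.Properties[0].Value
        if ($ArcGisImages -contains $image) {          # -contains is case-insensitive
            [pscustomobject]@{
                Time           = $_.TimeCreated
                Image          = $image
                FaultingModule = $_.Properties[3].Value
                ExceptionCode  = $_.Properties[6].Value  # 0xc0000005 (access violation) is typical of a UAF
                Computer       = $_.MachineName
            }
        }
    }
}

function Get-ArcGisChildProcesses {
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read EventData by field name rather than position; Sysmon field order varies by version
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data['ParentImage']) {
            $parent = Split-Path -Leaf $data['ParentImage']
            if ($ArcGisImages -contains $parent) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Parent      = $parent
                    Child       = $data['Image']
                    CommandLine = $data['CommandLine']
                    User        = $data['User']
                }
            }
        }
    }
}

Get-ArcGisCrashes        | Format-Table -AutoSize
Get-ArcGisChildProcesses | Format-Table -AutoSize -Wrap
```

Expect legitimate noise in the child-process list: ArcGIS launches its own helpers (for example python.exe for geoprocessing), so baseline a clean workstation before alerting on it. The strong signal is the combination: an access-violation crash of an ArcGIS process followed within minutes by that process, or a re-launched copy of it, starting a shell or script host.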

🔗 References
