CVE-2021-29097
📋 TL;DR
Multiple buffer overflow vulnerabilities in Esri's ArcGIS products allow arbitrary code execution when parsing malicious files. Unauthenticated attackers can exploit these flaws to run code with the privileges of the current user. Affected products include ArcReader, ArcGIS Desktop, ArcGIS Engine, and ArcGIS Pro.
💻 Affected Systems
- ArcReader
- ArcGIS Desktop
- ArcGIS Engine
- ArcGIS Pro
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise leading to data theft, lateral movement, and persistent backdoor installation.
Likely Case
Local privilege escalation or malware execution on individual workstations.
If Mitigated
Limited impact if systems are patched, use least privilege, and restrict file processing.
🎯 Exploit Status
Exploitation requires user interaction to open malicious files, but no authentication is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ArcGIS Desktop 10.8.2, ArcGIS Engine 10.8.2, ArcGIS Pro 2.8
Vendor Advisory: https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/
Restart Required: Yes
Instructions:
1. Download patches from Esri's website.
2. Apply patches to all affected systems.
3. Restart systems after installation.
4. Verify patch installation.
🔧 Temporary Workarounds
Restrict file processing
Block processing of untrusted raster files through application controls or group policy.
Use least privilege
Run ArcGIS applications with non-administrative accounts to limit exploit impact.
🧯 If You Can't Patch
- Isolate affected systems from critical networks and internet access.
- Implement application whitelisting to prevent execution of unauthorized code.
🔍 How to Verify
Check if Vulnerable:
Check installed version against affected ranges in ArcGIS About dialog.
Check Version:
In ArcGIS: Help > About ArcGIS [Product]
Verify Fix Applied:
Confirm version is 10.8.2 or higher for Desktop/Engine, or 2.8 or higher for Pro.
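The version comparison above is easy to get wrong when done by eye or with plain string comparison (for example, "2.10" sorts before "2.8" as a string, and the About dialog may append a build number). The following is an added helper, not part of this advisory or of any Esri tooling, that compares an installed version string against the fixed versions stated above. The product names and the build-suffix format are assumptions for the example; ArcReader is listed as affected but the advisory gives no fixed version for it, so the helper reports that explicitly instead of guessing.

```python
"""Version check helper (added example; not Esri code).

Fixed versions come from the advisory: ArcGIS Desktop/Engine 10.8.2 and
ArcGIS Pro 2.8. ArcReader is affected but has no fixed version listed.
"""
import re
from typing import Optional, Tuple

# Product names and fixed versions as stated in the advisory. Product-name
# spellings are an assumption; match them to how your inventory records them.
FIXED_VERSIONS = {
    "ArcGIS Desktop": "10.8.2",
    "ArcGIS Engine": "10.8.2",
    "ArcGIS Pro": "2.8",
}

# Products the advisory lists as affected but without a fixed version.
AFFECTED_NO_FIX = {"ArcReader"}

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Extract the leading dotted numeric version from a string.

    Accepts the raw About-dialog text, e.g. "10.8.1 (Build 12345)" -> (10, 8, 1).
    The "(Build N)" suffix format is an assumption for this example.
    """
    match = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def compare_versions(a: Version, b: Version) -> int:
    """Numeric, component-wise comparison; missing components count as 0,
    so (2, 8) == (2, 8, 0) and (2, 10) > (2, 8)."""
    width = max(len(a), len(b))
    a_padded = a + (0,) * (width - len(a))
    b_padded = b + (0,) * (width - len(b))
    return (a_padded > b_padded) - (a_padded < b_padded)


def is_patched(product: str, installed: str) -> Optional[bool]:
    """True if the installed version is at or above the fixed version,
    False if it is below, None if the advisory lists no fixed version
    for the product (so the check cannot be answered from this page)."""
    if product in AFFECTED_NO_FIX:
        return None
    fixed = FIXED_VERSIONS[product]  # KeyError for products not in the advisory
    return compare_versions(parse_version(installed), parse_version(fixed)) >= 0


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [
        ("ArcGIS Desktop", "10.8.1 (Build 14362)"),
        ("ArcGIS Desktop", "10.8.2"),
        ("ArcGIS Pro", "2.7.3"),
        ("ArcGIS Pro", "2.10"),
        ("ArcReader", "10.8.1"),
    ]
    for product, version in inventory:
        print(f"{product:15} {version:22} patched={is_patched(product, version)}")
```

Treat a `None` result as "verify against the vendor advisory directly": the page does not state a fixed ArcReader version, and the helper deliberately does not invent one.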
📡 Detection & Monitoring
Log Indicators:
- Unexpected process crashes
- Suspicious file parsing errors
- Unusual child process creation from ArcGIS executables
Network Indicators:
- Outbound connections from ArcGIS processes to unknown IPs
- Unexpected file downloads to ArcGIS systems
SIEM Query:
Process creation where parent_process_name contains 'ArcGIS' and (process_name contains 'cmd.exe' or process_name contains 'powershell.exe')
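The query above is written in SIEM pseudocode. Below is an added example, not part of this advisory, that applies the same logic in Python over process-creation events so it can be tested offline before being translated into a SIEM rule. The event schema (Sysmon-style `Image`/`ParentImage` fields in JSON lines) and the sample events are constructed for the example. It goes slightly beyond the page's query in two ways, both assumptions to verify against your own inventory: it matches the ArcGIS Desktop and ArcReader executables by name (`ArcMap.exe`, `ArcCatalog.exe`, `ArcReader.exe`), which a bare substring match on "ArcGIS" would miss, and it treats `pwsh.exe` as a PowerShell interpreter alongside `powershell.exe`.

```python
"""Detection example (added; not part of the advisory).

Flags process-creation events where an ArcGIS application spawns a command
interpreter, mirroring the SIEM query in the advisory. Field names follow a
Sysmon-style JSON-lines export and are an assumption for this example.
"""
import json
import ntpath
from typing import Dict, Iterable, List

# Parent executables to treat as ArcGIS applications. The explicit names are an
# assumption (ArcMap/ArcCatalog for Desktop, ArcReader, ArcGISPro for Pro);
# anything whose image name contains "arcgis" is also matched, as in the query.
ARCGIS_PARENT_NAMES = {"arcmap.exe", "arccatalog.exe", "arcreader.exe", "arcgispro.exe"}

# Child interpreters of interest: cmd/powershell from the advisory, pwsh added.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def image_name(path: str) -> str:
    """Lower-cased basename of a Windows image path; ntpath handles backslashes on any OS."""
    return ntpath.basename(path or "").lower()


def is_arcgis_parent(parent_image: str) -> bool:
    name = image_name(parent_image)
    return "arcgis" in name or name in ARCGIS_PARENT_NAMES


def is_interpreter(image: str) -> bool:
    return image_name(image) in INTERPRETERS


def flag_event(event: Dict) -> bool:
    """True when an ArcGIS parent spawns a command interpreter."""
    return is_arcgis_parent(event.get("ParentImage", "")) and is_interpreter(event.get("Image", ""))


def scan(lines: Iterable[str]) -> List[Dict]:
    """Run the rule over JSON-lines events; malformed lines are skipped, not fatal."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if flag_event(event):
            hits.append({
                "time": event.get("UtcTime"),
                "host": event.get("Computer"),
                "parent": event.get("ParentImage"),
                "image": event.get("Image"),
                "cmdline": event.get("CommandLine"),
            })
    return hits


# Constructed sample events (not from a real host). Two should match, three should not,
# and one line is deliberately malformed to exercise the skip path.
SAMPLE_EVENTS = r"""
{"UtcTime":"2021-06-01 09:12:03","Computer":"GIS-WS01","ParentImage":"C:\\Program Files (x86)\\ArcGIS\\Desktop10.8\\bin\\ArcMap.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c whoami"}
{"UtcTime":"2021-06-01 09:12:05","Computer":"GIS-WS01","ParentImage":"C:\\Program Files\\ArcGIS\\Pro\\bin\\ArcGISPro.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -nop -w hidden"}
{"UtcTime":"2021-06-01 09:13:10","Computer":"GIS-WS01","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe"}
{"UtcTime":"2021-06-01 09:14:00","Computer":"GIS-WS01","ParentImage":"C:\\Program Files\\ArcGIS\\Pro\\bin\\ArcGISPro.exe","Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe"}
this line is not JSON
"""


def scan_sample() -> List[Dict]:
    return scan(SAMPLE_EVENTS.splitlines())


if __name__ == "__main__":
    for hit in scan_sample():
        print(hit)
```

Before deploying the rule, baseline it: ArcGIS Pro legitimately launches other helper processes, so review what the rule actually matches on a known-clean workstation and tune the parent and child lists rather than the advisory's substring alone.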
🔗 References
- https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/
- https://www.zerodayinitiative.com/advisories/ZDI-21-360/
- https://www.zerodayinitiative.com/advisories/ZDI-21-363/
- https://www.zerodayinitiative.com/advisories/ZDI-21-364/
- https://www.zerodayinitiative.com/advisories/ZDI-21-365/
- https://www.zerodayinitiative.com/advisories/ZDI-21-367/
- https://www.zerodayinitiative.com/advisories/ZDI-21-368/
- https://www.zerodayinitiative.com/advisories/ZDI-21-369/
- https://www.zerodayinitiative.com/advisories/ZDI-21-371/