CVE-2023-38245 in Acrobat Reader
Summary
by MITRE • 08/10/2023
Adobe Acrobat Reader versions 23.003.20244 (and earlier) and 20.005.30467 (and earlier) are affected by an Information Disclosure vulnerability. An unauthenticated attacker could leverage this vulnerability to obtain NTLMv2 credentials. Exploitation of this issue requires user interaction in that a victim must open a maliciously crafted Microsoft Office file, or visit an attacker controlled web page.
Analysis
by VulDB Data Team • 08/10/2023
Adobe Acrobat Reader versions 23.003.20244 and earlier, and 20.005.30467 and earlier, contain an information disclosure vulnerability that lets an unauthenticated, remote attacker obtain a user's NTLMv2 challenge-response (commonly called the Net-NTLMv2 hash). The flaw is triggered when a user opens a maliciously crafted Microsoft Office file or visits an attacker-controlled web page, which makes it a natural payload for phishing campaigns and drive-by attacks: the victim only has to open or browse to the lure, and the credential material leaves the network without any prompt.
The public description does not name the exact trigger; the weakness is of the forced-authentication kind. A crafted document or page causes Acrobat Reader to resolve an external reference or embedded object (for example a UNC path or a WebDAV URL) that points at an attacker-controlled host, and because the application does not validate or block such references, Windows transparently attempts NTLM single sign-on to that host. The attacker's server issues the NTLM challenge and records the client's reply, which contains the NTLMv2 response computed from the user's NT hash over the server challenge. That captured challenge-response can then be cracked offline to recover the password or relayed to another service during the live exchange. The issue is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and is a textbook case of a document viewer acting as a credential-harvesting vector.
The operational impact of CVE-2023-38245 goes beyond simple information disclosure. One point needs precision: what leaks is a Net-NTLMv2 challenge-response, not the NT hash itself, so it cannot be used for pass-the-hash. An attacker has two routes to turn it into access: crack it offline (it is a keyed HMAC-MD5 over the challenge, so each password guess is cheap to test and weak passwords fall quickly), or relay it in real time to an SMB, LDAP or HTTP service that does not enforce signing or channel binding, gaining the victim's privileges on that service for the duration of the session. Either route supports lateral movement and, if the victim is privileged, escalation. The requirement for user interaction makes this hard to defend against, since it rides on the same lures as any phishing campaign. In ATT&CK terms the technique is T1187 (Forced Authentication), delivered via T1566 (Phishing, with T1566.001 Spearphishing Attachment or T1566.002 Spearphishing Link); the follow-on is T1557.001 (LLMNR/NBT-NS Poisoning and SMB Relay) for the relay case, T1110.002 (Password Cracking) for the offline case, and T1078 (Valid Accounts) once a password has been recovered.
Organizations should update Acrobat Reader to the fixed releases from Adobe's August 2023 bulletin as the primary fix. Network controls that actually address this class of bug are not web application firewalls but egress filtering: block outbound SMB (TCP 445) and NetBIOS (TCP 139) to the internet at the perimeter, and restrict or proxy outbound WebDAV, so a forced authentication never reaches the attacker's listener. On the endpoint, the Group Policy setting "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" (audit first, then deny with an allow-list) stops the client from offering NTLM to untrusted hosts, and requiring SMB signing plus LDAP channel binding and signing on internal services blunts the relay route even when a capture succeeds. Endpoint detection and response tooling should alert on Acrobat processes initiating outbound connections to port 445 or WebDAV ports on external addresses, and on NTLM authentication to hosts outside the domain. User awareness training on suspicious Office documents and links, together with attachment filtering at the mail gateway, reduces the chance the lure is opened in the first place. The issue is a reminder that document viewers are network clients, and that a patch management process that can roll out reader updates promptly is the cheapest control available.