Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Adobe Patches Incomplete Fix for NTLM Credential Leaking Bug (CVE-2018-15979)

Researchers have reported an incomplete fix for CVE-2018-4993, an NTLM credential leaking vulnerability that was supposed to be patched in May 2018. Adobe has now released a complete fix.

Background

On November 13, Adobe published its monthly security bulletins as part of its monthly release cycle in conjunction with Microsoft’s Patch Tuesday. The November security bulletins include a fix for a vulnerability that was believed to have been patched in May 2018’s security bulletins. However, security researchers at EdgeSpot discovered that the May 2018 fix was incomplete.

Vulnerability details

Researchers at Check Point Software Technologies originally reported this vulnerability to Adobe earlier in 2018. The vulnerability, CVE-2018-4993, is an information disclosure bug that leaks NT LAN Manager (NTLM) credentials through a feature of Portable Document Files (PDFs) that allows embedding remote documents and files. These credentials can be leaked when an attacker sends a specially crafted PDF file to a victim and includes the NTLM hash and challenge along with user and domain details.

Source: Checkpoint

Adobe reportedly patched this vulnerability in May 2018 as part of its security bulletin, APSB18-09. However, researchers at EdgeSpot, makers of an exploit detection service, determined that the May 2018 patch for CVE-2018-4993 was incomplete. The researchers examined two malicious PDF files (here and here) submitted to VirusTotal in May 2018 and determined the vulnerability still works using the latest version of Adobe Reader.

It appears that when Adobe issued their patch for this vulnerability in May 2018, it only patched one of two action types required when embedding remote documents and files. The two action types are:

  • GoToR (GoToRemote)
  • GoToE (GoToEmbedded)

EdgeSpot researchers say Adobe only patched GoToR and not GoToE based on the malicious PDF files they examined, both of which contained the GoToE action type. After reporting this to Adobe in early November, it was identified as a new CVE, CVE-2018-15979 and patched in Adobe’s November security bulletins.

Urgently required actions

Customers and users are strongly advised to upgrade to the latest versions of Adobe Acrobat and Acrobat Reader, which can be found here.

Identifying affected systems

A list of Nessus plugins to identify this vulnerability can be found here.

Get more information

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io

FREE FOR 60 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,190.00

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 60 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578.00

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 60 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security