
Patch Your Adobe Shockwave Player: Fortinet Discovers Seven Zero-Day Remote Code Execution Vulnerabilities

By Honggang Ren | April 11, 2019

A FortiGuard Labs Breaking Threat Research Report

On April 9, 2019, Adobe released security bulletin APSB19-20, which patches seven vulnerabilities in Adobe Shockwave Player. All seven were discovered by FortiGuard Labs researcher Honggang Ren and reported to Adobe under Fortinet’s responsible disclosure process. The CVE numbers assigned to them are CVE-2019-7098, CVE-2019-7099, CVE-2019-7100, CVE-2019-7101, CVE-2019-7102, CVE-2019-7103 and CVE-2019-7104.

All seven vulnerabilities can lead to remote code execution and have been rated Critical by Adobe. The same bulletin also announces the end of the product: “Effective April 9, 2019, Adobe Shockwave will be discontinued and the Shockwave player for Windows will no longer be available for download. Companies with existing Enterprise licenses for Adobe Shockwave continue to receive support until the end of their current contracts.”

Because the player is being discontinued, this is the last update most users will receive. We strongly recommend applying it immediately, and removing Shockwave Player altogether on systems that no longer need it, since an uninstalled plugin cannot be exploited. In this post we provide more details on these vulnerabilities:

Vulnerabilities Overview

  • CVE-2019-7098, CVE-2019-7099

CVE-2019-7098 and CVE-2019-7099 are memory corruption vulnerabilities in DIRAPI.dll, the Adobe Shockwave Player library that processes .dir (Director movie) files. Both are triggered when the library fails to properly handle a malformed .dir file, and both can be leveraged for remote code execution.

User interaction is required to exploit these vulnerabilities: the victim must open the malformed file. An attacker who succeeds can execute arbitrary code inside the victim’s Internet Explorer process that hosts Shockwave Player, with the privileges of the currently logged-on user.

  • CVE-2019-7100, CVE-2019-7101, CVE-2019-7102, CVE-2019-7103, CVE-2019-7104

CVE-2019-7100, CVE-2019-7101, CVE-2019-7102, CVE-2019-7103 and CVE-2019-7104 are memory corruption vulnerabilities in TextXtra.x32, a plug-in module (Xtra) loaded by Adobe Shockwave Player. Each is triggered when the module fails to properly handle a malformed .dir file, and each can be leveraged for remote code execution.

As with the DIRAPI.dll issues, user interaction is required: the victim must open the malformed file. An attacker who succeeds can execute arbitrary code inside the victim’s Internet Explorer process that hosts Shockwave Player, with the privileges of the currently logged-on user.

Attack Scenario

To exploit any of the above vulnerabilities, a user must open a specially crafted .dir file with a vulnerable version of Adobe Shockwave Player. In an email attack scenario, the attacker sends the crafted file as an attachment and convinces the user to open it. In a web-based attack scenario, the attacker hosts the crafted file on a website they control, or on a compromised website or one that accepts user-provided content, and lures the user to that page.
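Both delivery paths hand the player a .dir file, so a mail gateway or upload handler can at least recognise a Director movie by its structure rather than by its file extension, and reject files whose container headers are inconsistent with their size. The following Python is an added example written for this post, not Fortinet’s or Adobe’s code, and it does not model the specific parsing flaws behind these CVEs, which the bulletin does not describe. It assumes the Director container layout (a RIFX or XFIR magic, a 32-bit length, a form type such as MV93, then RIFF-style chunks padded to even length); the sample files are constructed inline.

```python
"""Identify Adobe Director/Shockwave movie containers by content and flag
structural inconsistencies in their headers.

Added example for this post, not code from Fortinet or Adobe. Assumptions:
  * A Director movie starts with b"RIFX" (big-endian) or b"XFIR"
    (little-endian), a 32-bit container length, and a four-byte form type.
  * Top-level content is a sequence of RIFF-style chunks: 4-byte id, 32-bit
    length, payload, one pad byte after an odd-length payload.
  * The form types below cover uncompressed, protected and compressed
    Shockwave movies; extend the set if you see others in your environment.
"""
import os
import struct

MAGIC_TO_ENDIAN = {b"RIFX": ">", b"XFIR": "<"}
DIRECTOR_FORM_TYPES = {b"MV93", b"MC95", b"FGDM", b"FGDC"}
DIRECTOR_EXTENSIONS = {".dir", ".dxr", ".dcr"}


def parse_container(data: bytes) -> dict:
    """Parse the container header and walk top-level chunks.

    Returns is_director, form_type, the list of (id, offset, length) chunks
    and a list of findings. Walking stops at the first chunk whose declared
    length overruns the buffer; that is exactly the kind of inconsistency a
    hardened parser must check before trusting a length field.
    """
    findings, chunks = [], []
    if len(data) < 12:
        return {"is_director": False, "form_type": None, "chunks": chunks,
                "findings": ["shorter than a 12-byte RIFX header"]}
    endian = MAGIC_TO_ENDIAN.get(data[:4])
    if endian is None:
        return {"is_director": False, "form_type": None, "chunks": chunks, "findings": findings}
    (declared,) = struct.unpack(endian + "I", data[4:8])
    form_type = data[8:12]
    is_director = form_type in DIRECTOR_FORM_TYPES
    if not is_director:
        findings.append(f"RIFX container with non-Director form type {form_type!r}")
    # The RIFF-style length covers everything after the 8-byte magic+length header.
    if declared != len(data) - 8:
        findings.append(f"declared length {declared} != actual {len(data) - 8}")
    off, overrun = 12, False
    while off + 8 <= len(data):
        cid = data[off:off + 4]
        (clen,) = struct.unpack(endian + "I", data[off + 4:off + 8])
        remaining = len(data) - (off + 8)
        if clen > remaining:
            findings.append(f"chunk {cid!r} at offset {off} declares {clen} bytes "
                            f"but only {remaining} remain")
            overrun = True
            break
        chunks.append((cid, off, clen))
        off += 8 + clen + (clen & 1)  # odd payloads are padded to even length
    if not overrun and off < len(data):
        findings.append(f"{len(data) - off} trailing bytes after the last chunk")
    return {"is_director": is_director, "form_type": form_type,
            "chunks": chunks, "findings": findings}


def classify(filename: str, data: bytes) -> str:
    """Content-based verdict for a delivered file; the extension is never trusted."""
    info = parse_container(data)
    if not info["is_director"]:
        return "other"
    if info["findings"]:
        return "malformed-director"
    if os.path.splitext(filename)[1].lower() not in DIRECTOR_EXTENSIONS:
        return "director-renamed"   # a Director movie hiding behind another extension
    return "director"


def build_container(magic: bytes, form_type: bytes, chunks) -> bytes:
    """Assemble a well-formed container from (id, payload) pairs (constructed test data)."""
    endian = MAGIC_TO_ENDIAN[magic]
    body = form_type
    for cid, payload in chunks:
        body += cid + struct.pack(endian + "I", len(payload)) + payload
        if len(payload) & 1:
            body += b"\x00"
    return magic + struct.pack(endian + "I", len(body)) + body


# Constructed samples, not real Director output: a minimal little-endian movie
# with two placeholder chunks, and a copy whose second chunk (header at
# offset 44, length field at offset 48) claims far more bytes than exist.
SAMPLE_OK = build_container(b"XFIR", b"MV93",
                            [(b"imap", b"\x00" * 24), (b"mmap", b"\x01" * 13)])
_bad = bytearray(SAMPLE_OK)
struct.pack_into("<I", _bad, 48, 0xFFFF0000)
SAMPLE_BAD = bytes(_bad)

if __name__ == "__main__":
    for name, blob in [("movie.dir", SAMPLE_OK), ("holiday.pdf", SAMPLE_OK),
                       ("movie.dir", SAMPLE_BAD), ("movie.dir", b"%PDF-1.4 " + b"\x00" * 20)]:
        print(f"{name:12s} -> {classify(name, blob):20s} {parse_container(blob)['findings']}")
```

Treat this as a pre-filter only: an attacker can craft a file that is structurally consistent and still triggers one of these bugs, so the controls that actually close the hole are the patch, the IPS signature named below, or removing the player.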

Solution

All users of vulnerable versions of Adobe Shockwave Player should upgrade to the latest version immediately. Organizations that have deployed Fortinet IPS solutions have already been protected against these vulnerabilities by the following signature, which was released before Adobe’s patches became available:

Adobe.Shockwave.Player.Multiple.Memory.Corruption
