Multiple Critical (CVE-2023-29308) Vulnerabilities Discovered in Adobe InDesign
A series of important zero-day vulnerabilities in Adobe InDesign has been discovered recently, and promptly reported to Adobe. In response, Adobe has released security patches on July 11, 2023, addressing these vulnerabilities.
Affected Adobe Platforms and Versions
Users of Adobe InDesign 2023 version 18.3 and earlier, as well as users of Adobe InDesign 2022 version 17.4.1 and earlier, are vulnerable to exploitation. The vulnerabilities arise when decoding QuarkXPress Drawing ‘QXD’ files. Both Windows and macOS platforms are impacted.
Details of Vulnerabilities in Adobe InDesign
The vulnerabilities, namely CVE-2023-29308 to CVE-2023-29319, have been assigned a High or Medium severity level on National Vulnerability Database (NVD). Each vulnerability stems from a distinct root cause related to a single InDesign plugin. These vulnerabilities can result in memory leaks or arbitrary code execution, posing significant risks to affected users.
- CVE-2023-29308: The vulnerability has a CVSS score of 7.8 (High severity) and allows attackers to execute arbitrary code within the application’s context via a crafted QXD file.
The following vulnerabilities have CVSS scores of 5.5 and are classified as Medium severity:
- CVE-2023-29309: Out-of-Bounds Read vulnerability, enabling attackers to leak sensitive information within the application through a malformed QXD file.
- CVE-2023-29310: Out-of-Bounds Read vulnerability, leading to the leakage of sensitive information within the application’s context via a malformed QXD file.
- CVE-2023-29311: Out-of-Bounds Read vulnerability, allowing attackers to extract sensitive information within the application through a malformed QXD file.
- CVE-2023-29312: Out-of-Bounds Read vulnerability, resulting in the unauthorized access and retrieval of sensitive information within the application via a crafted QXD file.
- CVE-2023-29313: Out-of-Bounds Read vulnerability, enabling attackers to obtain sensitive information within the application’s context through a malformed QXD file.
- CVE-2023-29314:Out-of-Bounds Read vulnerability, leading to the disclosure of sensitive information within the application via a crafted QXD file.
- CVE-2023-29315: Out-of-Bounds Read vulnerability, allowing attackers to extract sensitive information within the application’s context through a malformed QXD file.
- CVE-2023-29316: Out-of-Bounds Read vulnerability, resulting in the unauthorized access and retrieval of sensitive information within the application via a crafted QXD file.
- CVE-2023-29317: Out-of-Bounds Read vulnerability, enabling attackers to obtain sensitive information within the application’s context through a malformed QXD file.
- CVE-2023-29318: Out-of-Bounds Read vulnerability, leading to the disclosure of sensitive information within the application via a crafted QXD file.
- CVE-2023-29319: Out-of-Bounds Read vulnerability, allowing attackers to extract sensitive information within the application’s context through a malformed QXD file.
Immediate Action Required
To safeguard your system, it is crucial to apply the Adobe security patch without delay. Fortinet strongly advises users to update their Adobe InDesign installations to the latest patched versions: ID18.4 for Windows and macOS, and ID17.4.2 for Windows and macOS.
Further Information and Protection
For more detailed information on each vulnerability, please refer to the Fortinet blog written by Yonghui Han of Fortinet, who discovered the zero-day vulnerabilities. Fortinet has also shared IPS signatures specific to each vulnerability for mitigation.
Stay Secure and Updated
Organizations can leverage SOCRadar’sSupply Chain Intelligence to proactively monitor and assess the security posture of their software supply chain, including vendors like Adobe, to mitigate the risks associated with such vulnerabilities.