Cisco Talos’ Vulnerability Research team recently discovered 11 vulnerabilities in Microsoft Windows CLIPSP.SYS and Adobe Acrobat Reader that were all disclosed this week as part of the company’s regular security updates.
For more on Patch Tuesday, check out Talos’ blog post here.
Eight of the vulnerabilities affect the license update feature for CLIPSP.SYS, a driver used to implement Client License System Policy on Windows 10 and 11. The three others are use-after-free or out-of-bounds read vulnerabilities in Adobe Acrobat Reader, one of the most popular PDF readers on the market currently.
Microsoft and Adobe have patched the issues mentioned in this blog post, all in adherence to Cisco’s third-party vulnerability disclosure policy, while LevelOne has declined to release a fix.
For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.
Multiple vulnerabilities in Windows CLIPSP.SYS
Discovered by Philippe Laulheret.
CLIPSP.SYS is a driver in Windows 10 and 11 that implements the Client License System Policy. The process of updating this license can be exploited by an adversary to carry out several different exploits.
Talos discovered three issues, TALOS-2024-1971 (CVE-2024-38062) and TALOS-2024-1970 (CVE-2024-38062) and TALOS-2024-1969 (CVE-2024-38187), an adversary could exploit by sending the targeted system a specially crafted license blob, which could lead to a denial of service.
TALOS-2024-1964 (CVE-2024-38184) is exploited in the same way, but in this case, could allow the adversary to bypass the usual security checks that take place and allow them to tamper with the license. By tampering with the license, an adversary could change its properties such as when the license expires, or even create a new license that could then be used with other applications downloaded from the Windows store.
Two out-of-bounds write vulnerabilities, TALOS-2024-1966 (CVE-2024-38186) and TALOS-2024-1988 (CVE-2024-38062), could lead to privilege escalation. And in both cases, the vulnerable functions could play into a sandbox escape attack.
TALOS-2024-1965 (CVE-2024-38185) and TALOS-2024-1968 (CVE-2024-38062) are also out-of-bounds read vulnerabilities, but in their cases, lead to the disclosure of sensitive information and an out-of-bounds kernel read, respectively.
Adobe Acrobat Reader vulnerability could lead to remote code execution
Discovered by KPC.
Adobe Acrobat Reader contains three vulnerabilities, one of which could allow an attacker to execute arbitrary code.
TALOS-2024-2002 (CVE-2024-41832) and TALOS-2024-2003 (CVE-2024-41835) exist in the CoolType font processor in Reader. An adversary could embed a specially crafted font in a PDF, and then trick the targeted user into opening that PDF, to exploit these vulnerabilities.
This could allow the adversary to view sensitive contents of arbitrary memory, which could aid in further exploitation and exploit mitigation bypass.
TALOS-2024-2009 (CVE-2024-41830) is the most serious of the issues Talos discovered, with a CVSS score of 8.8 out of 10. If an adversary tricks a user into opening a specially crafted PDF, malicious JavaScript code in the PDF could trigger the reuse of a previously freed object, leading to memory corruption and potentially arbitrary code execution.