Details of RCE Bug in Adobe Experience Manager Revealed

Disclosure of a bug in Adobe’s content-management solution – used by Mastercard, LinkedIn and PlayStation – were released.

Details of an Adobe zero-day bug found in its content-management solution Adobe Experience Manager (AEM), which affected customers ranging from Mastercard, LinkedIn and PlayStation, were revealed Monday.

The bug, patched in May, allowed hackers to bypass authentication protection and execute code remotely on vulnerable AEM installs.

Researchers in the ethical-hacking community Detectify Crowdsource identified the flaw in the CRX Package Manager component of Adobe’s AEM. AEM is an enterprise-class tool for creating and managing websites, mobile apps and online forums.

“This bug allows attackers to bypass authentication and gain access to CRX Package Manager,” researchers wrote in a blog post about the vulnerability published Monday. “Packages enable the importing and exporting of repository content, and the Package Manager can be used for configuring, building, downloading, installing and deleting packages on local AEM installations.”

Detectify Crowdsource members, identified as Ai Ho and Bao Bui, first discovered the vulnerability in December 2020 in an instance of AEM used by Sony Interactive Entertainment’s PlayStation subsidiary. Three months later, the AEM CRX bypass was also identified within multiple subdomains used by Mastercard. Both Sony and Mastercard were notified of the bugs at the time.

It wasn’t until a series of tests and validation of the flaw by Detectify that Adobe was notified of the bug on March 25. On May 6, Adobe issued a patch for its AEM platform.

According to researchers, if the vulnerability is left unpatched, attackers can easily access the CRX Package Manager to upload a malicious package within the context of Adobe’s AEM solution and execute a remote-code execution attack to “gain full control of the application,” researchers observed.

Bug Mechanics 

Once the patch was made available, Detectify researchers released a test module so organizations can identify if their implementation of AEM was affected by the flaw. So far, the tool has identified about 30 instances of the AEM CRX Bypass vulnerability in customers’ web applications, they said.

The vulnerability occurs at CRX package “/crx/packmgr/” endpoints such as “/crx/packmgr/groups.jsp”, researchers explained in the post. Threat actors can bypass authentication in Dispatcher, AEM’s caching and load-balancing tools, to access CRX Package Manager, they said.

“Dispatcher checks user’s access permissions for a page before delivering the cached page and is an essential part of most–if not all AEM installations,” researchers wrote. “It can be bypassed by adding a lot of special characters in combination in the request: %0a;.”

Previously, the component responsible for the vulnerability could be exploited with one special character; however, AEM CRX Bypass uses a new approach by exploiting it with a number of combined special characters, researchers observed.

Blocking public access to the CRX console mitigates the vulnerability, they added.

Adobe in Hacker Crosshairs

Along with Microsoft, Adobe is one of the top targets for cybercriminals because its software is so prevalent. In addition to the popular Adobe Acrobat family for viewing, creating and managing files, the company also provides the engine for numerous online-facing applications and websites. In fact, Adobe was second only to Microsoft in a recent survey that tracked the market for the most popular exploits sold in cybercriminal forums.

Adobe is responsive at responding to security flaws in its software with monthly updates that coincide with Microsoft’s monthly Patch Tuesday security bulletins. In February, the company patched a flaw in Adobe Reader that threat actors used to target Windows users in “limited attacks,” it said at the time. Windows users are often at the pointy end of the stick of Adobe vulnerabilities.

Join Threatpost for “Tips and Tactics for Better Threat Hunting” — a LIVE event on Wed., June 30 at 2:00 PM ET in partnership with Palo Alto Networks. Learn from Palo Alto’s Unit 42 experts the best way to hunt down threats and how to use automation to help. Register HERE for free!

Suggested articles