CVE-2023-26358 Overview
CVE-2023-26358 is an Untrusted Search Path vulnerability affecting Adobe Creative Cloud version 5.9.1 and earlier. This vulnerability allows attackers to execute their own programs, access unauthorized data files, or modify configuration in unexpected ways by manipulating the search path used by the application to locate critical resources. When the application uses a search path to locate critical resources such as programs, an attacker can modify that search path to point to a malicious program, which the targeted application would then execute.
Critical Impact
Local attackers can achieve code execution with user privileges by hijacking the application's resource search path, potentially leading to unauthorized program execution, data access, and configuration modification.
Affected Products
- Adobe Creative Cloud version 5.9.1 and earlier
- All platforms running vulnerable Creative Cloud Desktop Application versions
Discovery Timeline
- 2023-03-22 - CVE-2023-26358 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-26358
Vulnerability Analysis
This vulnerability falls under CWE-426 (Untrusted Search Path), a class of vulnerabilities that occur when an application searches for libraries or executables in locations that may be under attacker control. Adobe Creative Cloud version 5.9.1 and earlier fails to properly validate or restrict the search paths used when loading critical resources.
The local attack vector requires user interaction, meaning an attacker would need to convince a user to perform an action such as opening a malicious file or navigating to a directory containing attacker-controlled files. Once triggered, the vulnerability can result in complete compromise of confidentiality, integrity, and availability of the affected system at the user's privilege level.
Root Cause
The root cause of CVE-2023-26358 is the application's use of an insecure or unvalidated search path when locating critical resources such as DLLs, executables, or configuration files. The application does not properly restrict the directories from which these resources can be loaded, allowing an attacker to place malicious files in locations that are searched before legitimate system directories.
Attack Vector
This vulnerability has a local attack vector and requires user interaction. The attacker must position malicious files (such as DLLs or executables) in a location that the Creative Cloud application searches before it finds the legitimate files. A typical scenario:
The attacker places a malicious DLL in the current working directory or another directory in the search path. When a user opens a file associated with Creative Cloud or launches the application from a directory containing the malicious file, the application loads and executes the attacker's code. This technique is commonly known as DLL hijacking or search order hijacking.
The vulnerability extends beyond just executables to any critical resource that the application trusts, including configuration files that could be modified to alter application behavior.
Detection Methods for CVE-2023-26358
Indicators of Compromise
- Unexpected DLL or executable files in user-accessible directories where Creative Cloud applications are launched
- Process execution anomalies where Creative Cloud processes load libraries from unusual locations
- Suspicious file creation events in directories commonly used for DLL hijacking attacks
Detection Strategies
- Monitor for DLL loading events from non-standard directories for Adobe Creative Cloud processes
- Implement application whitelisting to prevent execution of unsigned or unexpected binaries
- Configure endpoint detection to alert on search order hijacking patterns
- Review process creation logs for Creative Cloud processes spawning unexpected child processes
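As an added illustration of the first detection strategy above (example code written for this page, not an Adobe or vendor tool), the following Python scans image-load records shaped like Sysmon Event ID 7 and flags Creative Cloud processes that load a library from outside a set of trusted roots, or load an unsigned library from within them. The install path, trusted roots, field names and all sample events are assumptions constructed for the example.

```python
"""Flag Creative Cloud library loads from untrusted directories (added example)."""
from pathlib import PureWindowsPath

# Assumed Creative Cloud install root and trusted library roots (not from the advisory).
CC_ROOT = PureWindowsPath(r"C:\Program Files\Adobe\Adobe Creative Cloud")
TRUSTED_ROOTS = (
    CC_ROOT,
    PureWindowsPath(r"C:\Program Files\Common Files\Adobe"),
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
    PureWindowsPath(r"C:\Windows\WinSxS"),
)

def _under(path, root):
    """Case-insensitive check that a Windows path lies inside root."""
    p = [s.lower() for s in PureWindowsPath(path).parts]
    r = [s.lower() for s in root.parts]
    return p[:len(r)] == r

def is_cc_process(image):
    """True when the loading process itself runs from the Creative Cloud install root."""
    return _under(image, CC_ROOT)

def suspicious_loads(events):
    """Return (process, loaded library, reason) for each untrusted load.

    Each event is a dict with Sysmon Event ID 7 style fields Image, ImageLoaded
    and Signed (field names assumed here). Non-Creative Cloud processes are skipped."""
    findings = []
    for ev in events:
        if not is_cc_process(ev["Image"]):
            continue
        loaded = ev["ImageLoaded"]
        if not any(_under(loaded, root) for root in TRUSTED_ROOTS):
            findings.append((ev["Image"], loaded, "untrusted directory"))
        elif ev.get("Signed", "false").lower() != "true":
            findings.append((ev["Image"], loaded, "unsigned library"))
    return findings

# Constructed sample events, not real telemetry.
CC_EXE = r"C:\Program Files\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe"
SAMPLE_EVENTS = [
    {"Image": CC_EXE, "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"Image": CC_EXE, "ImageLoaded": r"C:\Users\alice\Downloads\sample.dll", "Signed": "false"},
    {"Image": CC_EXE, "ImageLoaded": str(CC_ROOT / "ACC" / "helper.dll"), "Signed": "false"},
    {"Image": r"C:\Windows\explorer.exe", "ImageLoaded": r"C:\Users\alice\Downloads\sample.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for proc, lib, why in suspicious_loads(SAMPLE_EVENTS):
        print(f"ALERT ({why}): {proc} loaded {lib}")
```

In a real deployment the same logic runs over exported Sysmon or EDR image-load telemetry; tune TRUSTED_ROOTS to the actual install location on the monitored hosts.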
Monitoring Recommendations
- Enable verbose logging for application startup and resource loading activities
- Monitor file system activity in directories commonly targeted by search path attacks
- Implement SIEM rules to correlate suspicious file creations with subsequent Creative Cloud launches
How to Mitigate CVE-2023-26358
Immediate Actions Required
- Update Adobe Creative Cloud Desktop Application to version 5.10.0 or later immediately
- Audit systems for any unauthorized files in directories where Creative Cloud applications are installed or launched
- Restrict user permissions to prevent writing to sensitive application directories
- Enable endpoint protection solutions to detect and block DLL hijacking attempts
Patch Information
Adobe has addressed this vulnerability in the Adobe Security Advisory APSB23-21. Users should update to Creative Cloud Desktop Application version 5.10.0 or later to remediate this vulnerability. The update can be obtained through the Creative Cloud application's built-in update mechanism or by downloading the latest installer from Adobe's website.
Workarounds
- Launch Creative Cloud applications only from their default installation directories
- Avoid opening files associated with Creative Cloud from untrusted or shared network locations
- Implement application control policies to prevent execution of unsigned binaries
- Configure endpoint protection to monitor and block suspicious DLL loading behavior
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.