14 DAY TRIAL // Adobe's content management system includes a flaw that affects Mastercard, LinkedIn and Sony's PlayStation customers, according to Threat Post.
The vulnerability, that was patched in May, allowed hackers to gain access to passwords and remotely execute code on vulnerable AEM installations. It was discovered that Adobe's content management system, Adobe Experience Manager (AEM), contained a zero-day vulnerability that may have affected customers as diverse as MasterCard, LinkedIn, and PlayStation.
The bug was identified by ethical hackers with the help of Detectify Crowdsource and it seems to affect the CRX Package Manager component of Adobe's AEM. More precisely, Ai Ho and Bao Bui are the original discoverers of the vulnerability in December 2020, while working on a project using AEM for Sony Interactive Entertainment's PlayStation division at the time.
Three months later, the AEM CRX bypass was discovered on many subdomains within the Mastercard organization. Both Sony and Mastercard were aware of the bugs at the time of the incident. “Packages enable the importing and exporting of repository content, and the Package Manager can be used for configuring, building, downloading, installing and deleting packages on local AEM installations”.
Adobe's content management system exposes its users to new security risks
Researchers said in a blog post “This bug allows attackers to bypass authentication and gain access to CRX Package Manager". Following extensive testing and validation by Detectify, Adobe was alerted of the problem on March 25. Earlier this month, Adobe announced a fix for their AEM program.
According to experts, all it take for a malicious remote code execution is for an attacker to infiltrate a system running Adobe's AEM. Once inside, he simply uploads a malicious package to the CRX Package Manager and use it to gain full control of the application.
Because of its widespread use, Adobe is one of the leading targets for cyber attackers. Beyond Acrobat, the software provider also develops engines for various online-facing applications and websites. Adobe was only second to Microsoft in a recent analysis of the most popular exploits marketed in cybercriminal forums.
Note: To ensure accuracy, this post has been updated with a response from Adobe:
“ We do not have any evidence of public exploitation in the wild that would justify the classification of this issue as a “0-day” vulnerability in Adobe Experience Manager (AEM). For clarification, this issue does not impact AEM Cloud Service customers and only potentially impacts AEM on-premise or AEM as a Managed Service if default security configurations are removed. As a result, this does not require a CVE from Adobe because AEM has the necessary security controls enabled by default to help protect customers. This out-of-the-box protection is available on supported versions of AEM. Adobe recommends AEM customers review access controls for the CRX package manager path: /etc/packages. ”