SB2020042201 - Multiple vulnerabilities in Foxit Reader and PhantomPDF
Published: April 22, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 18 vulnerabilities.
1) Type Confusion (CVE-ID: CVE-2020-10911)
CWE-ID: CWE-843 - Type confusion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error within the handling of the GetFieldValue command of the communication API. A remote attacker can create a specially crafted PDF file, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
2) Use-after-free (CVE-ID: CVE-2020-10907)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the handling of widgets in XFA forms. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger a use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
3) Use-after-free (CVE-ID: CVE-2020-10906)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the resetForm method. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger a use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
4) Use-after-free (CVE-ID: CVE-2020-10900)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the processing of AcroForms. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger a use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
5) Use-after-free (CVE-ID: CVE-2020-10899)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the processing of XFA templates. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger a use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
6) Type Confusion (CVE-ID: CVE-2020-10891)
CWE-ID: CWE-843 - Type confusion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error within the handling of the Save command of the communication API. A remote attacker can create a specially crafted PDF file, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
7) Type Confusion (CVE-ID: CVE-2020-10908)
CWE-ID: CWE-843 - Type confusion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error within the handling of the Export command of the communication API. A remote attacker can create a specially crafted PDF file, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
8) Type Confusion (CVE-ID: CVE-2020-10909)
CWE-ID: CWE-843 - Type confusion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error within the handling of the AddWatermark command of the communication API. A remote attacker can create a specially crafted PDF file, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
9) Type Confusion (CVE-ID: CVE-2020-10910)
CWE-ID: CWE-843 - Type confusion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error within the handling of the RotatePage command of the communication API. A remote attacker can create a specially crafted PDF file, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
10) Information disclosure (CVE-ID: N/A)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to hardcoded credentials being used during HTTP request in DocuSign plugin. A remote attacker can gain intercept network traffic and gain access to sensitive information.
11) Type Confusion (CVE-ID: CVE-2020-10912)
CWE-ID: CWE-843 - Type confusion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error within the handling of the SetFieldValue command of the communication API. A remote attacker can create a specially crafted PDF file, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
12) Type Confusion (CVE-ID: CVE-2020-10913)
CWE-ID: CWE-843 - Type confusion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error within the handling of the OCRAndExportToExcel command of the communication API. A remote attacker can create a specially crafted PDF file, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
13) Type Confusion (CVE-ID: CVE-2020-10889)
CWE-ID: CWE-843 - Type confusion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error within the handling of the DuplicatePages command of the communication API.. A remote attacker can create a specially crafted PDF file, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
14) Improper Verification of Cryptographic Signature (CVE-ID: N/A)
CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to incorrect validation of signatures of PDF files. A remote attacker can bypass signature validation process and bypass implemented security restrictions.
15) Infinite loop (CVE-ID: N/A)
CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop when parsing certain PDF file that contains irregular data in cross-reference stream or lengthy character strings in the content stream. A remote attacker can consume all available system resources and cause denial of service conditions.
16) Infinite loop (CVE-ID: N/A)
CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop when processing actions that contain circular reference in PDF files. A remote attacker can consume all available system resources and cause denial of service conditions.
17) Use-after-free (CVE-ID: N/A)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing PDF files. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger a user-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
18) Improper control of interaction frequency (CVE-ID: N/A)
CWE-ID: CWE-799 - Improper Control of Interaction Frequency
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to perform a brute-force attack.
The vulnerability exists due to CAS service allows unlimited number of attempts to guess credentials. A remote attacker can perform a brute-force attack and gain unauthorized access to the application.
Remediation
Install update from vendor's website.
References
- https://www.zerodayinitiative.com/advisories/ZDI-20-518/
- https://www.foxitsoftware.com/support/security-bulletins.php?9.7.1.29511
- https://www.zerodayinitiative.com/advisories/ZDI-20-535/
- https://www.foxitsoftware.com/support/security-bulletins.php
- https://www.zerodayinitiative.com/advisories/ZDI-20-534/
- https://www.zerodayinitiative.com/advisories/ZDI-20-528/
- https://www.zerodayinitiative.com/advisories/ZDI-20-527/
- https://www.zerodayinitiative.com/advisories/ZDI-20-514/
- https://www.zerodayinitiative.com/advisories/ZDI-20-515/
- https://www.zerodayinitiative.com/advisories/ZDI-20-516/
- https://www.zerodayinitiative.com/advisories/ZDI-20-517/
- https://www.zerodayinitiative.com/advisories/ZDI-20-519/
- https://www.zerodayinitiative.com/advisories/ZDI-20-520/
- https://www.zerodayinitiative.com/advisories/ZDI-20-511/