Timing attack in Foxit PDF Editor (formerly Foxit PhantomPDF) and Foxit PDF Reader for Windows - CVE-2018-5675
Published: May 18, 2018
Vulnerability identifier: #VU12830
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-5675
CWE-ID: CWE-385
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Foxit Software Inc.
Affected software:
Foxit PDF Editor (formerly Foxit PhantomPDF)
Foxit PDF Reader for Windows
Detailed vulnerability description
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists in the OpenSSL RSA key generation algorithm, which is susceptible to a cache timing side-channel attack. A remote attacker with sufficient access to mount cache timing attacks during the RSA key generation process can recover the private key.
How to mitigate CVE-2018-5675
Install the update from the vendor's website.