
Warning: Multiple vulnerabilities in Foxit PDF Reader and Editor products can lead to Remote Code Execution

Reference:
Advisory #2023-91
Version: 
1.0
Affected software:
Foxit PDF Editor (previously named Foxit PhantomPDF) versions 12.1.2.15332 and all previous 12.x versions, 11.2.6.53790 and all previous 11.x versions, 10.1.12.37872 and earlier
Foxit PDF Reader (previously named Foxit Reader) versions 12.1.2.15332 and earlier
Foxit PDF Editor for Mac (previously named Foxit PhantomPDF Mac) versions 12.1.0.1229 and all previous 12.x versions, 11.1.4.1121 and earlier
Foxit PDF Reader for Mac (previously named Foxit Reader Mac) versions 12.1.0.1229 and earlier
Type: 
Remote Code Execution (RCE)
CVE/CVSS: 

CVE-2023-28744: CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVE-2023-32664: CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Sources

https://www.foxit.com/support/security-bulletins.html

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1739

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1795

Risks

Most vulnerabilities fixed in the updates can lead to Remote Code Execution, which has a total impact on the confidentiality, integrity and availability of the vulnerable system. Attack complexity is low and no privileges are required. Additionally, Talos has published proof-of-concept code for some of the vulnerabilities.

At the moment of writing there is no sign of the vulnerabilities being exploited in the wild. Nonetheless, malicious PDF documents are often used by attackers during phishing or social engineering attacks to execute malicious code on the victim's computer. This makes these vulnerabilities highly likely to be exploited in the future.

Description

Foxit released security updates for Foxit PDF Editor and Foxit PDF Reader on Windows and macOS. The updates fix several vulnerabilities that can lead to Remote Code Execution. A small number of them are described below.

CVE-2023-28744

CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVE-2023-28744 is a use-after-free vulnerability in the JavaScript engine of Foxit PDF Reader. A specially crafted PDF document can be sent to a victim who, by opening it, triggers the reuse of previously freed memory, which can lead to memory corruption and arbitrary code execution. The vulnerability can also be exploited if the victim visits a malicious website and has the PDF plugin extension enabled in the browser.

CVE-2023-32664

CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVE-2023-32664 is a type confusion vulnerability in the JavaScript checkThisBox method as implemented in Foxit PDF Reader. Specially crafted JavaScript code inside a malicious PDF document can cause memory corruption and lead to Remote Code Execution. User interaction is required.

Recommended actions

The Centre for Cybersecurity Belgium strongly recommends updating the affected software as soon as possible.

  • For Foxit PDF Editor and Reader, update to version 12.1.3.
  • For Foxit PDF Editor and Reader for Mac, update to version 12.1.1.
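
To find hosts that still need the update, installed versions can be compared against the affected versions listed in this advisory. The following is an added example, not part of the original advisory or of any Foxit tooling; the inventory rows, host names and function names are constructed, and "X and all previous N.x versions" is interpreted as "major version N, at or below X".

```python
# Added example: triage a software inventory against this advisory's affected ranges.
# Version thresholds are copied from the advisory; the hosts below are constructed.

def parse(version):
    """'12.1.2.15332' -> (12, 1, 2, 15332); short versions are padded with zeros."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

# (product, platform) -> [(major, last_affected_version)].
# major=None means "this version and anything earlier";
# otherwise the rule only covers that major release line.
AFFECTED = {
    ("editor", "windows"): [(12, "12.1.2.15332"), (11, "11.2.6.53790"),
                            (None, "10.1.12.37872")],
    ("reader", "windows"): [(None, "12.1.2.15332")],
    ("editor", "mac"): [(12, "12.1.0.1229"), (None, "11.1.4.1121")],
    ("reader", "mac"): [(None, "12.1.0.1229")],
}

def is_affected(product, platform, version):
    """True if the installed version falls in a range the advisory lists as affected."""
    v = parse(version)
    for major, last in AFFECTED[(product.lower(), platform.lower())]:
        if v <= parse(last) and (major is None or v[0] == major):
            return True
    return False

def triage(inventory):
    """Return the (host, product, platform, version) rows that still need the update."""
    return [row for row in inventory if is_affected(*row[1:])]

# Constructed sample inventory: (host, product, platform, version)
INVENTORY = [
    ("ws-001", "reader", "windows", "12.1.2.15332"),  # last affected Reader build
    ("ws-002", "reader", "windows", "12.1.3"),        # recommended version
    ("ws-003", "editor", "windows", "11.2.6.53790"),  # last affected 11.x Editor build
    ("ws-004", "editor", "windows", "10.0.0.0"),      # old 10.x Editor
    ("mac-01", "editor", "mac", "12.1.1"),            # recommended version for Mac
    ("mac-02", "reader", "mac", "12.1.0.1229"),       # last affected Mac Reader build
]

if __name__ == "__main__":
    for host, product, platform, version in triage(INVENTORY):
        print(f"{host}: Foxit PDF {product} {version} ({platform}) is in an affected range")
```
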