SB2018052217 - Multiple vulnerabilities in Foxit Reader and PhantomPDF
Published: May 22, 2018
Description
This security bulletin contains information about 16 security vulnerabilities.
1) Use-after-free error (CVE-ID: CVE-2018-10302)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error. A remote attacker can trick the victim into opening specially crafted input, trigger memory corruption and execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
2) Use-after-free error (CVE-ID: CVE-2018-10303)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error. A remote attacker can trick the victim into opening specially crafted input, trigger memory corruption and execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
3) Insecure DLL loading (CVE-ID: N/A)
The vulnerability allows a remote attacker to execute arbitrary code on the target system. The weakness exists because the application passes an insufficiently qualified path when loading an external library at application launch. A remote attacker can place a malicious DLL in the searched directory and execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
4) Access of uninitialized pointer (CVE-ID: N/A)
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system. The weakness exists due to the use of an uninitialized new Uint32Array object, or of uninitialized member variables in PrintParams or m_pCurContex objects. A remote attacker can gain access to potentially sensitive information.
5) Out-of-bounds write (CVE-ID: N/A)
The vulnerability allows a remote attacker to obtain potentially sensitive information or execute arbitrary code on the target system. The weakness exists due to incorrect memory allocation, memory commit, memory access or array access. A remote attacker can gain access to potentially sensitive information or execute arbitrary code on the target system.
Successful exploitation of the vulnerability may result in system compromise.
6) Type confusion (CVE-ID: N/A)
The vulnerability allows a remote attacker to cause a DoS condition or execute arbitrary code on the target system. The weakness exists due to type confusion when executing certain XFA functions in crafted PDF files: the application can convert a non-CXFA_Object to a CXFA_Object without checking its data type, and then uses the mismatched CXFA_Object directly to obtain a layout object. A remote attacker can cause the service to crash or execute arbitrary code on the target system.
Successful exploitation of the vulnerability may result in system compromise.
7) Use-after-free error (CVE-ID: N/A)
The vulnerability allows a remote attacker to obtain potentially sensitive information, cause a DoS condition or execute arbitrary code on the target system. The weakness exists due to a use-after-free error: the application can continue to traverse pages after the document has been closed, or free certain objects repeatedly. A remote attacker can gain access to potentially sensitive information, cause the service to crash or execute arbitrary code on the target system.
Successful exploitation of the vulnerability may result in system compromise.
8) Information disclosure (CVE-ID: N/A)
The vulnerability allows a remote attacker to obtain potentially sensitive information or execute arbitrary code on the target system. The weakness exists due to improper information control. A remote attacker can abuse GoToE and GoToR actions to gain access to potentially sensitive information or execute arbitrary code on the target system.
Successful exploitation of the vulnerability may result in system compromise.
9) Out-of-bounds read (CVE-ID: N/A)
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system. The weakness exists in the _JP2_Codestream_Read_SOT function due to improper information control when the application is not running in Safe Reading Mode. A remote attacker can gain access to potentially sensitive information.
10) Data handling (CVE-ID: N/A)
The vulnerability allows a remote attacker to cause a DoS condition on the target system. The weakness exists due to improper COM object handling when a PDF is opened in a browser from Microsoft Word. A remote attacker can cause the service to crash.
11) Improper access control (CVE-ID: N/A)
The vulnerability allows a remote attacker to execute arbitrary code on the target system. The weakness exists because users can embed executable files in a PDF portfolio from within the application. A remote attacker can execute arbitrary code on the target system.
Successful exploitation of the vulnerability may result in system compromise.
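As an added defender-side triage example (not code from the bulletin or from Foxit), the Python script below flags the two document-level features that entries 8 and 11 describe: GoToR/GoToE actions (plus Launch) that point outside the document, and attachments with executable extensions registered under /EmbeddedFiles. The sample PDF bytes, the file names and the object numbers in it are constructed for the demonstration.

```python
import re

# Constructed sample: a minimal PDF skeleton with a GoToR action, a GoToE
# action and an embedded "setup.exe" filespec. Not a real or malicious file.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R
   /Names << /EmbeddedFiles << /Names [(setup.exe) 4 0 R] >> >> >> endobj
3 0 obj << /S /GoToR /F (other.pdf) /D [0 /Fit] >> endobj
4 0 obj << /Type /Filespec /F (setup.exe) /EF << /F 5 0 R >> >> endobj
5 0 obj << /Type /EmbeddedFile /Length 2 >> stream
MZ
endstream endobj
6 0 obj << /S /GoToE /T << /R /C /N (attached) >> /D [0 /Fit] >> endobj
"""

# Extensions a reviewer would not expect inside a benign portfolio.
EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd", ".js", ".vbs", ".msi")

ACTION_RE = re.compile(rb"/S\s*/(GoToR|GoToE|Launch)\b")
FILESPEC_RE = re.compile(rb"/Type\s*/Filespec[^>]*?/F\s*\(([^)]*)\)")
EMBEDDED_RE = re.compile(rb"/Type\s*/EmbeddedFile\b")


def find_risky_actions(data: bytes) -> list:
    """Return the distinct action types that reference external content."""
    return sorted({m.group(1).decode() for m in ACTION_RE.finditer(data)})


def find_executable_attachments(data: bytes) -> list:
    """Return /Filespec file names whose extension marks them as executable."""
    names = [m.group(1).decode(errors="replace") for m in FILESPEC_RE.finditer(data)]
    return [n for n in names if n.lower().endswith(EXEC_EXT)]


def triage(data: bytes) -> dict:
    """Summarise the indicators so a file can be quarantined before opening."""
    return {
        "risky_actions": find_risky_actions(data),
        "embedded_files": len(EMBEDDED_RE.findall(data)),
        "executable_attachments": find_executable_attachments(data),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_PDF))
```

The scan works on raw bytes only, so objects packed into compressed object streams are invisible to it; decompress the file with a PDF library first when triaging real documents.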
12) Timing attack (CVE-ID: CVE-2018-5675)
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system. The weakness exists in the OpenSSL RSA key generation algorithm, which is exposed to a cache timing side-channel attack. A remote attacker with sufficient access to mount cache timing attacks during the RSA key generation process can recover the private key.
13) Use-after-free error (CVE-ID: N/A)
The vulnerability allows a remote attacker to execute arbitrary code on the target system. The weakness exists due to a use-after-free error. A remote attacker can execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
14) Access of uninitialized pointer (CVE-ID: N/A)
The vulnerability allows a remote attacker to execute arbitrary code on the target system. The weakness exists due to access of an uninitialized pointer. A remote attacker can execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
15) Type confusion (CVE-ID: CVE-2018-7407)
The vulnerability allows a remote attacker to execute arbitrary code on the target system. The weakness exists due to type confusion. A remote attacker can execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
16) Improper validation of array index (CVE-ID: CVE-2018-7406)
The vulnerability allows a remote attacker to execute arbitrary code on the target system. The weakness exists due to improper validation of an array index during parsing. A remote attacker can execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
Remediation
Install the update from the vendor's website.