Foxit Reader < 7.3.0 Multiple Vulnerabilities

critical Nessus Network Monitor Plugin ID 9467

Synopsis

The remote host has been observed running a version of Foxit Reader that is subject to multiple attack vectors.

Description

Versions of Foxit Reader prior to 7.3.0 are affected by the following vulnerabilities:

- A use-after-free error exists that is triggered when parsing fonts. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists that is triggered when handling the 'global.setPersistent()' method. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists that is triggered when handling the 'WillClose' action. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free condition exists that is triggered when handling PDF files containing images. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- An integer overflow condition exists that is triggered when handling XFA 'FormCalc replace'. This may allow a context-dependent attacker to potentially execute arbitrary code.
- An out-of-bounds access flaw exists that is triggered when handling JBIG2 content. This may allow a context-dependent attacker to potentially execute arbitrary code.
- An unspecified flaw exists that is triggered when parsing PDF files with malformed images. This may allow a context-dependent attacker to crash the program.
- An overflow condition exists in 'ConvertToPDF_x86.dll' that is triggered when converting BMP images. With a specially crafted image, a context-dependent attacker can cause a heap-based buffer overflow, potentially allowing the execution of arbitrary code.
- A use-after-free error exists related to improper use of the Gdiplus API. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists that is triggered when loading certain dynamic-link libraries, including 'xpsp2res.dll' or 'phoneinfo.dll'. The program searches for specific files or libraries using an insecure path that includes the current working directory, which may be untrusted or outside the user's control. By placing a specially crafted library in the path and tricking a user into opening an unspecified file (e.g. one located on a remote WebDAV share), a context-dependent attacker can inject and execute arbitrary code with the privileges of the user running the program.

Solution

Upgrade Foxit Reader to version 7.3.0 or later.

See Also

https://www.foxitsoftware.com/support/security-bulletins.php#content-2016

Plugin Details

Severity: Critical

ID: 9467

Family: CGI

Published: 8/5/2016

Updated: 3/6/2019

Risk Information

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:foxitsoftware:reader

Patch Publication Date: 1/20/2016

Vulnerability Publication Date: 1/20/2016