Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered four remote code execution vulnerabilities in Foxit PDF Reader. Foxit PDF Reader is a popular program for reading and editing PDFs. The software supports JavaScript to allow for interactive elements in PDF files — all of these vulnerabilities exist in the JavaScript capabilities of the program. An attacker could exploit any of these bugs by tricking the user into opening a malicious PDF in Foxit PDF Reader.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Foxit to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Foxit PDF Reader JavaScript field action validate remote code execution vulnerability (TALOS-2019-0915/CVE-2019-5126)

An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software's Foxit PDF Reader, version 9.7.0.29435. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.

Read the complete vulnerability advisory here for additional information.

Foxit PDF Reader JavaScript field action OnBlur remote code execution vulnerability (TALOS-2019-0920/CVE-2019-5131)

An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software's Foxit PDF Reader, version 9.7.0.29435. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.

Read the complete vulnerability advisory here for additional information.

Foxit PDF Reader JavaScript createTemplate invalid page code execution vulnerability (TALOS-2019-0935/CVE-2019-5130)

An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software's Foxit PDF Reader, version 9.7.0.29435. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.

Read the complete vulnerability advisory here for additional information.

Foxit PDF Reader JavaScript field keystroke action remote code execution vulnerability (TALOS-2019-0934/CVE-2019-5145)

An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit PDF Reader, version 9.7.0.29435. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that these vulnerabilities affect version 9.7.0.29435 of Foxit PDF Reader.

Coverage

The following SNORT® rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 52046, 52047, 51949 - 51952, 51737, 51738
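
For file-level triage alongside the network rules, the sketch below flags PDFs that carry JavaScript on the field events named in the advisories above (validate, OnBlur, keystroke) or that reference createTemplate. It is an added example, not Talos or Foxit code and not a reimplementation of the Snort rules; the `/AA` trigger keys `/V`, `/Bl` and `/K` come from the PDF specification, and the function names and the sample are assumptions made for illustration.

```python
import re
import zlib

# /AA trigger keys (PDF specification) for the field events named in the advisories.
TRIGGERS = {b"V": "validate", b"Bl": "OnBlur", b"K": "keystroke"}

def expand(pdf: bytes) -> bytes:
    """Raw bytes plus every stream that inflates as Flate, with #xx name escapes decoded."""
    parts = [pdf]
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", pdf, re.S):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate (or damaged): only the raw bytes are searched
    data = b"\n".join(parts)
    # Decode #xx so a name written as /J#61vaScript is matched as /JavaScript.
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def aa_dicts(data: bytes):
    """Yield the body of each inline /AA << ... >> dictionary, honouring nesting."""
    for m in re.finditer(rb"/AA\s*<<", data):
        depth, i = 1, m.end()
        while depth and i < len(data) - 1:
            pair = data[i:i + 2]
            if pair in (b"<<", b">>"):
                depth += 1 if pair == b"<<" else -1
                i += 2
            else:
                i += 1
        yield data[m.end():i]

def triage(pdf: bytes) -> dict:
    data = expand(pdf)
    found = set()
    for body in aa_dicts(data):
        for key, name in TRIGGERS.items():
            # The key must be followed by an action dictionary or an indirect reference.
            if re.search(rb"/" + key + rb"(\s*<<|\s+\d+\s+\d+\s+R)", body):
                found.add(name)
    return {"javascript": bool(re.search(rb"/(JavaScript|JS)\b", data)),
            "field_triggers": sorted(found),
            "create_template": b"createTemplate" in data}

# Constructed sample (not from any real file): a text field with keystroke and
# OnBlur actions and a Flate-compressed script that calls createTemplate.
SAMPLE = (b"%PDF-1.7\n1 0 obj\n<< /FT /Tx /T (f1) /AA << /K 2 0 R "
          b"/Bl << /S /J#61vaScript /JS 3 0 R >> >> >>\nendobj\n"
          b"3 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
          + zlib.compress(b"this.createTemplate('x');") + b"\nendstream\nendobj\n")
```

A hit means only that the file uses these features and deserves a closer look or a patched reader, not that it is malicious. An `/AA` entry given as an indirect reference, and streams using filters other than Flate, are not followed by this sketch.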