Cory Duplantis and Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities.

Cisco Talos recently discovered multiple remote code execution vulnerabilities in NitroPDF. Nitro PDF allows users to save, read, sign and edit PDF files on their machines. There are two versions of the product: a free and a paid version called “Pro.” The paid version offers several features the free one

does not, including the ability to combine multiple PDFs into one file and to redact sensitive information in the file. These bugs all exist in the Pro version of the software.

In accordance with Cisco's vulnerability disclosure policy, we are disclosing these vulnerabilities without a patch from NitroPDF due to the expiration of our 90-day deadline.

Vulnerability details NitroPDF jpeg2000 ssizDepth remote code execution vulnerability (TALOS-2019-0814/CVE-2019-5045)

A specifically crafted jpeg2000 file embedded in a PDF file can lead to a heap corruption when opening a PDF document in NitroPDF 12.12.1.522. With careful memory manipulation, this can lead to arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file.

Read the complete vulnerability advisory here for additional information.

NitroPDF Page Kids remote code execution vulnerability (TALOS-2019-0819/CVE-2019-5050)

A specifically crafted PDF file can lead to a heap corruption vulnerability when opened in NitroPDF, version 12.12.1.522. With careful memory manipulation, this can lead to arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file.

Read the complete vulnerability advisory here for additional information.

NitroPDF ICCBased color space remote code execution vulnerability (TALOS-2019-0817/CVE-2019-5048)

A specifically crafted PDF file can lead to a heap corruption when opened in NitroPDF 12.12.1.522. With careful memory manipulation, this can lead to arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file.

Read the complete vulnerability advisory here for additional information.

NitroPDF CharProcs remote code execution vulnerability (TALOS-2019-0816/CVE-2019-5047)

An exploitable use-after-free vulnerability exists in the CharProcs-parsing function of NitroPDF. A specially crafted PDF can cause a type confusion, resulting in a use after free. An attacker can craft a malicious PDF to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

NitroPDF jpeg2000 yTsiz remote code execution vulnerability (TALOS-2019-0815/CVE-2019-5046)

A specifically crafted jpeg2000 file embedded in a PDF file can lead to a heap corruption when opening a PDF document in NitroPDF 12.12.1.522. With careful memory manipulation, this can lead to arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file.

Read the complete vulnerability advisory here for additional information.

NitroPDF stream length memory corruption vulnerability (TALOS-2019-0830/CVE-2019-5053)

An exploitable use-after-free vulnerability exists in the Length parsing function of NitroPDF. A specially crafted PDF can cause a type confusion, resulting in a use-after-free condition. An attacker can craft a malicious PDF to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Versions tested Talos tested and confirmed that version NitroPDF, version 12.12.1.522 is affected by these vulnerabilities.

Coverage The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 49906 - 49911, 49948 - 49950