TALOS-2018-0626 / CVE-2018-3956 is an exploitable out-of-bounds read vulnerability which can disclose sensitive memory content and could be used, in conjunction with other vulnerabilities, to aid in full compromise.

A specially crafted PDF file could trigger this vulnerability. There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a malicious PDF or, if the browser plugin is enabled, simply viewing the document on the Internet could result in exploitation. Full details of the vulnerability can be found here.

TALOS-2018-0628
TALOS-2018-0628 references a total of six separate use-after-free vulnerabilities (CVE-2018-3957, CVE-2018-3958, CVE-2018-3959, CVE-2018-3960, CVE-2018-3961, CVE-2018-3962) found in the JavaScript engine of Foxit PDF Reader that can be abused to execute arbitrary code.

There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a specially crafted, malicious PDF or, if the browser plugin is enabled, the user could trigger the exploit by viewing the document in a web browser. Full details of the vulnerability can be found here.

TALOS-2018-0629
TALOS-2018-0629 / CVE-2018-3964 is a use-after-free vulnerability found in the JavaScript engine of Foxit PDF Reader that can be abused to execute arbitrary code. This particular vulnerability leverages the invocation of the 'getPageNumWords' method of the active document with a crafted object as an argument.

There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a specially crafted, malicious PDF or, if the browser plugin is enabled, the user could trigger the exploit by viewing the document in a web browser. Full details of the vulnerability can be found here.

TALOS-2018-0630
TALOS-2018-0630 / CVE-2018-3965 is a use-after-free vulnerability found in the JavaScript engine of Foxit PDF Reader that can be abused to execute arbitrary code. This particular vulnerability leverages a saved reference to the 'this.bookmarkRoot.children' object, triggering the use-after-free condition.

There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a specially crafted, malicious PDF or, if the browser plugin is enabled, the user could trigger the exploit by viewing the document in a web browser. Full details of the vulnerability can be found here.

TALOS-2018-0631
TALOS-2018-0631 / CVE-2018-3966 is a use-after-free vulnerability found in the JavaScript engine of Foxit PDF Reader which can be abused to execute arbitrary code. This particular vulnerability leverages a saved reference to the 'this.dataObjects' object, triggering the use-after-free condition.

There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a specially crafted, malicious PDF or, if the browser plugin is enabled, the user could trigger the exploit by viewing the document in a web browser. Full details of the vulnerability can be found here.

TALOS-2018-0632
TALOS-2018-0632 / CVE-2018-3967 is a use-after-free vulnerability found in the JavaScript engine of Foxit PDF Reader that can be abused to execute arbitrary code. This particular vulnerability leverages a saved reference to the 'this.event.target' object, triggering the use-after-free condition.

There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a specially crafted, malicious PDF or, if the browser plugin is enabled, the user could trigger the exploit by viewing the document in a web browser. Full details of the vulnerability can be found here.

TALOS-2018-0660  
TALOS-2018-0660/CVE-2018-3992 is a use-after-free vulnerability in the JavaScript engine of Foxit PDF Reader version 9.2.0.9297. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, it can also be triggered by visiting a malicious site.

As a complete feature-rich PDF reader, Foxit supports JavaScript for interactive documents and dynamic forms. A multipage PDF document can have JavaScript actions attached to "page open" and "page close" events. When executing embedded JavaScript code, a document can be closed, which essentially frees numerous of used objects, but the JavaScript can continue to execute. Changing a page at a precise moment after the document is closed can lead to use-after-free condition. Full details of the vulnerability can be found here.

TALOS-2018-0661  
TALOS-2018-0661/CVE-2018-3993 is a use-after-free vulnerability in the JavaScript engine of Foxit PDF Reader version 9.2.0.9297. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, it can also be triggered by visiting a malicious site.

This particular vulnerability lies in the way optional content groups (OCG) are manipulated. Saving an OCG and then accessing it's properties after the document is closed can trigger a use-after-free condition. Full details of the vulnerability can be found here.

TALOS-2018-0662
TALOS-2018-0662/CVE-2018-3994 is a use-after-free vulnerability in the JavaScript engine of Foxit PDF Reader, version 9.2.0.9297. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.

As a feature-rich PDF reader, Foxit supports JavaScript for interactive documents and dynamic forms. A multipage PDF document can have JavaScript actions attached to "page open" and "page close" events. When executing embedded JavaScript code, a document can be closed, which frees numerous used objects, but the JavaScript can continue to execute. Changing a page at a precise moment after the document is closed can lead to use-after-free condition.

Calling `app.activeDocs[0].calculateNow()` while opening a page allocates an extra object on the heap. When the code in the open action for the whole document is executed, calling `app.activeDocs[0].importDataObject();` can then dereference a freed object, leading to use-after-free condition. Full details of the vulnerability can be found here.

TALOS-2018-0663  
TALOS-2018-0663/CVE-2018-3995 is a use-after-free vulnerability in the JavaScript engine of Foxit PDF Reader version 9.2.0.9297. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.

As a feature-rich PDF reader, Foxit supports JavaScript for interactive documents and dynamic forms. A multipage PDF document can have JavaScript actions attached to "page open" and "page close" events. When executing embedded JavaScript code, a document can be closed, which essentially frees numerous of used objects, but the JavaScript can continue to execute. Changing a page at the precise moment after the document is closed can lead to use-after-free condition.

This particular vulnerability lies in saving a reference to the `SignatureInfo` object by invoking the `signatureInfo` method of a form field. When the document is closed, objects are freed and a use-after-free condition occurs if a stale reference is accessed. Full details of the vulnerability can be found here.

TALOS-2018-0664
TALOS-2018-0664/CVE-2018-3996 a use-after-free vulnerability in the JavaScript engine of Foxit PDF Reader, version 9.2.0.9297. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. A user could also trigger the vulnerability by visiting a malicious site while the browser plugin is enabled. As a feature-rich PDF reader, Foxit supports JavaScript for interactive documents and dynamic forms. A multipage PDF document can have JavaScript actions attached to "page open" and "page close" events. When executing embedded JavaScript code, a document can be closed, which essentially frees numerous of used objects, but the JavaScript can continue to execute. Changing a page at a precise moment after the document is closed can lead to use-after-free condition.

This particular vulnerability lies in invoking `isDefaultChecked` method of a field object with crafted object as argument, which can trigger a use-after-free condition. Full details of the vulnerability can be found here.

TALOS-2018-0665
TALOS-2018-0665/CVE-2018-3997 is a use-after-free vulnerability in the JavaScript engine of Foxit PDF Reader version 9.2.0.9297. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. A user could also trigger the vulnerability by visiting a malicious site while the browser plugin is enabled

As a feature-rich PDF reader, Foxit supports JavaScript for interactive documents and dynamic forms. A multipage PDF document can have Javascript actions attached to "page open" and "page close" events. When executing embedded JavaScript code, a document can be closed, which essentially frees numerous of used objects, but the JavaScript can continue to execute. Changing a page at a precise moment after the document is closed can lead to use-after-free condition.

If a reference to `SeedValue` object is saved by invoking `signatureGetSeedValue` method of a form field and the document is closed, objects are freed and accessing a stale reference results in a use-after-free condition. Full details of the vulnerability can be found here.

Coverage
The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rule: 45158 - 45159, 45608 - 45609, 45652 - 45653, 45715 - 45716, 45823 - 45824, 46864 - 46865, 47727 - 47728