Aleksandar Nikolic of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered multiple use-after-free vulnerabilities in the Foxit PDF Reader.

Foxit PDF Reader is one of the most popular PDF document readers currently available. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms.

TALOS-2021-1294 (CVE-2021-21831), TALOS-2021-1307 (CVE-2021-21870) and TALOS-2021-1336 (CVE-2021-21893) are all use-after-free vulnerabilities that exist in the PDF Reader that could lead to an adversary gaining the ability to execute arbitrary code on the victim machine. An attacker needs to trick a user into opening a specially crafted, malicious PDF to exploit these vulnerabilities.

Cisco Talos worked with Foxit to ensure that that this issue is resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update Foxit Reader 11.0.0.49893 as soon as possible. Talos tested and confirmed this version of the PDF Reader could be exploited by this vulnerability.

The following SNORTⓇ rules will detect exploitation attempts against this vulnerability: 56122, 56123, 57479, 57480, 57830 and 57831. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.