Vulnerability Spotlight: Memory corruption and use-after-free vulnerabilities in Foxit PDF Reader

Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered a memory corruption and use-after-free vulnerability in the Foxit PDF Reader.  

Foxit PDF Reader is one of the most popular PDF document readers currently available. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. These vulnerabilities could be triggered if an attacker tricks a user into opening a specially crafted, malicious PDF file, or open the file in a browser that has a PDF reader plugin installed.

TALOS-2021-1429 (CVE-2021-40420) exists in the JavaScript engine of Foxit PDF Reader and could trigger the reuse of previously freed memory, which can lead to arbitrary code execution. TALOS-2022-1439 (CVE-2022-22150) is a similar vulnerability, though instead of a use-after-free condition, it leads to memory corruption and arbitrary code execution. Cisco Talos worked with Foxit to ensure that these issues are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy. 

Users are encouraged to update Foxit Reader 11.1.0.52543 as soon as possible. Talos tested and confirmed this version of the PDF Reader could be exploited by this vulnerability. 

The following SNORTⓇ rules will detect exploitation attempts against this vulnerability: 58818, 58819, 58897 and 58898. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.