CVE-2020-27249

7.8 HIGH

📋 TL;DR

This heap-based buffer overflow vulnerability in SoftMaker Office PlanMaker 2021 allows attackers to execute arbitrary code by tricking victims into opening specially crafted documents. The vulnerability affects users of PlanMaker 2021 revision 1014 who open malicious documents. Successful exploitation could lead to complete system compromise.

💻 Affected Systems

Products:
  • SoftMaker Office PlanMaker 2021
Versions: Revision 1014
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Specifically affects the document parser's handling of record types 0x0004 and 0x0015. All installations of the vulnerable revision are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to full system compromise, data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Arbitrary code execution with user privileges, potentially leading to data exfiltration, credential theft, or lateral movement within the network.

🟢 If Mitigated

Limited impact with proper application sandboxing, limited user privileges, and network segmentation preventing lateral movement.

🌐 Internet-Facing: MEDIUM - Requires user interaction (opening document) but documents can be delivered via email, web downloads, or file sharing services.
🏢 Internal Only: HIGH - Internal users frequently exchange documents, making social engineering attacks effective within organizations.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the user to open a malicious document, but no authentication is needed. A public PoC is available from Talos Intelligence.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Revision 1016 or later

Vendor Advisory: https://www.softmaker.com/en/security-advisory

Restart Required: No

Instructions:

1. Open SoftMaker Office.
2. Go to Help > Check for Updates.
3. Install available updates.
4. Verify version is revision 1016 or higher.

🔧 Temporary Workarounds

Disable PlanMaker file associations (all platforms)

Prevent .pmd/.pmdx files from automatically opening in PlanMaker

Windows: assoc .pmd=
Windows: assoc .pmdx=
Linux: update-mime-database
macOS: Get Info on file > Change Open With

Application sandboxing (all platforms)

Run PlanMaker in a restricted environment

Windows: AppLocker rules
Linux: Firejail (firejail planmaker)
macOS: sandbox-exec

🧯 If You Can't Patch

  • Block PlanMaker documents at email gateways and web proxies
  • Implement least privilege: Run PlanMaker with standard user accounts, not administrator

🔍 How to Verify

Check if Vulnerable:

Open PlanMaker, go to Help > About, check if revision is 1014

Check Version:

Windows: wmic product where name="SoftMaker Office PlanMaker 2021" get version
Linux: dpkg -l | grep softmaker
macOS: mdls -name kMDItemVersion /Applications/SoftMaker\ Office\ 2021/PlanMaker.app

Verify Fix Applied:

Confirm revision is 1016 or higher in Help > About dialog

📡 Detection & Monitoring

Log Indicators:

  • Process crashes of planmaker.exe
  • Unusual document file access patterns
  • Suspicious child processes spawned from PlanMaker

Network Indicators:

  • Unexpected outbound connections from PlanMaker process
  • DNS requests for suspicious domains after document opening

SIEM Query:

process_name="planmaker.exe" AND (event_id=1000 OR child_process_creation!=null)
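
The query above, written out as an added Python example (not part of the original advisory or any vendor tooling) and run over constructed events. The field names, host names and install path are assumptions modelled on Windows Application Error (event 1000) and Sysmon process creation (event 1); map them to your own log schema.

```python
from pathlib import PureWindowsPath

TARGET = "planmaker.exe"  # process name from the page's SIEM query

# Constructed sample events, not real telemetry. Field names are assumptions
# modelled on Windows Application Error (event 1000) and Sysmon process
# creation (event 1); the install path is a placeholder.
PM = r"C:\Program Files\SoftMaker Office 2021\PlanMaker.exe"
SAMPLE_EVENTS = [
    {"host": "ws-01", "event_id": 1000, "faulting_app": "PlanMaker.exe"},
    {"host": "ws-01", "event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": PM},
    {"host": "ws-02", "event_id": 1000, "faulting_app": "notepad.exe"},
    {"host": "ws-02", "event_id": 1, "image": PM,
     "parent_image": r"C:\Windows\explorer.exe"},  # normal launch, not a child
    {"host": "ws-03", "event_id": 1000, "faulting_app": "planmaker.exe"},
]


def _name(path):
    """Lower-cased file name of a Windows path; empty string if missing."""
    return PureWindowsPath(path or "").name.lower()


def classify(event):
    """Return 'crash', 'child_process' or None for a single event."""
    eid = event.get("event_id")
    if eid == 1000 and _name(event.get("faulting_app")) == TARGET:
        return "crash"
    if eid == 1 and _name(event.get("parent_image")) == TARGET:
        return "child_process"
    return None


def detect(events):
    """List (host, indicator) pairs for every matching event, in order."""
    return [(e.get("host"), label) for e in events
            if (label := classify(e)) is not None]


def hosts_to_escalate(alerts):
    """Hosts showing both a crash and a spawned child process."""
    seen = {}
    for host, label in alerts:
        seen.setdefault(host, set()).add(label)
    return sorted(h for h, labels in seen.items()
                  if labels == {"crash", "child_process"})


if __name__ == "__main__":
    alerts = detect(SAMPLE_EVENTS)
    print(alerts, hosts_to_escalate(alerts))
```

Matching on the parent image rather than the image keeps an ordinary PlanMaker launch from Explorer out of the results.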
