CVE-2021-38570
📋 TL;DR
This vulnerability in Foxit Reader and PhantomPDF allows attackers to delete arbitrary files during uninstallation via symbolic link manipulation. It affects users running vulnerable versions of these PDF software applications on Windows systems. Attackers could exploit this to delete critical system or user files.
💻 Affected Systems
- Foxit Reader
- Foxit PhantomPDF
📦 What is this software?
Foxit Reader by Foxitsoftware
PhantomPDF by Foxitsoftware
⚠️ Risk & Real-World Impact
Worst Case
Attackers could delete critical system files, causing system instability, data loss, or complete system compromise if key configuration files are removed.
Likely Case
Targeted deletion of user documents, configuration files, or application data leading to data loss and potential operational disruption.
If Mitigated
Limited impact with proper file permissions and user account controls, though local file deletion would still be possible.
🎯 Exploit Status
Exploitation requires local access, the ability to create symbolic links, and triggering the uninstallation process with the prepared symlinks in place.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.1.4 and later
Vendor Advisory: https://www.foxitsoftware.com/support/security-bulletins.php
Restart Required: Yes
Instructions:
1. Download the latest version from the Foxit website.
2. Run the installer.
3. Restart the system.
4. Verify the version is 10.1.4 or higher.
🔧 Temporary Workarounds
Restrict Symbolic Link Creation
Configure Windows security policy to restrict who can create symbolic links
gpedit.msc -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Create symbolic links
Monitor Uninstallation Events
Set up monitoring for Foxit uninstallation processes and file deletion events
🧯 If You Can't Patch
- Restrict user permissions to prevent creation of symbolic links in sensitive directories
- Implement application control policies to prevent unauthorized uninstallation attempts
🔍 How to Verify
Check if Vulnerable:
Check Foxit Reader/PhantomPDF version in Help -> About. If version is below 10.1.4, system is vulnerable.
Check Version:
wmic product where "name like 'Foxit%'" get version
Verify Fix Applied:
Verify version is 10.1.4 or higher in Help -> About. Test that uninstallation no longer follows arbitrary symlinks.
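The version check above as a script, for running across many hosts. This is an added example, not vendor code: it reads the standard Windows uninstall registry keys rather than using `wmic product`, because that command queries Win32_Product, which runs a Windows Installer consistency check on every MSI package. It assumes the product's DisplayName starts with "Foxit" (the same filter as the wmic command) and uses 10.1.4 as the fixed version stated on this page.

```powershell
# Added example: list installed Foxit products and flag versions below 10.1.4.
$fixed = [version]'10.1.4'   # patch version as given on this page

# Standard uninstall registry locations (64-bit, 32-bit view, per-user installs).
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$results = Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Foxit*' } |   # assumption: name prefix
    ForEach-Object {
        # DisplayVersion may be missing or not a dotted version string.
        $parsed = $null
        $ok = [version]::TryParse([string]$_.DisplayVersion, [ref]$parsed)

        $status = if (-not $ok) {
            'UNKNOWN (version not parseable, check Help -> About)'
        } elseif ($parsed -lt $fixed) {
            'VULNERABLE (below 10.1.4)'
        } else {
            'Patched (10.1.4 or later)'
        }

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Name     = $_.DisplayName
            Version  = $_.DisplayVersion
            Status   = $status
        }
    }

if ($results) {
    $results | Format-Table -AutoSize
} else {
    Write-Output "No Foxit products found in the uninstall registry keys on $env:COMPUTERNAME."
}
```

The HKCU key only covers the account running the script, so per-user installs under other profiles need a separate pass.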
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs: Process creation for Foxit uninstaller
- Security logs: File deletion events from Foxit processes
- Application logs: Uninstallation events
Network Indicators:
- No network indicators - local exploitation only
SIEM Query:
source="windows" (process_name="Foxit*uninstall*" OR process_name="Foxit*setup*") AND (event_id="4663" OR event_id="4656")