CVE-2021-45979

7.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on macOS systems running vulnerable versions of Foxit PDF Reader and PDF Editor. Attackers can exploit the app.launchURL function in the JavaScript API to run malicious commands. Users of Foxit PDF software on macOS before version 11.1 are affected.

💻 Affected Systems

Products:
  • Foxit PDF Reader
  • Foxit PDF Editor
Versions: All versions before 11.1
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects macOS versions of Foxit software. Windows and other platforms are not vulnerable to this specific CVE.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control of the macOS system, installing malware, stealing data, and using the system as a pivot point for further attacks.

🟠 Likely Case

Remote code execution leading to malware installation, data theft, or ransomware deployment on the affected macOS system.

🟢 If Mitigated

Limited impact with proper application sandboxing and user privilege restrictions, potentially containing the exploit to the application context.

🌐 Internet-Facing: MEDIUM - Requires user interaction (opening a malicious PDF), but PDFs are commonly shared via email and web, making exposure likely.
🏢 Internal Only: MEDIUM - Internal users could be targeted via malicious PDFs in phishing campaigns or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept code exists on GitHub. Exploitation requires the user to open a malicious PDF document, but no authentication is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.1 and later

Vendor Advisory: https://www.foxit.com/support/security-bulletins.html

Restart Required: Yes

Instructions:

1. Open Foxit PDF Reader/Editor
2. Go to Help > Check for Updates
3. Follow prompts to update to version 11.1 or later
4. Restart the application after update completes

🔧 Temporary Workarounds

Disable JavaScript in Foxit

Platform: all

Prevents exploitation by disabling JavaScript execution in PDF documents

1. Open Foxit PDF Reader/Editor
2. Go to Preferences > Security
3. Uncheck 'Enable JavaScript'
4. Click OK and restart application

Use Alternative PDF Viewer

Platform: macOS

Temporarily use macOS Preview or other PDF viewers until patched

Right-click PDF file > Open With > Choose Preview or other non-Foxit viewer

🧯 If You Can't Patch

  • Implement application whitelisting to block execution of unauthorized binaries
  • Restrict user privileges to standard user accounts (not admin) to limit exploit impact

🔍 How to Verify

Check if Vulnerable:

Check Foxit version: Open Foxit > Help > About Foxit Reader/Editor. If version is below 11.1, system is vulnerable.

Check Version:

On macOS terminal: mdls -name kMDItemVersion /Applications/Foxit\ PDF\ Reader.app
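The version check above, scripted so it can be run across several hosts (an added example, not vendor code). The helper function names are hypothetical; the only path used by default is the one shown above, and other bundle paths can be passed as arguments.

```sh
#!/bin/sh
# Added example: classify a Foxit install against the fixed release (11.1).
FIXED_VERSION="11.1"

# Succeeds (exit 0) when dotted version $1 is numerically lower than $2.
# Fields are compared as integers, so 9.7 < 11.1 and 11.10 > 11.1.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal versions are not "lower"
    }'
}

# Extract the version from mdls output such as: kMDItemVersion = "11.0.1"
# Prints nothing for "(null)", which mdls reports when the attribute is missing.
parse_mdls_version() {
    printf '%s\n' "$1" |
        sed -n 's/^kMDItemVersion *= *"\([0-9][0-9.]*\)".*$/\1/p'
}

classify_version() {
    if [ -z "$1" ]; then
        echo "unknown"
    elif version_lt "$1" "$FIXED_VERSION"; then
        echo "vulnerable"
    else
        echo "patched"
    fi
}

check_app() {
    [ -d "$1" ] || { echo "not-installed"; return 0; }
    classify_version "$(parse_mdls_version "$(mdls -name kMDItemVersion "$1" 2>/dev/null)")"
}

# Default path is the one given above; pass other .app bundle paths as arguments.
[ "$#" -gt 0 ] || set -- "/Applications/Foxit PDF Reader.app"
for app in "$@"; do
    printf '%s: %s\n' "$app" "$(check_app "$app")"
done
```

A result of "unknown" means mdls returned no version metadata; fall back to the About dialog on that host.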

Verify Fix Applied:

Verify the version is 11.1 or higher in the About dialog. Test with a known safe PDF containing JavaScript to ensure functionality is maintained.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process spawning from Foxit processes
  • JavaScript execution errors in Foxit logs
  • Network connections initiated by Foxit to unexpected destinations

Network Indicators:

  • Outbound connections from Foxit process to unknown IPs/domains
  • DNS requests for suspicious domains from user workstations

SIEM Query:

process_name:"Foxit" AND (process_command_line:"launchURL" OR parent_process_name:"Foxit")
