CVE-2022-24365

8.8 HIGH

📋 TL;DR

This is a use-after-free vulnerability in Foxit PDF Reader's AcroForms handling that allows remote code execution. Attackers can exploit it by tricking users into opening malicious PDF files or visiting malicious web pages. It affects Foxit PDF Reader users running version 11.1.0.52543 or earlier.

💻 Affected Systems

Products:
  • Foxit PDF Reader
Versions: 11.1.0.52543 and earlier versions
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining the same privileges as the current user, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠 Likely Case

Local privilege escalation or malware installation on the affected system, with potential for credential harvesting and persistence.

🟢 If Mitigated

Limited impact if executed in a sandboxed environment or with restricted user privileges, though data exfiltration remains possible.

🌐 Internet-Facing: MEDIUM - Requires user interaction (opening malicious file/website) but PDF readers are commonly used and targeted.
🏢 Internal Only: MEDIUM - Internal phishing campaigns could exploit this, but requires user interaction and specific software version.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction but is straightforward once the malicious PDF is opened. ZDI-CAN-15852 indicates professional vulnerability research.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.1.1 or later

Vendor Advisory: https://www.foxit.com/support/security-bulletins.html

Restart Required: Yes

Instructions:

1. Open Foxit PDF Reader.
2. Go to Help > Check for Updates.
3. Follow prompts to install latest version.
4. Restart computer after installation.

🔧 Temporary Workarounds

Disable JavaScript in Foxit Reader

all

Prevents JavaScript execution in PDFs which may mitigate some exploitation vectors

File > Preferences > JavaScript > Uncheck 'Enable JavaScript'

Use Protected View

all

Open PDFs in protected/sandboxed mode to limit potential damage

File > Preferences > Trust Manager > Check 'Enable Safe Reading Mode'

🧯 If You Can't Patch

  • Restrict PDF file handling to alternative PDF readers that are not vulnerable
  • Implement application whitelisting to block execution of Foxit Reader until patched

🔍 How to Verify

Check if Vulnerable:

Check Foxit Reader version: Open Foxit Reader > Help > About Foxit Reader. If the version is 11.1.0.52543 or earlier, the system is vulnerable.

Check Version:

On Windows: wmic product where name="Foxit Reader" get version

Verify Fix Applied:

Verify version is 11.1.1 or later in Help > About Foxit Reader. Test opening known safe PDF files to ensure functionality.
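
For checking many Windows hosts, the version comparison above can be scripted. The following is an added example, not taken from the vendor advisory: it reads the standard Windows uninstall registry keys instead of `wmic product`, because querying Win32_Product is slow and triggers an MSI consistency check on every installed package. It assumes the installer registers a DisplayName matching `Foxit*Reader*`; the function name `Test-FoxitVulnerable` is hypothetical.

```powershell
# Added example: flag Foxit Reader installs at or below the last affected build.
# Assumption: the installer registers a DisplayName matching 'Foxit*Reader*'.
$LastAffected = [version]'11.1.0.52543'   # last affected version, from the text above

function Test-FoxitVulnerable {
    param([Parameter(Mandatory)][string]$DisplayVersion)
    $parsed = $null
    # An unparseable version returns $null so it gets reviewed, not silently passed.
    if (-not [version]::TryParse($DisplayVersion, [ref]$parsed)) { return $null }
    # 11.1.1 parses as greater than 11.1.0.52543, so patched builds return $false.
    return ($parsed -le $LastAffected)
}

# Per-machine (64-bit and 32-bit views) and per-user uninstall entries.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$found = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Foxit*Reader*' -and $_.DisplayVersion }

if (-not $found) {
    Write-Output 'No Foxit Reader entry found in the uninstall registry keys.'
}

foreach ($app in $found) {
    $result = Test-FoxitVulnerable -DisplayVersion $app.DisplayVersion
    $status = if ($null -eq $result) { 'UNKNOWN (version not parseable)' }
              elseif ($result)       { 'VULNERABLE (11.1.0.52543 or earlier)' }
              else                   { 'OK (later than 11.1.0.52543)' }
    # One object per installation, suitable for Export-Csv or remote collection.
    [pscustomobject]@{
        Host    = $env:COMPUTERNAME
        Name    = $app.DisplayName
        Version = $app.DisplayVersion
        Status  = $status
    }
}
```

Portable or manually copied installations do not create uninstall entries, so an empty result is not proof that no vulnerable binary is present.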

📡 Detection & Monitoring

Log Indicators:

  • Unexpected Foxit Reader crashes
  • Process spawning from Foxit Reader
  • Suspicious file access patterns from Foxit process

Network Indicators:

  • Foxit Reader making unexpected outbound connections
  • DNS requests to suspicious domains after PDF opening

SIEM Query:

event_id:1 AND (process_name:"FoxitReader.exe" OR parent_process_name:"FoxitReader.exe")
