CVE-2022-28671

7.8 HIGH

📋 TL;DR

This is a use-after-free vulnerability in Foxit PDF Reader that allows remote attackers to execute arbitrary code. Attackers can exploit it by tricking users into opening malicious PDF files or visiting malicious web pages. Users of Foxit PDF Reader 11.2.1.53537 are affected.

💻 Affected Systems

Products:
  • Foxit PDF Reader
Versions: 11.2.1.53537 and earlier versions
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. User interaction required (opening malicious PDF or visiting malicious page).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining the same privileges as the current user, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠 Likely Case

Local privilege escalation or arbitrary code execution within the user context, enabling data exfiltration, malware installation, or persistence mechanisms.

🟢 If Mitigated

Application crash or denial of service if exploit fails, with potential for limited data exposure.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction but no authentication. ZDI-CAN-16639 suggests active research/exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.2.2 or later

Vendor Advisory: https://www.foxit.com/support/security-bulletins.html

Restart Required: Yes

Instructions:

1. Download the latest version from the Foxit website.
2. Run the installer.
3. Restart the system.
4. Verify the update in Help > About.

🔧 Temporary Workarounds

Disable JavaScript in Foxit Reader (platforms: all)

Prevents JavaScript-based exploitation vectors

File > Preferences > JavaScript > Uncheck 'Enable JavaScript'

Use Protected View (platforms: all)

Opens files in sandboxed mode

File > Preferences > Trust Manager > Check 'Enable Safe Reading Mode'

🧯 If You Can't Patch

  • Temporarily switch to alternative PDF readers like Adobe Reader or browser-based viewers
  • Implement application whitelisting to block Foxit Reader execution

🔍 How to Verify

Check if Vulnerable:

Check Foxit Reader version in Help > About. If version is 11.2.1.53537 or earlier, system is vulnerable.

Check Version:

On Windows: wmic product where name="Foxit Reader" get version

Verify Fix Applied:

Verify version is 11.2.2 or later in Help > About. Test with known safe PDF files to ensure functionality.
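
Scripted check (added example, not part of the original advisory): this PowerShell snippet reads the uninstall registry keys and compares each installed version against the 11.2.2 fix version, instead of using the deprecated wmic tool, whose `product` alias queries Win32_Product and triggers a Windows Installer consistency check of every installed MSI package. The 'Foxit*Reader*' display-name pattern is an assumption about how the installer registers the product.

```powershell
# Added example: registry-based version check for CVE-2022-28671.
# Assumption: the installer registers a DisplayName matching 'Foxit*Reader*'.
$FixedVersion = [version]'11.2.2'   # first fixed release per the advisory

# Machine-wide (64-bit and 32-bit views) and per-user installations.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$found = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Foxit*Reader*' -and $_.DisplayVersion }

if (-not $found) {
    Write-Output 'No Foxit Reader installation found in the uninstall registry keys.'
    return
}

foreach ($app in $found) {
    $parsed = $null
    if (-not [version]::TryParse($app.DisplayVersion, [ref]$parsed)) {
        # Unparseable version strings are flagged for manual review, not assumed safe.
        $status = 'UNKNOWN (check Help > About)'
    }
    elseif ($parsed -lt $FixedVersion) {
        # [version] compares numerically per component, so 11.2.1.53537 < 11.2.2.
        $status = 'VULNERABLE'
    }
    else {
        $status = 'patched'
    }
    [pscustomobject]@{
        Name    = $app.DisplayName
        Version = $app.DisplayVersion
        Status  = $status
    }
}
```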

📡 Detection & Monitoring

Log Indicators:

  • Application crashes of FoxitReader.exe
  • Unusual child processes spawned from Foxit Reader
  • Memory access violation errors in application logs

Network Indicators:

  • Unexpected outbound connections from Foxit Reader process
  • Downloads of PDF files from suspicious sources

SIEM Query:

(process_name:"FoxitReader.exe" AND (event_id:1000 OR event_id:1001)) OR (parent_process:"FoxitReader.exe" AND process_creation)
