CVE-2022-37381 – This is a use-after-free vulnerability in Foxit... (How to Fix)

Q: What is the severity of CVE-2022-37381?

CVE-2022-37381 has a CVSS score of 7.8 (HIGH). This is a use-after-free vulnerability in Foxit PDF Reader's AFSpecial_KeystrokeEx method that allows remote attackers to execute arbitrary code. Attackers can exploit it by tricking users into opening malicious PDF files or visiting malicious web pages. All users running vulnerable versions of Foxit PDF Reader are affected.

📋 TL;DR

This is a use-after-free vulnerability in Foxit PDF Reader's AFSpecial_KeystrokeEx method that allows remote attackers to execute arbitrary code. Attackers can exploit it by tricking users into opening malicious PDF files or visiting malicious web pages. All users running vulnerable versions of Foxit PDF Reader are affected.

💻 Affected Systems

Products:

Foxit PDF Reader

Versions: Versions prior to 12.0.1

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: All default installations of affected versions are vulnerable. User interaction required (opening malicious PDF or visiting malicious page).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining the same privileges as the current user, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠

Likely Case

Local privilege escalation leading to malware installation, data exfiltration, or persistence mechanisms being established on the compromised system.

🟢

If Mitigated

Limited impact with application crash or denial of service if exploit attempts are blocked by security controls.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires user interaction but is straightforward once malicious content is delivered. The vulnerability was discovered by Zero Day Initiative (ZDI-CAN-17110).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 12.0.1 and later

Vendor Advisory: https://www.foxit.com/support/security-bulletins.html

Restart Required: Yes

Instructions:

1. Download Foxit PDF Reader 12.0.1 or later from official Foxit website. 2. Run the installer. 3. Follow installation prompts. 4. Restart system if prompted.

🔧 Temporary Workarounds

Disable JavaScript in Foxit Reader

windows

Prevents exploitation by disabling JavaScript execution which is often used in PDF-based attacks

Open Foxit Reader > File > Preferences > JavaScript > Uncheck 'Enable JavaScript'

Use Protected View

windows

Open PDFs in protected/sandboxed mode to limit potential damage

Open Foxit Reader > File > Preferences > Trust Manager > Check 'Enable Safe Reading Mode'

🧯 If You Can't Patch

Block PDF files from untrusted sources at network perimeter
Implement application whitelisting to prevent unauthorized code execution

🔍 How to Verify

Check if Vulnerable:

Check Foxit Reader version: Open Foxit Reader > Help > About Foxit Reader. If version is below 12.0.1, system is vulnerable.

Check Version:

wmic product where name="Foxit Reader" get version

Verify Fix Applied:

Verify version is 12.0.1 or higher in Help > About Foxit Reader. Test with known safe PDF files to ensure functionality.

📡 Detection & Monitoring

Log Indicators:

Application crashes in Foxit Reader logs
Unusual process creation from Foxit Reader
Memory access violation errors

Network Indicators:

Downloads of PDF files from suspicious sources
Outbound connections from Foxit Reader process

SIEM Query:

Process Creation where Image contains "foxit" and CommandLine contains ".pdf"

📊 Metadata

CVE ID: CVE-2022-37381

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: March 29, 2023

Last Updated: November 21, 2024

🔗 References

https://www.foxit.com/support/security-bulletins.html Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-22-1053/ Third Party Advisory,VDB Entry
https://www.foxit.com/support/security-bulletins.html Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-22-1053/ Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-37381, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Pdf Editor by Foxit

Pdf Editor by Foxit

Pdf Editor by Foxit

Pdf Reader by Foxit

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable JavaScript in Foxit Reader

Use Protected View

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities