CVE-2023-37333
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious PCX files in Kofax Power PDF. The flaw exists in PCX file parsing due to insufficient input validation, leading to memory corruption. Affected users are those running vulnerable versions of Kofax Power PDF on Windows systems.
💻 Affected Systems
- Kofax Power PDF
📦 What is this software?
Power PDF by Tungsten Automation
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the affected system, data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Local privilege escalation leading to data exfiltration, malware installation, or persistence mechanisms being established on the compromised system.
If Mitigated
Application crash or denial of service if memory corruption cannot be reliably exploited for code execution.
🎯 Exploit Status
Exploitation requires user interaction but no authentication. Memory corruption vulnerabilities can be complex to weaponize reliably across different environments.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in provided references; check Kofax advisory for exact version
Vendor Advisory: https://www.kofax.com/security/advisories (check for specific advisory)
Restart Required: Yes
Instructions:
1. Check current Power PDF version
2. Visit Kofax support portal for latest updates
3. Download and install the security update
4. Restart system if prompted
🔧 Temporary Workarounds
Disable PCX file association (Windows)
Remove or modify the file association so PCX files don't open with Power PDF by default.
Windows: Use the 'Default Apps' settings or a registry modification to change the .pcx file association.
Block PCX files at perimeter (all platforms)
Prevent PCX files from entering the network via email or web gateways.
🧯 If You Can't Patch
- Implement application whitelisting to prevent unauthorized PDF viewers from executing
- Use endpoint protection with memory corruption exploit prevention capabilities
🔍 How to Verify
Check if Vulnerable:
Check the installed Power PDF version against the Kofax security advisory. If the installed version is older than the patched version, the system is vulnerable.
Check Version:
In Power PDF: Help → About, or check Windows Programs and Features for the installed version.
Verify Fix Applied:
Verify that the Power PDF version matches or exceeds the patched version from the Kofax advisory. Test with known-safe PCX files to ensure application stability.
📡 Detection & Monitoring
Log Indicators:
- Application crashes of Power PDF when processing PCX files
- Unexpected child processes spawned from Power PDF
Network Indicators:
- Downloads of PCX files from untrusted sources
- Outbound connections from Power PDF process to suspicious IPs
SIEM Query:
Process creation where parent process contains 'powerpdf' AND (command line contains '.pcx' OR file extension is '.pcx')
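The SIEM logic above, together with the "unexpected child processes" indicator, expressed as a small Python detector run over constructed process-creation events (added example, not part of the original page; the field names mirror Sysmon Event ID 1 records, and the suspicious-child list is an assumption to tune per environment):

```python
"""Toy detector for the page's Power PDF / PCX process-creation logic.

Events are constructed samples shaped like Sysmon Event ID 1 records:
ParentImage, Image and CommandLine. Nothing here comes from real telemetry.
"""
import re
from typing import Iterable

# Assumption: children Power PDF has no legitimate reason to spawn. Tune per environment.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe",
                       "cscript.exe", "rundll32.exe", "mshta.exe"}
PCX_RE = re.compile(r"\.pcx\b", re.IGNORECASE)

def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event: dict) -> list[str]:
    """Return the names of the rules the event matches (empty list means no hit)."""
    hits: list[str] = []
    if "powerpdf" not in event.get("ParentImage", "").lower():
        return hits                      # both rules require Power PDF as the parent
    # Page's SIEM query: command line contains '.pcx' OR the image's extension is .pcx
    if PCX_RE.search(event.get("CommandLine", "")) or basename(event.get("Image", "")).endswith(".pcx"):
        hits.append("powerpdf_pcx_child")
    # Log indicator: unexpected child process spawned from Power PDF
    if basename(event.get("Image", "")) in SUSPICIOUS_CHILDREN:
        hits.append("powerpdf_unexpected_child")
    return hits

def scan(events: Iterable[dict]) -> dict[str, list[str]]:
    """Map each rule name to the EventIds that triggered it."""
    out: dict[str, list[str]] = {}
    for ev in events:
        for rule in classify(ev):
            out.setdefault(rule, []).append(ev["EventId"])
    return out

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"EventId": "1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Kofax\Power PDF\PowerPDF.exe",
     "CommandLine": r'"PowerPDF.exe" C:\Users\alice\scan.pcx'},           # user opens a file: parent is not Power PDF
    {"EventId": "2", "ParentImage": r"C:\Program Files\Kofax\Power PDF\PowerPDF.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Temp\invoice.pcx"},                   # hits both rules
    {"EventId": "3", "ParentImage": r"C:\Program Files\Kofax\Power PDF\PowerPDF.exe",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 8192"},  # printing helper: benign
    {"EventId": "4", "ParentImage": r"C:\Program Files\Kofax\Power PDF\PowerPDF.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile"},                         # unexpected child only
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

Note that event 1, the user actually opening a PCX file in Power PDF, is not caught by the page's query because Power PDF is the child there, not the parent; a companion rule on Power PDF's own command line closes that gap.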