CVE-2023-37335
📋 TL;DR
A heap-based buffer overflow in the BMP file parser of Kofax Power PDF lets a remote attacker execute arbitrary code with the privileges of the user running the application. User interaction is required: the target must open a malicious BMP file or visit a malicious web page that delivers one. Anyone who opens or imports BMP images from untrusted sources with Power PDF is affected.
💻 Affected Systems
- Kofax Power PDF
📦 What is this software?
Power PDF by Tungsten Automation (the company formerly known as Kofax). It is a desktop PDF editor and converter that imports common image formats, BMP among them.
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary code execution as the logged-in user. Where that user is a local administrator, or the payload is chained with a separate privilege escalation, this amounts to full compromise of the workstation: credential theft, ransomware deployment, and lateral movement into the network.
Likely Case
Arbitrary code execution in the context of the user who opened the file. A file-parser overflow does not escalate privileges by itself; the typical follow-on is a loader or implant dropped for data exfiltration and persistence under that user account.
If Mitigated
Application crash (denial of service) when the exploit fails or is blocked by exploit mitigations such as heap hardening, ASLR or CFG, with loss of unsaved work in open documents.
🎯 Exploit Status
Exploitation requires user interaction (opening a malicious BMP, or visiting a web page that delivers one). No public proof of concept is known, but the flaw sits in a common image-format parser that is reachable from untrusted input, so weaponization is plausible.
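The page does not describe the exact faulty field or code path in Power PDF, and the following is not Kofax's code. It is an added C example of the generic pattern behind a BMP heap overflow: a loader derives its allocation size from header arithmetic done in 32-bit integers, so a crafted biWidth/biHeight pair wraps the product to a tiny value while the file carries far more pixel data than that. Beside it is a hardened loader that bounds the dimensions (the 32768 cap is an assumed sanity limit), does the size math in 64 bits, checks it against the file length, and uses one validated length for both the allocation and the copy. The vulnerable version only reports the sizes a naive loader would use, so the program is safe to run; the BMP files are constructed inline.

```c
/* Added illustration of a BMP-parser heap overflow pattern; not Kofax code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BMP_HDR_LEN 54u    /* BITMAPFILEHEADER (14) + BITMAPINFOHEADER (40) */
#define MAX_DIM     32768u /* assumed sanity cap on width/height for this example */

enum bmp_status { BMP_OK = 0, BMP_BAD_HEADER, BMP_BAD_DIMENSIONS, BMP_BAD_BPP, BMP_TRUNCATED, BMP_NOMEM };
struct bmp_hdr { uint32_t off_bits; int32_t width, height; uint16_t bpp; uint32_t size_image; };

/* Little-endian field access (BMP headers are always little-endian). */
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

static int read_hdr(const uint8_t *buf, size_t len, struct bmp_hdr *h) {
    if (len < BMP_HDR_LEN || buf[0] != 'B' || buf[1] != 'M') return 0;
    h->off_bits   = rd32(buf + 10);            /* bfOffBits: where pixel data starts */
    h->width      = (int32_t)rd32(buf + 18);   /* biWidth */
    h->height     = (int32_t)rd32(buf + 22);   /* biHeight (negative = top-down) */
    h->bpp        = rd16(buf + 28);            /* biBitCount */
    h->size_image = rd32(buf + 34);            /* biSizeImage (advisory, may be 0) */
    return 1;
}

/* VULNERABLE pattern. Only computes the sizes a naive loader would use, so it is safe to run:
   stride * height is 32-bit arithmetic and wraps for large dimensions, leaving a heap chunk
   far smaller than the pixel bytes the loader then copies into it. */
int vuln_sizes(const uint8_t *buf, size_t len, uint32_t *alloc, uint32_t *copy) {
    struct bmp_hdr h;
    if (!read_hdr(buf, len, &h) || h.off_bits > len) return 0;
    uint32_t stride = (((uint32_t)h.width * h.bpp + 31) / 32) * 4;  /* rows padded to 4 bytes */
    *alloc = stride * (uint32_t)h.height;   /* would be malloc(*alloc): wraps modulo 2^32 */
    *copy  = (uint32_t)(len - h.off_bits);  /* would be memcpy(dst, buf + off_bits, *copy) */
    return 1;
}

/* HARDENED loader: bounded dimensions, 64-bit size math, file-length check, and one validated
   length used for both the allocation and the copy (biSizeImage is never trusted). */
enum bmp_status hardened_load(const uint8_t *buf, size_t len, uint8_t **pixels, size_t *npix) {
    struct bmp_hdr h;
    *pixels = NULL; *npix = 0;
    if (!read_hdr(buf, len, &h) || h.off_bits < BMP_HDR_LEN || h.off_bits > len) return BMP_BAD_HEADER;
    uint64_t w   = h.width  < 0 ? 0 : (uint64_t)h.width;
    uint64_t hgt = h.height < 0 ? (uint64_t)(-(int64_t)h.height) : (uint64_t)h.height;
    if (w == 0 || hgt == 0 || w > MAX_DIM || hgt > MAX_DIM) return BMP_BAD_DIMENSIONS;
    if (h.bpp != 1 && h.bpp != 4 && h.bpp != 8 && h.bpp != 16 && h.bpp != 24 && h.bpp != 32) return BMP_BAD_BPP;
    uint64_t need = ((w * h.bpp + 31) / 32) * 4 * hgt;   /* <= 32768*4*32768 = 2^32, cannot overflow */
    if (need > len - h.off_bits) return BMP_TRUNCATED;    /* declared image larger than the file */
    uint8_t *p = malloc((size_t)need);
    if (!p) return BMP_NOMEM;
    memcpy(p, buf + h.off_bits, (size_t)need);
    *pixels = p; *npix = (size_t)need;
    return BMP_OK;
}

/* Constructed test file: minimal headers plus zero-filled pixel bytes. Returns total length, 0 if cap too small. */
size_t build_bmp(uint8_t *out, size_t cap, int32_t w, int32_t hgt, uint16_t bpp, size_t pixel_bytes) {
    size_t total = BMP_HDR_LEN + pixel_bytes;
    if (total > cap) return 0;
    memset(out, 0, total);
    out[0] = 'B'; out[1] = 'M';
    wr32(out + 2, (uint32_t)total);                            /* bfSize */
    wr32(out + 10, BMP_HDR_LEN);                               /* bfOffBits */
    wr32(out + 14, 40);                                        /* biSize */
    wr32(out + 18, (uint32_t)w); wr32(out + 22, (uint32_t)hgt); /* biWidth, biHeight */
    wr16(out + 26, 1); wr16(out + 28, bpp);                    /* biPlanes, biBitCount */
    wr32(out + 34, (uint32_t)pixel_bytes);                     /* biSizeImage */
    return total;
}

/* Crafted header 4 x 1073741825 x 32 bpp: stride 16, 16 * 1073741825 = 2^34 + 16, so the 32-bit
   product is 16 while the file carries 256 pixel bytes: a 16-byte chunk receives a 256-byte copy. */
int crafted_overflows_naive(void) {
    uint8_t f[512]; uint32_t a = 0, c = 0;
    size_t len = build_bmp(f, sizeof f, 4, 1073741825, 32, 256);
    return vuln_sizes(f, len, &a, &c) && a == 16 && c == 256;
}
enum bmp_status crafted_hardened_status(void) {
    uint8_t f[512]; uint8_t *px; size_t n;
    size_t len = build_bmp(f, sizeof f, 4, 1073741825, 32, 256);
    return hardened_load(f, len, &px, &n);   /* rejected before any allocation */
}
int benign_hardened_bytes(void) {            /* 2 x 2 x 24 bpp: stride 8, 16 pixel bytes */
    uint8_t f[512]; uint8_t *px; size_t n;
    size_t len = build_bmp(f, sizeof f, 2, 2, 24, 16);
    int ok = hardened_load(f, len, &px, &n) == BMP_OK;
    free(px);
    return ok ? (int)n : -1;
}

int main(void) {
    printf("naive loader on crafted file: overflow=%d\n", crafted_overflows_naive());
    printf("hardened loader on crafted file: status=%d (%d = bad dimensions)\n", (int)crafted_hardened_status(), (int)BMP_BAD_DIMENSIONS);
    printf("hardened loader on benign file: %d pixel bytes\n", benign_hardened_bytes());
    return 0;
}
```

The point to take from the hardened version is not the particular cap but the discipline: every length used for allocation or copying comes from one bounded, overflow-free computation that has been checked against the bytes actually present, and the header's own size claim (biSizeImage) is never used for either.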
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: not stated on this page; check the Kofax advisory (the linked ReadMe belongs to the Power PDF 5.5.0 release)
Vendor Advisory: https://docshield.kofax.com/PowerPDF/en_US/5.5.0-d3ps28gq5a/print/ReadMe.htm
Restart Required: Yes
Instructions:
1. Open Kofax Power PDF
2. Navigate to Help > Check for Updates
3. Follow prompts to install latest version
4. Restart application and system if required
🔧 Temporary Workarounds
Disable BMP file association
Windows: Remove Kofax Power PDF as the default handler for .bmp files so that double-clicking a BMP does not open it in Power PDF.
Control Panel > Default Programs > Set Default Programs > Kofax Power PDF > Choose defaults for this program > untick .bmp
This closes only one path to the parser: a BMP that a user opens or inserts from inside Power PDF is still parsed by the same code, so treat it as a partial mitigation.
Block BMP files at perimeter
All platforms: Configure email and web gateways to block .bmp attachments and downloads. Match on content type as well as file extension, and expect BMPs delivered inside archives or other containers to pass an extension-only filter.
🧯 If You Can't Patch
- Use application control (allowlisting) so that payloads dropped into user-writable locations cannot execute, and so that Power PDF cannot launch unexpected child processes such as script interpreters
- Use endpoint protection with exploit mitigations (DEP, ASLR, CFG, heap protections) enforced for the Power PDF process, which turns a failed exploit into a crash rather than code execution
🔍 How to Verify
Check if Vulnerable:
Check Kofax Power PDF version against patched version in vendor advisory
Check Version:
In Kofax Power PDF: Help > About
Verify Fix Applied:
Verify installed version matches or exceeds patched version from vendor advisory
📡 Detection & Monitoring
Log Indicators:
- Windows Application Error or WER crash events for the Power PDF process with an access-violation exception code (0xc0000005), especially shortly after a BMP was opened
- Unexpected child processes (cmd.exe, powershell.exe, rundll32.exe, mshta.exe and similar) spawned by the Power PDF process
Network Indicators:
- Outbound connections from PDF viewer to unexpected destinations
- DNS requests for suspicious domains after file open
SIEM Query (pseudo-syntax; map the field names to your log source, e.g. Sysmon Event ID 1 or Windows Security 4688):
Process creation where ParentImage contains 'powerpdf' AND Image is not one of the child processes the viewer normally spawns (baseline these in your environment, e.g. print helpers and Windows Error Reporting). Treat a child CommandLine containing '.bmp' as a secondary signal. Memory-allocation anomalies are not visible in process-creation telemetry; for those, rely on exploit-protection or EDR memory-integrity events rather than this query.