CVE-2023-37341
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious PNG files in Kofax Power PDF. The flaw exists in PNG file parsing where improper data validation leads to buffer overflow. All users running affected versions of Kofax Power PDF are at risk.
💻 Affected Systems
- Kofax Power PDF
📦 What is this software?
Power PDF by Tungsten Automation (formerly Kofax)
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the affected system, data theft, ransomware deployment, and lateral movement within the network.
Likely Case
Local privilege escalation leading to data exfiltration, installation of persistent malware, or use as initial access point for broader network attacks.
If Mitigated
Limited impact with application crash or denial of service if exploit fails, but no code execution due to security controls.
🎯 Exploit Status
Exploitation requires user interaction (opening malicious file). The vulnerability is in PNG parsing which is commonly exploited. ZDI has published details but no public PoC.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Kofax security advisory for specific patched version
Vendor Advisory: https://docshield.kofax.com/PowerPDF/en_US/5.0.0-5.0.0.10/wwhelp/wwhimpl/js/html/wwhelp.htm#href=ReleaseNotes.05.00.html
Restart Required: Yes
Instructions:
1. Check the currently installed Power PDF version.
2. Visit the Kofax support portal.
3. Download and install the latest security update.
4. Restart the system.
5. Verify that the update was applied successfully.
🔧 Temporary Workarounds
Disable PNG file handling
Windows: Remove the .png file association with Kofax Power PDF to prevent automatic opening.
Control Panel > Default Programs > Set Associations > Remove .png association with Power PDF
Application control policy
Windows: Block execution of Power PDF via application whitelisting.
🧯 If You Can't Patch
- Implement strict email filtering to block PNG attachments
- Deploy endpoint protection with memory protection and exploit mitigation
🔍 How to Verify
Check if Vulnerable:
Check Power PDF version against Kofax security advisory. Versions before the patched release are vulnerable.
Check Version:
In Power PDF: Help > About Power PDF
Verify Fix Applied:
Verify Power PDF version matches or exceeds patched version in vendor advisory. Test with known safe PNG files.
📡 Detection & Monitoring
Log Indicators:
- Power PDF crash logs with memory access violations
- Unexpected child processes spawned from Power PDF
- Abnormal network connections from Power PDF process
Network Indicators:
- Outbound connections from Power PDF to unknown IPs
- DNS requests for suspicious domains from PDF process
SIEM Query:
Process Creation where (Image contains 'powerpdf.exe' AND ParentImage contains 'explorer.exe') OR (Image contains 'cmd.exe' AND ParentImage contains 'powerpdf.exe')
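The SIEM logic above, applied to constructed Sysmon-style process-creation records, as an added example that is not part of the original advisory. It also covers the "unexpected child processes spawned from Power PDF" log indicator by flagging any child of powerpdf.exe that is not on an allowlist; the sample events, the install path and the allowlist of expected children (splwow64.exe for printing) are assumptions made for this example.

```python
"""Evaluate Power PDF process-creation events against the advisory's
detection logic.

Field names (Image, ParentImage) follow Sysmon Event ID 1 naming. The
events, the install path and the expected-children allowlist below are
constructed for this example, not taken from a real host.
"""

from __future__ import annotations

import ntpath
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path; ntpath accepts '\\' and '/'."""
    return ntpath.basename(path).lower()


def launched_from_explorer(ev: ProcessEvent) -> bool:
    """Clause 1 of the advisory query: explorer.exe -> powerpdf.exe.

    This is ordinary user behaviour, so it is reported as context only."""
    return basename(ev.image) == "powerpdf.exe" and basename(ev.parent_image) == "explorer.exe"


def classify(ev: ProcessEvent,
             expected_children: frozenset[str] = frozenset()) -> Optional[tuple[str, str]]:
    """Return (severity, reason) for an event of interest, else None.

    File names are compared exactly rather than with 'contains' so that a
    look-alike such as 'notcmd.exe' does not trip the rule."""
    if basename(ev.parent_image) == "powerpdf.exe":
        child = basename(ev.image)
        if child == "cmd.exe":                       # clause 2 of the advisory query
            return ("high", "powerpdf.exe spawned cmd.exe")
        if child not in expected_children:           # generalised child-process indicator
            return ("medium", f"powerpdf.exe spawned unexpected child {child}")
        return None
    if launched_from_explorer(ev):
        return ("info", "powerpdf.exe launched from explorer.exe")
    return None


def scan(events: list[ProcessEvent],
         expected_children: frozenset[str] = frozenset()) -> list[tuple[str, str, ProcessEvent]]:
    """Run classify() over a batch of events and keep the hits."""
    hits = []
    for ev in events:
        verdict = classify(ev, expected_children)
        if verdict is not None:
            hits.append((verdict[0], verdict[1], ev))
    return hits


# Assumed install path (constructed; the real path depends on the installed version).
POWERPDF = r"C:\Program Files\Kofax\Power PDF\PowerPDF.exe"

# Assumed allowlist: the 32-bit print spooler helper Windows starts for printing apps.
EXPECTED_CHILDREN = frozenset({"splwow64.exe"})

# Constructed sample events, in the order a log would deliver them.
SAMPLE_EVENTS = [
    ProcessEvent(image=POWERPDF, parent_image=r"C:\Windows\explorer.exe"),
    ProcessEvent(image=r"C:\Windows\System32\cmd.exe", parent_image=POWERPDF),
    ProcessEvent(image=r"C:\Windows\splwow64.exe", parent_image=POWERPDF),
    ProcessEvent(image=r"C:\Windows\System32\cmd.exe",
                 parent_image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcessEvent(image=r"C:\Windows\System32\rundll32.exe", parent_image=POWERPDF),
]


if __name__ == "__main__":
    for severity, reason, ev in scan(SAMPLE_EVENTS, EXPECTED_CHILDREN):
        print(f"[{severity:6}] {reason}: {ev.parent_image} -> {ev.image}")
```

On the sample data this reports the explorer.exe launch as info, the cmd.exe child as high and the rundll32.exe child as medium, while the print helper and the unrelated Word event are ignored. The explorer.exe clause from the advisory query fires on every normal launch, so it is better used to enrich a higher-severity hit than to page on by itself; the child-process clauses are the ones worth alerting on.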