CVE-2023-37345
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious J2K files in Kofax Power PDF. The flaw exists in J2K file parsing where improper data validation leads to out-of-bounds writes. Users of affected Kofax Power PDF versions are at risk.
💻 Affected Systems
- Kofax Power PDF
📦 What is this software?
Power PDF by Tungsten Automation (formerly Kofax)
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining the same privileges as the PDF application user, potentially leading to data theft, ransomware deployment, or lateral movement.
Likely Case
Local privilege escalation or system compromise when users open malicious J2K files from untrusted sources.
If Mitigated
Limited impact with proper application sandboxing and user privilege restrictions, potentially only crashing the PDF application.
🎯 Exploit Status
Requires user interaction (opening malicious file) but exploitation is straightforward once the file is opened. ZDI has confirmed the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Latest version from vendor (check specific version in vendor advisory)
Vendor Advisory: https://docshield.kofax.com/PowerPDF/en_US/4.0.0-4.0.1/wwhelp/wwhimpl/js/html/wwhelp.htm#href=ReleaseNotes.04.1.html
Restart Required: Yes
Instructions:
1. Check the current Power PDF version.
2. Download the latest version from the Kofax website.
3. Install the update.
4. Restart the system.
5. Verify that the update was applied successfully.
🔧 Temporary Workarounds
Disable J2K file association
Platform: Windows
Remove the file association for .j2k/.jp2 files to prevent automatic opening in Power PDF
Control Panel > Default Programs > Associate a file type or protocol with a program > Select .j2k/.jp2 > Change program > Choose different application
Application control policy
Platform: Windows
Block Power PDF from executing, or restrict it to trusted directories only
🧯 If You Can't Patch
- Implement application whitelisting to block Power PDF execution
- Use email/web filtering to block J2K file attachments and downloads
🔍 How to Verify
Check if Vulnerable:
Check the Power PDF version against the vendor advisory. If the installed version is affected and the application can open J2K files, the system is vulnerable.
Check Version:
Open Power PDF > Help > About Power PDF
Verify Fix Applied:
Verify that the Power PDF version matches or exceeds the patched version in the vendor advisory. Test that J2K files can no longer trigger the vulnerability.
📡 Detection & Monitoring
Log Indicators:
- Power PDF crash logs with memory access violations
- Unexpected child processes spawned from Power PDF
Network Indicators:
- Unusual outbound connections from Power PDF process
SIEM Query:
Process creation where parent process contains 'PowerPDF' AND (command line contains '.j2k' OR '.jp2')
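The SIEM query above and the "unexpected child processes" log indicator, written out as rule logic over constructed Windows process-creation records. This is an added example, not code from the advisory or from the vendor. It assumes Sysmon Event ID 1 style fields (image, parent image, command line), an install path and executable name containing "PowerPDF" (the page gives only that substring; confirm the real image name locally), and a list of shells and script hosts that a PDF viewer has no reason to spawn. It also goes one step beyond the page's parent-only query by matching the Power PDF process itself when a J2K file name appears on its command line, since the file argument normally appears there rather than on a child process.

```python
"""Added example: the advisory's detection indicators as rules over constructed
Windows process-creation events (Sysmon Event ID 1 style fields)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal subset of a process-creation record; field names are our own."""
    timestamp: str
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str   # command line of the new process


# Rule 1, from the page's SIEM query: a .j2k/.jp2 file name on the command
# line of Power PDF or of one of its children (the page's query checks only
# the parent; matching the image as well is this example's extension).
J2K_EXT_RE = re.compile(r"\.(?:j2k|jp2)\b", re.IGNORECASE)

# Rule 2, from the page's "unexpected child processes" indicator. This list
# is an assumption; tune it to what the application legitimately spawns.
UNEXPECTED_CHILDREN = frozenset({
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe",
})

# The page identifies the application only by the substring 'PowerPDF';
# the real executable name is not on the page and must be confirmed locally.
POWERPDF_MARKER = "powerpdf"


def basename(path: str) -> str:
    """Last path component, lower-cased, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_powerpdf(path: str) -> bool:
    return POWERPDF_MARKER in path.lower()


def j2k_opened_by_powerpdf(ev: ProcessEvent) -> bool:
    """Rule 1: Power PDF (or a child of it) started with a J2K/JP2 argument."""
    if not (is_powerpdf(ev.parent_image) or is_powerpdf(ev.image)):
        return False
    return J2K_EXT_RE.search(ev.command_line) is not None


def unexpected_child_of_powerpdf(ev: ProcessEvent) -> bool:
    """Rule 2: Power PDF spawned a shell or script host."""
    return is_powerpdf(ev.parent_image) and basename(ev.image) in UNEXPECTED_CHILDREN


def evaluate(events):
    """Return (severity, rule, timestamp) triples; rule 2 is the stronger signal."""
    alerts = []
    for ev in events:
        if unexpected_child_of_powerpdf(ev):
            alerts.append(("high", "unexpected_child", ev.timestamp))
        elif j2k_opened_by_powerpdf(ev):
            alerts.append(("low", "j2k_open", ev.timestamp))
    return alerts


# Constructed sample events, not real telemetry. The install path is assumed.
PDF_EXE = r"C:\Program Files\Kofax\Power PDF\PowerPDF.exe"
CHROME_EXE = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    # Power PDF launched by Explorer to open a downloaded .jp2 (rule 1)
    ProcessEvent("2023-07-20T09:01:12Z", PDF_EXE, r"C:\Windows\explorer.exe",
                 f'"{PDF_EXE}" "C:\\Users\\alice\\Downloads\\scan.jp2"'),
    # Benign print helper spawned by Power PDF (no alert)
    ProcessEvent("2023-07-20T09:01:15Z", r"C:\Windows\System32\splwow64.exe",
                 PDF_EXE, r"C:\Windows\System32\splwow64.exe 12288"),
    # Shell spawned by Power PDF shortly after the J2K was opened (rule 2)
    ProcessEvent("2023-07-20T09:01:19Z", r"C:\Windows\System32\cmd.exe",
                 PDF_EXE, r'"C:\Windows\System32\cmd.exe" /c dir'),
    # Unrelated browser process referencing a .jp2 URL (no alert)
    ProcessEvent("2023-07-20T09:02:03Z", CHROME_EXE, CHROME_EXE,
                 f'"{CHROME_EXE}" --type=renderer https://example.test/img.jp2'),
]


if __name__ == "__main__":
    for severity, rule, ts in evaluate(SAMPLE_EVENTS):
        print(f"{ts} {severity:<4} {rule}")
```

On its own, rule 1 is only context: legitimate users open J2K files too, so treat it as enrichment for rule 2 and for the crash-log indicator above (a shell spawned seconds after a J2K open, or an access-violation crash followed by one) rather than as a paging alert.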