CVE-2023-37354

7.8 HIGH

📋 TL;DR

This vulnerability in Kofax Power PDF allows remote attackers to execute arbitrary code by tricking users into opening malicious PNG files. The flaw exists in PNG parsing, where improper data validation leads to out-of-bounds reads. Anyone running a vulnerable version of Kofax Power PDF who opens untrusted PDF files is affected.

💻 Affected Systems

Products:
  • Kofax Power PDF
Versions: Specific versions not specified in provided references, but likely multiple recent versions prior to patch
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations with PNG file support enabled are vulnerable. User interaction required (opening malicious file).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining the same privileges as the PDF viewer process, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠 Likely Case

Malicious code execution within the PDF application context, allowing file system access, credential harvesting, and persistence mechanisms.

🟢 If Mitigated

Application crash or denial of service if exploit fails, with potential data loss from corrupted files.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (opening malicious file). The vulnerability is in PNG parsing within PDF files, making weaponization likely through phishing or malicious websites.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Kofax security advisory for specific patched version

Vendor Advisory: https://docshield.kofax.com/PowerPDF/en_US/5.5.0-d3s176i9m5/help/Online/Content/ReleaseNotes/ReleaseNotes.htm

Restart Required: Yes

Instructions:

1. Open Kofax Power PDF
2. Navigate to Help > Check for Updates
3. Follow prompts to download and install latest version
4. Restart application and system if prompted

🔧 Temporary Workarounds

Disable PNG file processing (Windows)

Configure PDF viewer to block PNG image processing or use alternative PDF viewer

Application control policies (Windows)

Implement application whitelisting to prevent unauthorized PDF viewers

🧯 If You Can't Patch

  • Implement strict email filtering to block PDF attachments with embedded PNG files
  • Train users to never open PDF files from untrusted sources and use sandboxed PDF viewers

🔍 How to Verify

Check if Vulnerable:

Check Kofax Power PDF version against vendor advisory. Versions prior to patched release are vulnerable.

Check Version:

In Kofax Power PDF: Help > About Power PDF

Verify Fix Applied:

Verify installed version matches or exceeds patched version specified in vendor advisory

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with memory access violations
  • Unexpected child processes spawned from PDF viewer
  • Suspicious network connections originating from PDF application

Network Indicators:

  • Outbound connections from PDF viewer to unknown IPs
  • DNS requests for suspicious domains after PDF file opens

SIEM Query:

Process creation where parent process contains 'powerpdf' AND (command line contains '.png' OR memory allocation errors detected)
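
The log indicators and SIEM query above, applied to constructed events; this is an added example, not part of the original advisory or any vendor tooling. The event field names, the install path and the allowlisted child `splwow64.exe` are assumptions, and the query's "memory allocation errors" clause is approximated by the crash indicator (access-violation exception code).

```python
import ntpath

PARENT_MARKER = "powerpdf"       # substring used by the page's SIEM query
ACCESS_VIOLATION = "0xc0000005"  # Windows STATUS_ACCESS_VIOLATION
# Assumption: children the viewer may legitimately start; tune per environment.
EXPECTED_CHILDREN = {"splwow64.exe"}

# Constructed sample events, not real telemetry. Field names and paths are assumptions.
VIEWER = r"C:\Program Files\Example\PowerPDF\PowerPDF.exe"
EVENTS = [
    {"id": 1, "type": "process_create", "parent": VIEWER,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c example.bat"},
    {"id": 2, "type": "process_create", "parent": VIEWER,
     "image": r"C:\Windows\splwow64.exe", "cmdline": "splwow64.exe 8192"},
    {"id": 3, "type": "process_create", "parent": r"C:\Windows\explorer.exe",
     "image": VIEWER, "cmdline": r'PowerPDF.exe "C:\Users\a\invoice.pdf"'},
    {"id": 4, "type": "app_crash", "image": VIEWER, "exception_code": "0xC0000005"},
    {"id": 5, "type": "process_create", "parent": VIEWER,
     "image": r"C:\Windows\System32\mspaint.exe",
     "cmdline": r'mspaint.exe "C:\Users\a\x.png"'},
]


def _is_viewer(path):
    """True when the image path contains the marker from the page's query."""
    return PARENT_MARKER in path.lower()


def evaluate(event):
    """Return the list of page indicators this event matches (empty if none)."""
    reasons = []
    if event["type"] == "process_create" and _is_viewer(event["parent"]):
        child = ntpath.basename(event["image"]).lower()
        if child not in EXPECTED_CHILDREN:
            reasons.append("unexpected child process: " + child)
        if ".png" in event["cmdline"].lower():
            reasons.append("command line references a .png file")
    elif event["type"] == "app_crash" and _is_viewer(event["image"]):
        if event["exception_code"].lower() == ACCESS_VIOLATION:
            reasons.append("viewer crashed with access violation")
    return reasons


def scan(events):
    """Map event id -> matched indicators, keeping only events that matched."""
    return {e["id"]: r for e in events if (r := evaluate(e))}
```

A single access-violation crash is weak evidence on its own; it is most useful when correlated with a recently opened file from an untrusted source.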
