CVE-2024-30373

7.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious JPF files in Kofax Power PDF. The flaw exists in JPF file parsing where improper data validation leads to out-of-bounds writes. All users of affected Kofax Power PDF versions are at risk.

💻 Affected Systems

Products:
  • Kofax Power PDF
Versions: Specific affected versions not publicly detailed in provided references; likely multiple recent versions prior to patch
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires user interaction (opening malicious JPF file) but works with default configurations

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control of the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case

Local privilege escalation leading to data exfiltration, installation of persistent malware, or credential harvesting from the compromised system.

🟢 If Mitigated

Limited impact with proper application sandboxing and user privilege restrictions, potentially resulting in application crash rather than full code execution.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction but no authentication; technical details suggest reliable exploitation is feasible

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in provided references; check Kofax security advisory for exact version

Vendor Advisory: https://docshield.kofax.com/PowerPDF/en_US/5.5.0-d3ps5g6v25/print/ReadMe.htm

Restart Required: Yes

Instructions:

1. Check current Power PDF version
2. Visit Kofax support portal
3. Download and install latest security update
4. Restart system

🔧 Temporary Workarounds

Disable JPF file association

Platform: Windows

Remove JPF file type association with Power PDF to prevent automatic opening

Control Panel > Default Programs > Associate a file type or protocol with a program > Select .jpf > Change program > Choose different application

Application sandboxing

Platform: Windows

Run Power PDF in restricted environment using application control solutions

🧯 If You Can't Patch

  • Implement strict email filtering to block JPF attachments
  • Deploy endpoint detection with behavioral analysis for suspicious PDF reader activity

🔍 How to Verify

Check if Vulnerable:

Check Power PDF version against Kofax security advisory; versions before latest patch are vulnerable

Check Version:

Open Power PDF > Help > About Power PDF

Verify Fix Applied:

Verify Power PDF version matches or exceeds patched version specified in Kofax advisory

📡 Detection & Monitoring

Log Indicators:

  • Power PDF crash logs with memory access violations
  • Unexpected child processes spawned from Power PDF

Network Indicators:

  • Unusual outbound connections from Power PDF process
  • DNS queries to suspicious domains after JPF file opening

SIEM Query:

Process Creation where (Image contains 'powerpdf.exe' and CommandLine contains '.jpf') OR (ParentImage contains 'powerpdf.exe' and not Image contains expected child processes)
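The query logic above, applied to process-creation events and extended to tie an unexpected child back to the Power PDF process that opened a .jpf file. This is an added example, not code from this page or from the vendor. The `EXPECTED_CHILDREN` allowlist, the `Host`/`ProcessId`/`ParentProcessId` fields, the exact-name match (tighter than the query's "contains") and all sample events are assumptions constructed for illustration.

```python
# Added example: the page's SIEM logic applied to process-creation events.
# Host/ProcessId/ParentProcessId are assumed to exist in the log source.

# Assumption: children considered normal for Power PDF in this environment.
# Build the real list from your own baseline telemetry.
EXPECTED_CHILDREN = {"powerpdf.exe", "splwow64.exe"}

def basename(path):
    """Lower-cased executable name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the names of the rules this event matches."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    hits = []
    if image == "powerpdf.exe" and ".jpf" in event["CommandLine"].lower():
        hits.append("jpf_opened_in_powerpdf")
    if parent == "powerpdf.exe" and image not in EXPECTED_CHILDREN:
        hits.append("unexpected_child_of_powerpdf")
    return hits

def correlate(events):
    """Pair unexpected children with the .jpf open by the same parent (time-ordered input)."""
    jpf_opens, pairs = {}, []
    for ev in events:
        hits = classify(ev)
        if "jpf_opened_in_powerpdf" in hits:
            jpf_opens[(ev["Host"], ev["ProcessId"])] = ev
        if "unexpected_child_of_powerpdf" in hits:
            opener = jpf_opens.get((ev["Host"], ev["ParentProcessId"]))
            if opener is not None:
                pairs.append((opener, ev))
    return pairs

def make_event(host, pid, ppid, image, parent, cmdline):
    return {"Host": host, "ProcessId": pid, "ParentProcessId": ppid,
            "Image": image, "ParentImage": parent, "CommandLine": cmdline}

# Constructed sample events (paths and PIDs are made up for illustration).
PDF = r"C:\Apps\PowerPDF.exe"
SAMPLE_EVENTS = [
    make_event("ws01", 4100, 900, PDF, r"C:\Windows\explorer.exe", PDF + r" C:\Users\a\scan.jpf"),
    make_event("ws01", 4200, 4100, r"C:\Windows\splwow64.exe", PDF, "splwow64.exe 8192"),
    make_event("ws01", 4300, 4100, r"C:\Windows\System32\cmd.exe", PDF, "cmd.exe"),
    make_event("ws02", 500, 77, PDF, r"C:\Windows\explorer.exe", PDF + r" C:\Users\b\report.pdf"),
    make_event("ws02", 600, 500, r"C:\Windows\System32\cmd.exe", PDF, "cmd.exe"),
]
```

On the sample data, `correlate(SAMPLE_EVENTS)` returns one pair (the ws01 JPF open and its `cmd.exe` child); the ws02 child still matches the second rule in `classify` but has no preceding JPF open.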
