CVE-2024-5301
📋 TL;DR
A heap-based buffer overflow vulnerability in Kofax Power PDF's PSD file parser allows remote attackers to execute arbitrary code when a user opens a malicious PSD file or visits a malicious webpage. This affects users of Kofax Power PDF who process untrusted PSD files. Successful exploitation gives attackers control over the affected system.
💻 Affected Systems
- Kofax Power PDF
📦 What is this software?
Power PDF by Tungsten Automation
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control, data theft, ransomware deployment, and lateral movement within the network.
Likely Case
Malware installation, credential theft, and persistence establishment on individual workstations where users open malicious PSD files.
If Mitigated
Limited to application crash or denial of service if exploit fails or security controls block execution.
🎯 Exploit Status
Exploitation requires user interaction but uses common heap overflow techniques. ZDI-CAN-22917 suggests detailed analysis exists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Kofax security advisory for specific patched version
Vendor Advisory: https://www.kofax.com/security-advisories
Restart Required: Yes
Instructions:
1. Check current Power PDF version
2. Visit Kofax support portal
3. Download and install latest security update
4. Restart system and verify update
🔧 Temporary Workarounds
Disable PSD file association
Windows: Remove Power PDF as the default handler for PSD files to prevent automatic opening
Control Panel > Default Programs > Associate a file type or protocol with a program > Select .PSD > Change program > Choose different application
Block PSD files at perimeter
All platforms: Prevent PSD files from entering the network via email or web downloads
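A perimeter filter for the workaround above can identify PSD content by its file header rather than by file name. The sketch below is an added example, not code from the vendor or the advisory. It assumes the 26-byte header layout and field limits from Adobe's published PSD/PSB format; the function names are hypothetical, and the out-of-spec findings are triage hints only, since the page does not say which field is involved in this bug.

```python
import struct

PSD_MAGIC = b"8BPS"      # signature shared by PSD and PSB (large document) files
HEADER_LEN = 26          # fixed-size file header
LIMITS = {1: ("PSD", 30_000), 2: ("PSB", 300_000)}  # version -> (name, max width/height)
DEPTHS = {1, 8, 16, 32}
COLOR_MODES = {0, 1, 2, 3, 4, 7, 8, 9}

def inspect_psd_header(data: bytes):
    """Return None for non-PSD content, else (format_name, out_of_spec_findings)."""
    if not data.startswith(PSD_MAGIC):
        return None
    if len(data) < HEADER_LEN:
        return ("PSD", ["truncated header"])
    ver, rsv, ch, h, w, depth, mode = struct.unpack(">H6sHIIHH", data[4:HEADER_LEN])
    name, max_dim = LIMITS.get(ver, ("PSD", 0))
    anomalies = []
    if ver not in LIMITS:
        anomalies.append(f"unknown version {ver}")
    if rsv != b"\x00" * 6:
        anomalies.append("reserved bytes not zero")
    if not 1 <= ch <= 56:
        anomalies.append(f"channel count {ch} outside 1..56")
    if max_dim and not (1 <= h <= max_dim and 1 <= w <= max_dim):
        anomalies.append(f"dimensions {w}x{h} outside 1..{max_dim}")
    if depth not in DEPTHS:
        anomalies.append(f"bit depth {depth} not in {sorted(DEPTHS)}")
    if mode not in COLOR_MODES:
        anomalies.append(f"unknown color mode {mode}")
    return (name, anomalies)

def gateway_verdict(filename: str, data: bytes):
    """Block any PSD/PSB content regardless of file name; keep findings for triage."""
    result = inspect_psd_header(data)
    if result is None:
        return ("allow", [])
    name, anomalies = result
    if not filename.lower().endswith((".psd", ".psb")):
        anomalies = [f"{name} content under non-PSD file name"] + anomalies
    return ("block", anomalies)

def make_header(version=1, channels=3, height=64, width=64, depth=8, mode=3):
    """Build a constructed 26-byte header used as sample input."""
    return PSD_MAGIC + struct.pack(">H6sHIIHH", version, b"\x00" * 6,
                                   channels, height, width, depth, mode)

if __name__ == "__main__":
    for fname, blob in [("logo.psd", make_header()), ("scan.jpg", make_header(channels=0))]:
        print(fname, gateway_verdict(fname, blob))
```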
🧯 If You Can't Patch
- Implement application whitelisting to block Power PDF execution
- Use endpoint detection and response (EDR) to monitor for suspicious Power PDF behavior
🔍 How to Verify
Check if Vulnerable:
Check the Power PDF version against the Kofax security advisory. If the system runs an unpatched version and processes PSD files, it is vulnerable.
Check Version:
In Power PDF: Help > About Power PDF
Verify Fix Applied:
Verify Power PDF version matches or exceeds patched version specified in Kofax advisory. Test with known safe PSD files.
📡 Detection & Monitoring
Log Indicators:
- Power PDF crashes with PSD files
- Unusual process spawning from Power PDF
- Memory allocation errors in application logs
Network Indicators:
- Downloads of PSD files from untrusted sources
- Outbound connections from Power PDF process
SIEM Query:
Process:PowerPDF.exe AND (EventID:1000 OR ParentProcess:explorer.exe) AND FileExtension:.psd