CVE-2024-5303

7.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious PSD files in Kofax Power PDF. The flaw exists in PSD file parsing where improper data validation leads to buffer overflow. All users running vulnerable versions of Kofax Power PDF are affected.

💻 Affected Systems

Products:
  • Kofax Power PDF
Versions: Versions prior to the patched release (specific version numbers not provided in available references)
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with PSD file parsing enabled are vulnerable. User interaction required (opening malicious file).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control of the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case

Local user account compromise on the affected system, with potential for privilege escalation and installation of persistent malware.

🟢 If Mitigated

Application crash or denial of service if exploit fails, with potential for limited data exposure.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (opening malicious file). The vulnerability is documented by ZDI with advisory ZDI-24-548.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Latest version from vendor (specific version not specified in references)

Vendor Advisory: https://www.zerodayinitiative.com/advisories/ZDI-24-548/

Restart Required: Yes

Instructions:

1. Check current Power PDF version.
2. Download and install latest update from Kofax official website.
3. Restart system after installation.
4. Verify update applied successfully.

🔧 Temporary Workarounds

Disable PSD file association (Windows)

Remove Power PDF as default handler for PSD files to prevent automatic opening

Control Panel > Default Programs > Set Associations > Remove .psd from Power PDF

Block PSD files at perimeter (all platforms)

Prevent PSD files from entering the network via email or web downloads
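Perimeter blocking by extension alone misses a PSD that has been renamed, so the filter should key on content. The following is an added example, not vendor or ZDI code: it recognises Photoshop content by its `8BPS` signature and sanity-checks the fixed 26-byte header. The `gateway_verdict` hook, the file names and the sample headers are constructed for illustration.

```python
import struct

PSD_MAGIC = b"8BPS"      # signature shared by PSD and PSB (large document) files
HEADER_LEN = 26          # signature + 22 bytes of fixed header fields
BLOCKED_EXT = (".psd", ".psb")

def inspect_psd(data: bytes):
    """Return None for non-Photoshop content, else a list of header anomalies
    (an empty list means the header looks well formed)."""
    if data[:4] != PSD_MAGIC:
        return None
    if len(data) < HEADER_LEN:
        return ["truncated header"]
    version, reserved, channels, height, width, depth, _mode = struct.unpack(
        ">H6sHIIHH", data[4:HEADER_LEN])
    anomalies = []
    if version not in (1, 2):                      # 1 = PSD, 2 = PSB
        anomalies.append(f"unknown version {version}")
    if reserved != b"\x00" * 6:
        anomalies.append("reserved bytes not zero")
    if not 1 <= channels <= 56:
        anomalies.append(f"channel count {channels} out of range")
    limit = 300_000 if version == 2 else 30_000    # PSB allows larger canvases
    if not (1 <= height <= limit and 1 <= width <= limit):
        anomalies.append(f"dimensions {width}x{height} out of range")
    if depth not in (1, 8, 16, 32):
        anomalies.append(f"unsupported depth {depth}")
    return anomalies

def gateway_verdict(filename: str, data: bytes):
    """Hypothetical mail/web gateway hook: returns (block, reason)."""
    anomalies = inspect_psd(data)
    if anomalies is not None:                      # content wins over file name
        detail = "; ".join(anomalies) if anomalies else "well-formed header"
        return True, f"Photoshop content ({detail})"
    if filename.lower().endswith(BLOCKED_EXT):
        return True, "PSD/PSB extension"
    return False, "not Photoshop content"

def sample_header(version=1, channels=3, height=600, width=800, depth=8, mode=3):
    # Constructed sample input: a bare 26-byte header with no image data.
    return PSD_MAGIC + struct.pack(">H6sHIIHH", version, b"\x00" * 6,
                                   channels, height, width, depth, mode)

if __name__ == "__main__":
    for name, blob in [("photo.psd", sample_header()),
                       ("invoice.pdf", sample_header(channels=0, width=0)),
                       ("report.pdf", b"%PDF-1.7\n")]:
        print(name, gateway_verdict(name, blob))
```

The anomaly text is worth logging even though every signature match is blocked: a renamed file with out-of-range header fields is a stronger signal for follow-up than an ordinary design asset.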

🧯 If You Can't Patch

  • Implement application whitelisting to prevent unauthorized executables from running
  • Use least privilege accounts for PDF viewing and disable macros/scripting in PDF settings

🔍 How to Verify

Check if Vulnerable:

Check Power PDF version against vendor's patched version list. Open Power PDF > Help > About to see current version.

Check Version:

Not applicable - check via GUI: Help > About in Power PDF application

Verify Fix Applied:

Confirm version number matches or exceeds patched version from vendor advisory. Test with known safe PSD files.

📡 Detection & Monitoring

Log Indicators:

  • Power PDF crash logs with memory access violations
  • Unexpected child processes spawned from Power PDF
  • Network connections from Power PDF to suspicious IPs

Network Indicators:

  • PSD file downloads from untrusted sources
  • Unusual outbound connections after PSD file opening

SIEM Query:

Process Creation where Parent Process contains 'PowerPDF' AND (Command Line contains '.psd' OR Image contains suspicious patterns)
