CVE-2024-5512
📋 TL;DR
This vulnerability in Kofax Power PDF allows attackers to read memory beyond allocated boundaries when parsing malicious JP2 files, potentially disclosing sensitive information. Users who open malicious PDF files or visit malicious web pages are affected. Attackers could combine this with other vulnerabilities to execute arbitrary code.
💻 Affected Systems
- Kofax Power PDF
📦 What is this software?
Power PDF by Tungsten Automation
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary code execution in the context of the current user, leading to complete system compromise, data theft, or ransomware deployment.
Likely Case
Information disclosure through memory reads, potentially exposing sensitive data like passwords, keys, or document contents.
If Mitigated
Limited information disclosure with no code execution if proper sandboxing and memory protections are in place.
🎯 Exploit Status
Exploitation requires the user to open a malicious file. Code execution requires combining this flaw with other vulnerabilities. The identifier ZDI-CAN-22021 suggests coordinated disclosure.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Kofax security advisory for specific patched version
Vendor Advisory: https://www.kofax.com/security/advisories (check for specific advisory)
Restart Required: Yes
Instructions:
1. Check current Power PDF version.
2. Visit Kofax support portal.
3. Download and install latest security update.
4. Restart system if prompted.
🔧 Temporary Workarounds
Disable JP2 file processing
Windows: Prevent Power PDF from opening JP2 files by modifying file associations or using application controls.
Use Windows Group Policy or registry to modify file associations for .jp2 files
User awareness training
All platforms: Educate users not to open JP2 files from untrusted sources.
🧯 If You Can't Patch
- Implement application whitelisting to block Power PDF execution
- Use email/web filtering to block JP2 file attachments and downloads
🔍 How to Verify
Check if Vulnerable:
Check the Power PDF version against the Kofax security advisory. If a vulnerable version is installed and JP2 files are processed, the system is vulnerable.
Check Version:
Open Power PDF → Help → About (or check installed programs in Control Panel)
Verify Fix Applied:
Verify that the Power PDF version is updated to the patched version specified in the vendor advisory.
📡 Detection & Monitoring
Log Indicators:
- Power PDF crash logs
- Unexpected memory access errors in application logs
- Security software alerts for memory corruption
Network Indicators:
- Downloads of JP2 files from suspicious sources
- Unusual outbound connections after opening PDF files
SIEM Query:
EventID for application crashes OR file extension .jp2 in download/email logs
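
Added example (not from the vendor advisory or this page's source): the filtering and log rules above key on the .jp2 extension, which misses renamed files and JPEG 2000 images embedded in PDFs. This Python sketch classifies attachments by content instead; the sample files, function names and the block policy are assumptions constructed for illustration.

```python
import re

# The JPEG 2000 file family (JP2/JPX) starts with a fixed 12-byte signature box;
# a bare codestream starts with the SOC and SIZ markers.
JP2_SIGNATURE = bytes.fromhex("0000000c6a5020200d0a870a")
J2K_CODESTREAM = bytes.fromhex("ff4fff51")
_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def classify(data: bytes) -> str:
    """Classify a file by content: 'jp2', 'j2k-codestream', 'pdf-with-jpx' or 'other'."""
    if data.startswith(JP2_SIGNATURE):
        return "jp2"
    if data.startswith(J2K_CODESTREAM):
        return "j2k-codestream"
    # Many PDF readers accept the header anywhere in the first 1024 bytes.
    if b"%PDF-" in data[:1024]:
        # PDF names may hide characters as #xx escapes (/JPXD#65code), so decode first.
        names = _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)
        if b"/JPXDecode" in names:
            return "pdf-with-jpx"
    return "other"


def should_block(filename: str, data: bytes) -> bool:
    """Hypothetical policy: block on content type or on the .jp2 extension."""
    return classify(data) != "other" or filename.lower().endswith(".jp2")


# Constructed samples (not real attachments): name -> bytes.
SAMPLES = {
    "scan.jp2": JP2_SIGNATURE + b"\x00\x00\x00\x14ftypjp2 ",
    "invoice.png": JP2_SIGNATURE + b"\x00\x00\x00\x14ftypjp2 ",  # renamed JP2
    "tile.bin": J2K_CODESTREAM + b"\x00\x29",
    "report.pdf": b"%PDF-1.7\n5 0 obj\n<< /Subtype /Image /Filter /JPXDecode >>\nstream\n",
    "escaped.pdf": b"%PDF-1.7\n5 0 obj\n<< /Subtype /Image /Filter /JPXD#65code >>\n",
    "photo.pdf": b"%PDF-1.7\n5 0 obj\n<< /Subtype /Image /Filter /DCTDecode >>\nstream\n",
    "notes.txt": b"meeting notes\n",
}


def triage(samples):
    """Return {name: (kind, blocked)} for each sample."""
    return {n: (classify(d), should_block(n, d)) for n, d in samples.items()}


if __name__ == "__main__":
    for name, (kind, blocked) in triage(SAMPLES).items():
        print(f"{name:12} {kind:15} {'BLOCK' if blocked else 'allow'}")
```

A pdf-with-jpx result only means the PDF carries a JPEG 2000 image stream, so on unpatched hosts it is better routed to an alert or review queue than treated as proof of a malicious file.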