Synopsis
A PDF toolkit installed on the remote Windows host is affected by multiple vulnerabilities.
Description
According to its version, the Foxit PhantomPDF application (formally known as Phantom) installed on the remote Windows host is prior to 7.3.4. It is, therefore, affected by multiple vulnerabilities :
- A use-after-free error exists that is triggered when handling FlateDecode streams. An unauthenticated, remote attacker can exploit this, via a crafted PDF file, to dereference already freed memory, resulting in a denial of service or the execution of arbitrary code.
(CVE-2016-4059)
- A use-after-free error exists that is related to the TimeOut() function. An unauthenticated, remote attacker can exploit this, via a crafted PDF file, to dereference already freed memory, resulting in a denial of service or the execution of arbitrary code. (CVE-2016-4060)
- An unspecified flaw exists that is triggered when parsing content streams. An unauthenticated, remote attacker can exploit this to crash the application, resulting in a denial of service. (CVE-2016-4061)
- An unspecified flaw exists that is triggered when recursively triggering PDF format errors. An unauthenticated, remote attacker can exploit this to cause the application to stop responding, resulting in a denial of service. (CVE-2016-4062)
- A use-after-free error exists that is triggered when handling object revision numbers. An unauthenticated, remote attacker can exploit this, via a crafted PDF file, to dereference already freed memory, resulting in a denial of service or the execution of arbitrary code.
(CVE-2016-4063)
- A use-after-free error exists that is triggered when handling XFA re-layouts. An unauthenticated, remote attacker can exploit this to dereference already freed memory, resulting in a denial of service or the execution of arbitrary code. (CVE-2016-4064)
- An out-of-bounds read error exists that is triggered when decoding BMP, GIF, and JPEG images during PDF conversion. An unauthenticated, remote attacker can exploit this to disclose sensitive memory contents or cause a denial of service. (CVE-2016-4065)
- An unspecified use-after-free error exists that allows an unauthenticated, remote attacker to dereference already freed memory, resulting in a denial of service or the execution of arbitrary code.
- A use-after-free error exists that is triggered when handling JavaScript API calls when closing a document.
An unauthenticated, remote attacker can exploit this, via a crafted PDF file, to dereference already freed memory, resulting in a denial of service or the execution of arbitrary code.
Solution
Upgrade to Foxit PhantomPDF version 7.3.4 or later.
Plugin Details
File Name: foxit_phantom_7_3_4.nasl
Agent: windows
Supported Sensors: Nessus Agent, Nessus
Risk Information
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:foxitsoftware:phantom, cpe:/a:foxitsoftware:phantompdf
Required KB Items: installed_sw/FoxitPhantomPDF
Exploit Ease: No known exploits are available
Patch Publication Date: 3/16/2016
Vulnerability Publication Date: 3/16/2016
Reference Information
CVE: CVE-2016-4059, CVE-2016-4060, CVE-2016-4061, CVE-2016-4062, CVE-2016-4063, CVE-2016-4064, CVE-2016-4065
ZDI: ZDI-16-211, ZDI-16-212, ZDI-16-213, ZDI-16-214, ZDI-16-215, ZDI-16-216, ZDI-16-217, ZDI-16-218, ZDI-16-219, ZDI-16-220, ZDI-16-221, ZDI-16-222