The new Nitro PDF Pro version has at least one flaw that could be used to execute remote code on the victim’s host. A third party patch is on its way.
For this safety bug, a official fix from the developer is not available, with a severity score of 8.8 out of 10. Leverage can be achieved via a specially crafted PDF file that is opened with a vulnerable software version.
The maker of Nitro PDF has a customer base primarily from the corporate world. National or global corporations are listed with their applications as an alternative to Adobe Acrobat Pro.
Customers include the Australian Pacific National rail freight provider, Continental, Zebra Technologies (activity tracking solutions), T-Mobile Austria (telecommunications), Swiss Re (insurance), and JLL (company management).
Temporary patches for seven bugs
Tracked as CVE-2019-5050, the vulnerability is a collection of six vulnerabilities discovered by Cisco Talos researcher and disclosed earlier this week in Nitro PDF Pro 22.214.171.1242. It resides in the software’s PDF parsing functionality.
At least the issue leads to a crash, but the researchers believe that an attacker could run arbitrary code on the device within the scope of the current user with a small amount of effort.
Mitja Kolsek, the head of Acros Security’s 0patch micropatch platform company, found that the problem is also on the latest Nitro PDF Pro release, 126.96.36.199.
Micropatches are small pieces of code that focus only on the bug that a software product needs to fix. We are sent via the 0Patch agent and don’t need to restart the process because the code is in memory.
On Friday, Kolsek announced the availability of a Micropatch candidate blocking CVE-2019-5050. He told that it would be published to customers with a Pro license on Monday.
The CVE-2019-5050 is the only safety issue found by researchers from Cisco Talos, confirmed the impact of the latest Nitro PDF Pro version, but Kolsek suspects others as well. If this is the case, micropatches for all six vulnerabilities will be issued.
There is a similar bug identified about two years ago to Acros Security and Nitro Software; it never was patched and affects the latest version of the product.
“We made it an exercise in micropatching but didn’t want to publish a patch because the 0day wasn’t publicly known and we’d effectively reveal it through our patch.” – Mitja Kolsek
Nevertheless, with six bugs released publicly, one more will make no difference so 0Patch will also distribute a micropatch.
Spam swallowed surveillance documents
Cisco Talos initially sent Nitro Software a bug report on May 7, but the company responded three months later, August 7, following a third follow-up email from the researchers.
The long silence was caused by Nitro Software by claiming that previous emails went to the spam folder. The error report Acros Security received two years ago may have the same fate, but this in itself reflects a remarkable lag for a retailer that offers solutions to big companies worldwide.
According to the vulnerability information policy of Cisco, a seller has 90 days to fix the reported problems. If the vendor failed to mitigate the risk or did not respond to the report after this period, the findings will be made public.
Nitro Software has provided a release extension from Cisco Talos and has told that, without specifying a timetable, “things will be resolved in a future release.”
If Nitro PDF Pro receives official vulnerability fixes, it would be the first protection update in nearly two years. On 17 November 2017, the last security fixes were for the 11.x and 10.x branches of the software.