Cisco Talos researchers have discovered a security vulnerability in the paid Nitro PDF Pro software for Windows. Attackers could have abused it to execute code on a victim's computer, provided the victim opened a specially crafted PDF file in a vulnerable version of PDF Pro.
The vulnerability, tracked as CVE-2021-21798 and rated “High” (CVSS score 8.8), affects all Nitro PDF Pro versions up to and including 13.47. Updating to a newer version (currently PDF Pro 220.127.116.113, according to the manufacturer's release notes overview) protects against possible attacks, none of which have apparently been observed so far.
Critical vulnerability fix: CVE-2018-1285
According to the Nitro Pro security update overview, the release of version 18.104.22.1683 also closed a second, older security hole that likewise affected Nitro PDF up to and including 13.47. CVE-2018-1285 was located in third-party code, namely Apache log4net, and had already been fixed there in September 2020. Apparently the Nitro development team has only now updated the outdated log4net code in its software.
The “Critical” classification in the NVD entry for CVE-2018-1285 underlines the importance of a timely PDF Pro update. According to the description, attackers could have carried out so-called XXE (XML external entity) attacks on the XML parser using prepared log4net configuration files. What consequences such an attack could have in the case of Nitro Pro PDF remains to be seen. In general, however, XXE attacks can be used to provoke a crash (denial of service) or to access sensitive document content.
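As an added illustration of the mitigation for this class of bug (example code, not from the article, Nitro, or the log4net project), the following C# loader reads a log4net-style XML configuration with DTD processing prohibited and no external resolver, so an external entity declaration in a prepared config file is rejected instead of resolved. The `SafeConfigLoader` class and the two embedded config strings are constructed for this example.

```csharp
using System;
using System.IO;
using System.Xml;

// Hypothetical helper (not log4net's own API): parses an XML configuration
// with DTDs prohibited, so external entities can never be declared or fetched.
public static class SafeConfigLoader
{
    public static XmlDocument Load(string xmlText)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE> raises XmlException
            XmlResolver = null                       // never resolve external resources
        };
        using var reader = XmlReader.Create(new StringReader(xmlText), settings);
        var doc = new XmlDocument { XmlResolver = null };
        doc.Load(reader);
        return doc;
    }
}

public static class Demo
{
    // Constructed benign log4net-style configuration.
    const string BenignConfig =
        "<log4net><appender name=\"console\" type=\"log4net.Appender.ConsoleAppender\"/></log4net>";

    // Constructed config with a DTD declaring an external entity; the path is a placeholder.
    const string DtdConfig =
        "<!DOCTYPE log4net [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER_PATH\">]>" +
        "<log4net><appender name=\"&ext;\" type=\"log4net.Appender.ConsoleAppender\"/></log4net>";

    public static void Main()
    {
        var ok = SafeConfigLoader.Load(BenignConfig);
        Console.WriteLine("benign config loaded: root = " + ok.DocumentElement.Name);

        try
        {
            SafeConfigLoader.Load(DtdConfig);
            Console.WriteLine("unexpected: DTD config was accepted");
        }
        catch (XmlException ex)
        {
            // Expected: the reader refuses the DOCTYPE before any entity is resolved.
            Console.WriteLine("rejected config with DTD: " + ex.Message);
        }
    }
}
```

The same two settings apply to any `XmlReader`-based loader; a config parsed through `XmlDocument.Load` with a default (non-null) resolver and DTD processing allowed is the pattern to look for when auditing similar code.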
Before installing the update, users should make the preparations described in the security update overview.