Nitro PDF Pro has been found to contain at least one vulnerability that could be used to achieve remote code execution on the victim's host. The vulnerabilities were discovered and disclosed by researchers at Cisco Talos in Nitro PDF Pro 220.127.116.112.
The vulnerability, rated at a severity of 8.8, currently has no official patch from the developer. It can be triggered through a specially crafted PDF file opened with a vulnerable version of the software, so the practical attack path is a malicious attachment or download that the user opens.
The customers of Nitro PDF's developer include enterprises operating at national or global scale that run its software as an alternative to Adobe Acrobat Pro.
Among them are the Australian rail freight operator Pacific National, German automotive manufacturer Continental, Zebra Technologies (asset tracking solutions), T-Mobile Austria (telecom), Swiss Re (insurance), and JLL (property management).
Short-term fixes for the bugs
The bug, tracked as CVE-2019-5050, is one of a set of six vulnerabilities and resides in the PDF parsing functionality of the software. At a minimum the issue causes a crash, but the researchers believe an attacker may be able to run arbitrary code on the system in the context of the current user.
Mitja Kolsek, CEO of Acros Security, the company behind the 0patch micropatch platform, found that the issue is also present in the latest release of Nitro PDF Pro, 18.104.22.168, which has been available since September 27.
Micropatches are tiny pieces of code that address only the specific vulnerability in a software product. They are delivered through the 0patch agent and do not require rebooting the system, because they are applied in memory while the software is running; the unpatched binary on disk is left unchanged, so removing a micropatch is equally non-disruptive.
Kolsek announced that a micropatch blocking exploitation of CVE-2019-5050 is available and would be released to customers with a Pro license.
CVE-2019-5050 is the only one of the six issues confirmed to affect the latest version of Nitro PDF Pro, but Kolsek suspects that the others might as well. If so, micropatches will be released for all six vulnerabilities.
A similar bug in Nitro PDF was reported to Acros Security, and from there to Nitro Software, around two years ago; it was never fixed and still affects the current version of the product.
Cisco Talos initially sent a bug report to Nitro Software on May 7, but the company only replied with an acknowledgment three months later, after a third follow-up message from the researchers.
Nitro Software stated that the previous emails might have gone to the spam folder. The bug report Acros Security forwarded two years ago may have met the same fate, a notable lapse for a vendor that supplies software to large companies around the globe.
Under Cisco's vulnerability disclosure policy, a vendor has 90 days to fix reported problems. If the vendor fails to take steps to mitigate the risk, or does not respond to the report, the findings are made public.
Nitro Software received a disclosure extension from Cisco Talos and stated that the "issues will be addressed in a future release," without providing a timeline. Until that release ships, the available defenses are the 0patch micropatch and the usual precaution of not opening untrusted PDF files in Nitro PDF Pro.