Code Execution Vulnerabilities Discovered in Nitro Pro PDF Reader

• Cisco Talos found two important Javascript vulnerabilities in the Nitro Pro PDF reader.
• The vulnerabilities allow for malicious script execution through loopholes and could lead to user data compromise.
• Nitro Pro PDF's team is working towards releasing a fix patch, but it isn't out yet.

Cisco Talos has declared that their team found two noticeable cybersecurity vulnerabilities in the Nitro Pro PDF Reader versions 13.31.0.605 and 13.33.2.645. The security vulnerabilities have to do with specially crafted documents exploiting JavaScript timeout objects and with reusing a document path even after it is destroyed.

The flaws, along with a short description, are the following:

• CVE-2021-21796: A Javascript vulnerability allowing of reuse of destroyed document directory paths, resulting in a use-after-free vulnerability, which can lead to code execution under the context of the application. 
• CVE-2021-21797: A Javascript timeout object stored at different drive locations. The threat lies in malicious code execution upon document closing leading to compromised user data.

The Cisco Talos Nitro Pro PDF JavaScript local_file_path Object use-after-free vulnerability test report details the CVE-2021-21796 vulnerability. In this case, a specially crafted document with an embedded malicious script launches an attack by reusing its directory path even after being destroyed. This potentially compromises user data after the malicious code is executed.

The Cisco Talos’ Nitro Pro PDF JavaScript Timeout test report details the first of the vulnerabilities mentioned above, CVE-2021-21797. It explains that this vulnerability allows for storing a timeout object at different paths. If a hacker convinces a user to open the doc, then its coded timeout object will be stored in different places and executed upon the document’s closing.

Cisco Talos has relayed these discovered vulnerabilities to Nitro, and the company is working towards releasing a patch for addressing these issues. Users can also avoid opening a malicious PDF by simply turning off JavaScript use in Nitro PDF Reader’s settings.

Last year, researchers from the Cisco Talos security team discovered four remote code execution (RCE) vulnerabilities in another PDF reader, a popular freemium alternative to Adobe Reader called Foxit.