• Commander Saini

PDF encryption is broken - PDFex

Researchers from Germany have discovered two new vulnerabilities in PDF encryption mechanism ( not the algorithm). They have proven to BSI-CERT that it is possible to open an encrypted PDF file without having a public key and even change its content. And they also proved that the content of a digitally signed PDF can be changed without invalidating the digital signature. As a proof of concept, they changed the value of Amazon digitally signed invoice to 1 Trillion US Dollar.

To measure the impact of the vulnerabilities in the PDF specification, they analyzed 27 widely used PDF viewers and found 23 of them (85%) to be vulnerable to direct exfiltration attacks and all of them to be vulnerable to CBC gadgets.

For digital signature vulnerability, they identified 21 out of 22 desktop viewer applications and 5 out of 7 online validation services vulnerable against at least one of their attacks. For the digital signature attack, CVEs are CVE-2018-16042, CVE-2018-18688 and CVE-2018-18689. For details read PDFex Report