Rewterz Threat Advisory – New ‘Shadow Attack’ Manipulates Digitally Signed PDF Files

July 24, 2020

Severity

High

Analysis Summary

Fifteen out of 28 desktop PDF viewer applications are vulnerable to a new attack that lets malicious threat actors modify the content of digitally signed PDF documents. The list of vulnerable applications includes Adobe Acrobat Pro, Adobe Acrobat Reader, Perfect PDF, Foxit Reader, PDFelement, and others.

Academics have named this technique of forging documents a Shadow Attack. A Shadow Attack is when a threat actor prepares a document with different layers and sends it to a victim. The victim digitally signs the document with a benign layer on top, but when the attacker receives it, they change the visible layer to another one. Because the layer was included in the original document that the victim signed, changing the layer’s visibility doesn’t break the cryptographic signature and allows the attacker to use the legally-binding document for nefarious actions — such as replacing the payment recipient or sum in a PDF payment order or altering contract clauses. According to the research team three variants of a Shadow Attack exist:

Hide — when attackers use the PDF standard’s Incremental Update feature to hide a layer, without replacing it with anything else.
Replace — when attackers use the PDF standard’s Interactive Forms feature to replace the original content with a modified value.
Hide-and-Replace — when attackers use a second PDF document contained in the original document to replace it altogether.

The Shadow Attack is currently tracked with the CVE-2020-9592 and CVE-2020-9596 identifiers.

Impact

Security Bypass
Data Manipulation

Affected Vendors

Adobe
Others

Affected Products

Adobe Acrobat and Reader versions 2020.006.20042 and earlier
2017.011.30166 and earlier
2015.006.30518 and earlier

Remediation

Update PDF viewer apps to latest versions.