Fortinet Security Researcher Discovers Multiple Vulnerabilities Across Multiple Corel Products

By Kushal Arvind Shah | September 30, 2021

FortiGuard Labs Threat Research Report

Affected platforms: Windows 10
Impacted parties: Users of Corel PDF Fusion version 2.6.2.0
                  Users of CorelDraw Standard 2020 version 22.0.0.474
                  Users of Corel WordPerfect 2020 version 20.0.0.200
                  Users of Corel PhotoPaint Standard 2020 version 22.0.0.474
                  Users of Corel Presentations 2020 version 20.0.0.200
Impact: Multiple vulnerabilities leading to arbitrary code execution and information leaks
Severity level: Critical

On March 4th, 2021, I discovered and reported multiple (15) zero-day vulnerabilities in several Corel products. After responding in April, Corel requested an extension of our standard 90-day publication policy to August 1st in order to remediate these issues, and FortiGuard Labs agreed to delay disclosure. As this date has now passed without further communication, we are releasing the related Security Advisories for these vulnerabilities. They are identified as:

CVE-2021-38096
CVE-2021-38097
CVE-2021-38098
CVE-2021-38099
CVE-2021-38100
CVE-2021-38101
CVE-2021-38102
CVE-2021-38103
CVE-2021-38104
CVE-2021-38105
CVE-2021-38106
CVE-2021-38107
CVE-2021-38108
CVE-2021-38109
CVE-2021-38110

Each of these vulnerabilities has a different root cause related to Corel products and plugins. We recommend that users exercise caution when opening files from unknown sources and update their systems once Corel releases patches for these vulnerabilities.

Following are some details on these vulnerabilities. More information can be found on the related Fortinet Zero-Day Advisory pages by clicking on the CVE links below:

CVE-2021-38096

This Memory Corruption Vulnerability exists in the Corel PDF Fusion ‘coreip.dll’ dynamic library. Specifically, this vulnerability is caused by a malformed PDF file, which causes an Out-of-Bounds Write memory access due to improper bounds checking when manipulating a pointer to an allocated buffer.

Attackers can exploit this vulnerability by using the out-of-bounds access for unintended reads, writes, or frees, potentially leading to code corruption, control-flow hijack, or an information leak attack.

A remote attacker may be able to exploit this vulnerability to execute arbitrary code within the context of the application via a crafted PDF file.

Fortinet released the IPS signature Corel.PDF.Fusion.CVE-2021-38096.Memory.Corruption for this specific vulnerability to proactively protect our customers.

CVE-2021-38097

This Memory Corruption Vulnerability exists in the decoding of PDF files in Corel PDF Fusion. Specifically, this vulnerability is caused by a malformed PDF file, which causes Out-of-Bounds memory access due to an improper bounds check.

Attackers can exploit this vulnerability by using the out-of-bounds access for unintended reads, writes, or frees, potentially leading to code corruption, control-flow hijack, or an information leak attack.

A remote attacker may be able to exploit this vulnerability to execute arbitrary code within the context of the application via a crafted PDF file.

Fortinet released the IPS signature Corel.PDF.Fusion.CVE-2021-38097.Memory.Corruption for this specific vulnerability to proactively protect our customers.

CVE-2021-38098

This Heap Memory Corruption Vulnerability exists in the decoding of PDF files in Corel PDF Fusion. Specifically, this vulnerability is caused by a malformed PDF file, which causes an Out-of-Bounds heap memory access due to an improper bounds check. 

Attackers can exploit this vulnerability by using the out-of-bounds access for unintended reads, writes, or frees, potentially leading to code corruption, control-flow hijack, or an information leak attack.

A remote attacker may be able to exploit this vulnerability to execute arbitrary code within the context of the application via a crafted PDF file.

Fortinet released the IPS signature Corel.PDF.Fusion.CVE-2021-38098.Memory.Corruption for this specific vulnerability to proactively protect our customers.

CVE-2021-38101

This Memory Corruption Vulnerability exists in the decoding of CPT files in Corel PhotoPaint Standard 2020. Specifically, this vulnerability is caused by a malformed CPT file, which causes an Out-of-Bounds Write memory access due to an improper bounds check. This specific vulnerability exists in the ‘CDRRip’ dynamic library.

Attackers can exploit this vulnerability by using the out-of-bounds access for unintended writes or frees, potentially leading to code corruption, control-flow hijack, or an information leak attack.

A remote attacker may be able to exploit this vulnerability to execute arbitrary code within the context of the application via a crafted CPT file.

Fortinet released the IPS signature Corel.PhotoPaint.CVE-2021-38101.Memory.Corruption for this specific vulnerability to proactively protect our customers.

CVE-2021-38100

This Memory Corruption Vulnerability exists in the decoding of CPT files in Corel PhotoPaint Standard 2020. Specifically, this vulnerability is caused by a malformed CPT file, which causes Out-of-Bounds memory access due to an improper bounds check. 

Attackers can exploit this vulnerability by using the out-of-bounds access for unintended writes or frees, potentially leading to code corruption, control-flow hijack, or an information leak attack.

A remote attacker may be able to exploit this vulnerability to execute arbitrary code within the context of the application via a crafted CPT file.

Fortinet released the IPS signature Corel.PhotoPaint.CVE-2021-38100.Memory.Corruption for this specific vulnerability to proactively protect our customers.

CVE-2021-38099

This Memory Corruption Vulnerability exists in the decoding of CPT files in Corel PhotoPaint Standard 2020. Specifically, this vulnerability is caused by a malformed CPT file, which causes Out-of-Bounds memory access due to an improper bounds check. This specific vulnerability exists in the ‘CDRRip’ dynamic library. 

Attackers can exploit this vulnerability by using the out-of-bounds access for unintended reads, writes, or frees, potentially leading to code corruption, control-flow hijack, or an information leak attack.

A remote attacker may be able to exploit this vulnerability to execute arbitrary code within the context of the application via a crafted CPT file.

Fortinet released the IPS signature Corel.PhotoPaint.CVE-2021-38099.Memory.Corruption for this specific vulnerability to proactively protect our customers.

CVE-2021-38103

This Memory Corruption Vulnerability exists in the decoding of PPT files in Corel Presentations 2020. Specifically, this vulnerability is caused by a malformed PPT file, which causes Out-of-Bounds memory access due to an improper bounds check. This specific vulnerability exists in the ‘IBJPG2.FLT’ plugin. 

Attackers can exploit this vulnerability by using the out-of-bounds access for unintended reads, writes, or frees, potentially leading to code corruption, control-flow hijack, or an information leak attack.

A remote attacker may be able to exploit this vulnerability to execute arbitrary code within the context of the application via a crafted PPT file.

Fortinet released the IPS signature Corel.Presentations.CVE-2021-38103.Memory.Corruption for this specific vulnerability to proactively protect our customers.

CVE-2021-38104

This Memory Corruption Vulnerability exists in the decoding of PPT files in Corel Presentations 2020. Specifically, this vulnerability is caused by a malformed PPT file, which causes Out-of-Bounds memory access due to an improper bounds check. This specific vulnerability exists in the ‘IPPP72.FLT’ plugin.

Attackers can exploit this vulnerability by using out-of-bounds access for unintended reads or an information leak attack.

An unauthenticated attacker may be able to exploit this vulnerability to access unauthorized system memory in the context of the current user via a crafted PPT file.

Fortinet released the IPS signature Corel.Presentations.CVE-2021-38104.Memory.Corruption for this specific vulnerability to proactively protect our customers.

CVE-2021-38105

This Memory Corruption Vulnerability exists in the decoding of PPT files in Corel Presentations 2020. Specifically, this vulnerability is caused by a malformed PPT file, which causes Out-of-Bounds memory access due to an improper bounds check. This specific vulnerability exists in the ‘IPPP82.FLT’ plugin. 

Attackers can exploit this vulnerability by using out-of-bounds access for unintended reads or an information leak attack.

An unauthenticated attacker may be able to exploit this vulnerability to access unauthorized system memory in the context of the current user via a crafted PPT file.

Fortinet released the IPS signature Corel.Presentations.CVE-2021-38105.Memory.Corruption for this specific vulnerability to proactively protect our customers.

CVE-2021-38106

This Memory Corruption Vulnerability exists in the decoding of PPT files in Corel Presentations 2020. Specifically, this vulnerability is caused by a malformed PPT file, which causes Out-of-Bounds memory access due to an improper bounds check. This specific vulnerability exists in the ‘UAX200.dll’ library. 

Attackers can exploit this vulnerability by using out-of-bounds access for unintended reads or an information leak attack.

An unauthenticated attacker may be able to exploit this vulnerability to access unauthorized system memory in the context of the current user via a crafted PPT file.

Fortinet released the IPS signature Corel.Presentations.CVE-2021-38106.Memory.Corruption for this specific vulnerability to proactively protect our customers.

CVE-2021-38102

This Memory Corruption Vulnerability exists in the decoding of PPT files in Corel Presentations 2020. Specifically, this vulnerability is caused by a malformed PPT file, which causes Out-of-Bounds memory access due to an improper bounds check. This specific vulnerability exists in the ‘IPPP82.FLT’ plugin. 

Attackers can exploit the vulnerability by using out-of-bounds access for unintended reads or an information leak attack.

An unauthenticated attacker may be able to exploit this vulnerability to access unauthorized system memory in the context of the current user via a crafted PPT file.

Fortinet released the IPS signature Corel.Presentations.CVE-2021-38102.Memory.Corruption for this specific vulnerability to proactively protect our customers.

CVE-2021-38110

This Memory Corruption Vulnerability exists in the decoding of DOC files in Corel WordPerfect 2020. Specifically, this vulnerability is caused by a malformed DOC file, which causes an Out-of-Bounds Write memory access due to an improper bounds check. This specific vulnerability exists in the ‘Word97Import200.dll’ library.

Attackers can exploit this vulnerability by using the out-of-bounds access for unintended reads, writes, or frees, potentially leading to code corruption, control-flow hijack, or an information leak attack.

A remote attacker may be able to exploit this vulnerability to execute arbitrary code within the context of the application via a crafted DOC file.

Fortinet released the IPS signature Corel.WordPerfect.CVE-2021-38110.Memory.Corruption for this specific vulnerability to proactively protect our customers.

CVE-2021-38108

This Memory Corruption Vulnerability exists in the decoding of DOC files in Corel WordPerfect 2020. Specifically, this vulnerability is caused by a malformed DOC file, which causes Out-of-Bounds memory access due to an improper bounds check. This specific vulnerability exists in the ‘Word97Import200.dll’ library. 

Attackers can exploit this vulnerability by using out-of-bounds access for unintended reads or an information leak attack.

An unauthenticated attacker may be able to exploit this vulnerability to access unauthorized system memory in the context of the current user via a crafted DOC file.

Fortinet released the IPS signature Corel.WordPerfect.CVE-2021-38108.Memory.Corruption for this specific vulnerability to proactively protect our customers.

CVE-2021-38109

This Memory Corruption Vulnerability exists in the decoding of CDR files in CorelDraw Standard 2020. Specifically, this vulnerability is caused by a malformed CDR file, which causes Out-of-Bounds memory access due to an improper bounds check. This specific vulnerability exists in the ‘CrlPlatform.dll’ library.

Attackers can exploit this vulnerability by using out-of-bounds access for unintended reads or an information leak attack.

An unauthenticated attacker may be able to exploit this vulnerability to access unauthorized system memory in the context of the current user via a crafted CDR file.

Fortinet released the IPS signature Corel.CorelDRAW.CVE-2021-38109.Memory.Corruption for this specific vulnerability to proactively protect our customers.

CVE-2021-38107

This Memory Corruption Vulnerability exists in the decoding of CDR files in CorelDraw Standard 2020. Specifically, this vulnerability is caused by a malformed CDR file, which can cause Out-of-Bounds memory access due to an improper bounds check. This specific vulnerability exists in the ‘CdrCore.dll’ library.

Attackers can exploit this vulnerability by using out-of-bounds access for unintended reads or an information leak attack.

An unauthenticated attacker may be able to exploit this vulnerability to access unauthorized system memory in the context of the current user via a crafted CDR file.

Fortinet released the IPS signature Corel.CorelDRAW.CVE-2021-38107.Memory.Corruption for this specific vulnerability to proactively protect our customers.
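
The weakness class named throughout these entries, an improper bounds check on values taken from a malformed file, is illustrated below as an added C example; it is not code from Corel or from the advisories, and the record layout and the names rec_hdr, naive_in_bounds, safe_in_bounds and copy_record are constructed for illustration. It contrasts a check that wraps on 32-bit addition with one that cannot, and also validates the source length to cover the out-of-bounds read case.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed header: offset and length as read from an untrusted file. */
struct rec_hdr { uint32_t dst_off; uint32_t len; };

/* Flawed check: the 32-bit sum wraps, so a huge offset plus a small length passes. */
static int naive_in_bounds(struct rec_hdr h, uint32_t cap)
{
    return (uint32_t)(h.dst_off + h.len) <= cap;
}

/* Correct check: never forms dst_off + len, so nothing can wrap. */
static int safe_in_bounds(struct rec_hdr h, uint32_t cap)
{
    return h.dst_off <= cap && h.len <= cap - h.dst_off;
}

/* Hardened copy: checks the destination capacity (write side) and the bytes
 * actually left in the input (read side). Returns 0 on success, -1 on reject. */
static int copy_record(uint8_t *dst, uint32_t cap, struct rec_hdr h,
                       const uint8_t *src, size_t src_left)
{
    if (!safe_in_bounds(h, cap) || h.len > src_left)
        return -1;
    memcpy(dst + h.dst_off, src, h.len);
    return 0;
}

/* Bitmask result: bit0 naive check accepts the wrapping header, bit1 safe check
 * rejects it, bit2 valid record copied intact, bit3 truncated input rejected. */
static int demo(void)
{
    uint8_t buf[64] = {0};
    const uint8_t payload[8] = {'A','B','C','D','E','F','G','H'};
    struct rec_hdr wrap  = { 0xFFFFFFF0u, 0x20u }; /* sum wraps to 0x10 */
    struct rec_hdr good  = { 56u, 8u };            /* ends exactly at capacity */
    struct rec_hdr trunc = { 0u, 32u };            /* claims more than supplied */
    int r = 0;
    r |= naive_in_bounds(wrap, 64u) ? 1 : 0;
    r |= !safe_in_bounds(wrap, 64u) ? 2 : 0;
    r |= (copy_record(buf, 64u, good, payload, sizeof payload) == 0
          && memcmp(buf + 56, payload, 8) == 0) ? 4 : 0;
    r |= (copy_record(buf, 64u, trunc, payload, sizeof payload) == -1) ? 8 : 0;
    return r;
}

int main(void) { return demo() == 0x0F ? 0 : 1; }
```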

 
