Ghostscript vulnerabilities revealed, no patch yet available

Several vulnerabilities -dSAFER sandbox bypass vulnerabilities have been found in Ghostscript, which if exploited mat allow a remote, unauthenticated attacker to execute arbitrary commands.

Researcher Tavis Ormandy revealed that Ghostscript's –dSAFER option, which is designed to prevent unsafe PostScript operations, found that running multiple PostScript operations at once will bypass the built-in protections and allow an attacker to execute code commands with arbitrary arguments.

“By causing Ghostscript or a program that leverages Ghostscript to parse a specially-crafted file, a remote, unauthenticated attacker may be able to execute arbitrary commands with the privileges of the Ghostscript code,” the advisory stated.

CERT/CC said there is no practical solution to the problem, for which no CVEs have been issued, but the organization said disabling PS, EPS, PDF, and XPS coders in ImageMagick policy.xml are possible workarounds.

Stephen Giguere, Synopsys sales engineer, agreed with the suggested workarounds adding that it's important for IT admins to take note of the problem because it is likely to be in their systems due to the fact Ghostscript has been around for quite some time and is more or less ubiquitous.

“This Ghostscript exploit is a premium example of cascading dependencies on open source software packages where the dependency of a core component may not be easily upgraded. Even when a CVE is associated with something like this, and a fix available, there will be a secondary delay whilst packages which incorporate this into their own software like ImageMagick release a version with a fix,” he said.

The flaw affects the following:

·       Artifex Software

·        CentOS

·        Debian GNU/Linux

·        Fedora Project

·        FreeBSD Project

·        Gentoo Linux

·        ImageMagick

·        Red Hat

·        SUSE Linux, Ubuntu

“Not only does protection against this rely on the authors fixing the defect at source quickly, it then relies on its incorporation into its next level usage and then again into websites and applications which in turn use that.  This could create a significant window of opportunity for malicious actors to weaponize it,” Giguere said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.