RCE bug in widely used Ghostscript library now exploited in attacks

A remote code execution vulnerability in the Ghostscript document conversion toolkit, widely used on Linux systems, is currently being exploited in attacks.

Ghostscript comes pre-installed on many Linux distributions and is used by various document conversion software, including ImageMagick, LibreOffice, GIMP, Inkscape, Scribus, and the CUPS printing system.

Tracked as CVE-2024-29510, this format string vulnerability impacts all Ghostscript 10.03.0 and earlier installations. It enables attackers to escape the -dSAFER sandbox (enabled by default) because unpatched Ghostscript versions fail to prevent changes to uniprint device argument strings after the sandbox is activated.

This security bypass is especially dangerous because it allows attackers to perform high-risk operations, such as command execution and file I/O, using the Ghostscript Postscript interpreter, which the sandbox would usually block.

“This vulnerability has significant impact on web-applications and other services offering document conversion and preview functionalities as these often use Ghostscript under the hood,” warned Codean Labs security researchers who discovered and reported the security vulnerability.

“We recommend verifying whether your solution (indirectly) makes use of Ghostscript and if so, update it to the latest version.”

Codean Labs has also shared a Postscript file that can help defenders detect if their systems are vulnerable to CVE-2023-36664 attacks by running it with the following command:

ghostscript -q -dNODISPLAY -dBATCH CVE-2024-29510_testkit.ps

Actively exploited in attacks

While the Ghostscript development team patched the security flaw in May, Codean Labs published a write-up with technical details and proof-of-concept exploit code two months later.

Attackers are already exploiting the CVE-2024-29510 Ghostscript vulnerability in the wild, using EPS (PostScript) files camouflaged as JPG (image) files to get shell access to vulnerable systems.
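The camouflage described above can be caught before a file reaches a converter by comparing its name with its leading bytes. The following Python sketch is an added example, not code from Codean Labs or this article; the extension list, function names and sample byte strings are constructed for illustration, and the check is a heuristic that complements patching rather than replacing it.

```python
"""Flag uploads whose name says "image" but whose bytes say PostScript/EPS."""
from pathlib import PurePath

# Extensions an upload filter would treat as raster images (assumed policy).
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".webp"}

JPEG_MAGIC = b"\xff\xd8\xff"
EPS_BINARY_MAGIC = b"\xc5\xd0\xd3\xc6"  # DOS EPS binary header (preview + PS)
UTF8_BOM = b"\xef\xbb\xbf"


def sniff(head: bytes) -> str:
    """Classify the first bytes of a file as 'jpeg', 'postscript' or 'other'."""
    if head.startswith(JPEG_MAGIC):
        return "jpeg"
    if head.startswith(EPS_BINARY_MAGIC):
        return "postscript"
    # Text PostScript/EPS starts with "%!"; tolerate a BOM and leading whitespace.
    body = head[len(UTF8_BOM):] if head.startswith(UTF8_BOM) else head
    if body.lstrip().startswith(b"%!"):
        return "postscript"
    return "other"


def is_disguised_postscript(filename: str, head: bytes) -> bool:
    """True when an image-named file actually carries PostScript/EPS content."""
    ext = PurePath(filename).suffix.lower()
    return ext in IMAGE_EXTENSIONS and sniff(head) == "postscript"


# Constructed samples: (filename, first bytes of the file).
SAMPLES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("avatar.jpg", b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\n"),
    ("logo.JPEG", b"\xc5\xd0\xd3\xc6\x1e\x00\x00\x00"),
    ("banner.png", b"\n  %!PS\n"),
    ("figure.eps", b"%!PS-Adobe-3.0 EPSF-3.0\n"),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        verdict = "QUARANTINE" if is_disguised_postscript(name, head) else "ok"
        print(f"{name:12} {sniff(head):10} {verdict}")
```

Run it against the first few hundred bytes of each incoming file, and reject or quarantine anything flagged instead of handing it to ImageMagick or another Ghostscript-backed converter.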

“If you have ghostscript *anywhere* in your production services, you are probably vulnerable to a surprisingly trivial remote shell execution, and you should upgrade it or remove it from your production systems,” developer Bill Mill warned.

“The best mitigation against this vulnerability is to update your installation of Ghostscript to v10.03.1. If your distribution does not provide the latest Ghostscript version, it might still have released a patch version containing a fix for this vulnerability (e.g., Debian, Ubuntu, Fedora),” Codean Labs added.

One year ago, the Ghostscript developers patched another critical RCE flaw (CVE-2023-36664) also triggered by opening maliciously crafted files on unpatched systems.
