Ghostscript vulnerabilities revealed, no patch yet available

News by Doug Olenick

Several -dSAFER sandbox bypass vulnerabilities have been found in Ghostscript, which if exploited may allow a remote, unauthenticated attacker to execute arbitrary commands.

Several -dSAFER sandbox bypass vulnerabilities have been found in Ghostscript, which if exploited may allow a remote, unauthenticated attacker to execute arbitrary commands.

Researcher Tavis Ormandy revealed that Ghostscript's –dSAFER option, which is designed to prevent unsafe PostScript operations, found that running multiple PostScript operations at once will bypass the built-in protections and allow an attacker to execute code commands with arbitrary arguments.

"By causing Ghostscript or a program that leverages Ghostscript to parse a specially-crafted file, a remote, unauthenticated attacker may be able to execute arbitrary commands with the privileges of the Ghostscript code," the advisory stated.

CERT/CC said there is no practical solution to the problem, for which no CVEs have been issued, but the organis ation said disabling PS, EPS, PDF, and XPS coders in ImageMagick policy.xml are possible workarounds.

Stephen Giguere, Synopsis sales engineer, agreed with the suggested workarounds adding that it's important for IT admins to take note of the problem because it is likely to be in their systems due to the fact Ghostscript has been around for quite some time and is more or less ubiquitous.

"This Ghostscript exploit is a premium example of cascading dependencies on open source software packages where the dependency of a core component may not be easily upgraded. Even when a CVE is associated with something like this, and a fix available, there will be a secondary delay whilst packages which incorporate this into their own software like ImageMagick release a version with a fix," he said.

The flaw affects the following:

· Artifex Software

· CentOS

· Debian GNU/Linux

· Fedora Project

· FreeBSD Project

· Gentoo Linux

· ImageMagick

· Red Hat

· SUSE Linux, Ubuntu

"Not only does protection against this rely on the authors fixing the defect at source quickly, it then relies on its incorporation into its next level usage and then again into websites and applications which in turn use that. This could create a significant window of opportunity for malicious actors to weaponize it," Giguere said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews

Interview - Everyone has an Achilles heel: The new security paradigm

How can we defend networks now that the perimeter has all but disappeared?
Brought to you in partnership with ExtraHop