Ghostscript Vulnerability Actively Exploited in Attacks

by Rohan Timalsina

July 31, 2024 - TuxCare expert team

A significant remote code execution (RCE) vulnerability was identified in the Ghostscript library, a widely used tool on Linux systems. This vulnerability, tracked as CVE-2024-29510, is currently being exploited in attacks, posing a severe risk to numerous applications and services.

Ghostscript is a powerful and versatile tool used for processing PostScript and PDF files. It comes pre-installed on many Linux distributions and is integrated into various document conversion software, including ImageMagick, LibreOffice, GIMP, Inkscape, Scribus, and the CUPS printing system.

 

CVE-2024-29510 – The Ghostscript Vulnerability

 

The CVE-2024-29510 vulnerability is a format string flaw that affects all Ghostscript 10.03.0 and earlier installations. This security issue allows attackers to bypass the -dSAFER sandbox, a protective measure that is enabled by default. Unpatched versions of Ghostscript fail to prevent modifications to uniprint device argument strings after the sandbox is activated. As a result, attackers can perform high-risk operations, such as command execution and file I/O, which the sandbox is supposed to block.

 

Impact and Exploitation

 

The security bypass enabled by this vulnerability is especially dangerous. It allows attackers to execute arbitrary commands and manipulate files on the target system using the Ghostscript PostScript interpreter. This has far-reaching implications for web applications and services that rely on Ghostscript for document conversion and preview functionalities.

Attackers are actively exploiting the Ghostscript vulnerability by using EPS (PostScript) files disguised as JPG (image) files. This technique grants them shell access to vulnerable systems. Developer Bill Mill emphasized the severity of the issue, stating, “If you have ghostscript *anywhere* in your production services, you are probably vulnerable to a shockingly trivial remote shell execution, and you should upgrade it or remove it from your production systems.”

 

Detection and Mitigation

 

Codean Labs has provided a PostScript file that can help defenders detect if their systems are vulnerable to CVE-2024-29510 attacks. Running the following command with the provided file can indicate the presence of the vulnerability:

ghostscript -q -dNODISPLAY -dBATCH CVE-2024-29510_testkit.ps

The Ghostscript development team patched the security vulnerability in May. However, despite the availability of a fix, attackers continue to exploit unpatched systems. Codean Labs recommends updating Ghostscript to version 10.03.1 to mitigate the risk. If the latest version is not available for your distribution, look for a patched version that addresses this vulnerability, as many distributions like Debian, Ubuntu, and Fedora have released updates.
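As an added example (not from the original article or from Codean Labs), a service that hands uploads to a document converter can compare each file's leading bytes with its extension before Ghostscript ever sees it, which catches the EPS-disguised-as-JPG technique described above. The extension allow-list, function names and sample inputs are assumptions constructed for illustration.

```python
import os

# Magic bytes expected for each image extension the service accepts (assumed allow-list).
IMAGE_MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}
DOS_EPS_MAGIC = b"\xc5\xd0\xd3\xc6"  # binary EPS wrapper (preview header)


def is_ghostscript_input(head: bytes) -> bool:
    """True if the leading bytes look like PostScript, EPS or PDF."""
    if head.startswith(DOS_EPS_MAGIC):
        return True
    # Conservatively skip a UTF-8 BOM, Ctrl-D and whitespace before the marker.
    body = head.removeprefix(b"\xef\xbb\xbf").lstrip(b"\x04 \t\r\n")
    return body.startswith((b"%!", b"%PDF-"))


def check_upload(filename: str, head: bytes) -> tuple[bool, str]:
    """Decide from name and first bytes whether a file may reach the converter."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in IMAGE_MAGIC:
        return False, "extension not on the image allow-list"
    if is_ghostscript_input(head):
        return False, "PostScript/EPS/PDF content behind an image extension"
    if not head.startswith(IMAGE_MAGIC[ext]):
        return False, "content does not match the extension"
    return True, "ok"


# Constructed sample inputs: (filename, first bytes of the file).
SAMPLES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("avatar.jpg", b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\n"),
    ("banner.jpeg", DOS_EPS_MAGIC + b"\x1e\x00\x00\x00"),
    ("scan.png", b"\n%PDF-1.7\n"),
    ("logo.gif", b"GIF89a\x01\x00\x01\x00"),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        allowed, reason = check_upload(name, head)
        print(f"{name:12} {'ALLOW' if allowed else 'REJECT':6} {reason}")
```

A content check like this narrows what reaches Ghostscript; updating to a patched version remains the fix for the vulnerability itself.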

 

Conclusion

 

The active exploitation of this Ghostscript vulnerability underscores the critical need for timely software updates and security patches. Due to Ghostscript’s widespread use in document processing and web services, this flaw poses a significant threat. System administrators and users must take immediate action to secure their systems by updating Ghostscript to the latest patched version.

 

The sources for this article include a story from BleepingComputer.
