A vulnerability in Ghostscript, a widely used interpreter for the Adobe PostScript and PDF page description languages, could allow attackers to remotely take control of vulnerable systems – and there’s currently no patch available to protect against the exploit being used.
The Ghostscript interpreter is used by a large number of vendors that produce software suites and coding libraries enabling desktop software and web servers to handle PostScript or PDF files – common tools in the day-to-day activity of enterprises.
Vendors known to be affected by the vulnerability include Red Hat, Ubuntu, Artifex Software and ImageMagick – and that list could grow as more vendors work out whether their products are affected.
Uncovered by Tavis Ormandy, a vulnerability researcher at Google’s Project Zero security team, the vulnerability is so freshly discovered that it doesn’t have a CVE number yet – or a patch to prevent it being exploited.
The exploit is based around Ghostscript’s optional -dSAFER option, a sandbox mode designed to prevent unsafe PostScript operations, but which in this case can inadvertently allow unsafe activity in applications that use Ghostscript.
By causing Ghostscript – or a program using it – to parse a specially crafted file in any directory, a remote attacker can gain the ability to execute arbitrary commands, which opens the door to various forms of malicious activity. That includes taking total control of an affected system, US-CERT has warned.
It isn’t the first time vulnerabilities in Ghostscript have been discovered – Ormandy previously uncovered flaws in it in 2016.
As no patch has been issued for the new Ghostscript vulnerability, he recommends that several vulnerable functions be turned off.
“I really *strongly* suggest that distributions start disabling PS, EPS, PDF and XPS coders in policy.xml by default. I think this is the number one ‘unexpected ghostscript’ vector, imho this should happen asap. IMHO, -dSAFER is a fragile security boundary at the moment, and executing untrusted postscript should be discouraged, at least by default,” he wrote in the blog post detailing the new discovery.
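The policy.xml change Ormandy recommends is a small edit to ImageMagick’s security policy, but it is easy to get wrong and easy to miss on one host in a fleet. The following is an added example, not code from the article, from Ormandy or from the ImageMagick project: it embeds two constructed policy.xml fragments (a permissive one that never mentions the Ghostscript-backed coders, and a hardened one that denies them) and a small checker that reports which of those coders a given policy still allows. The coder names PS, EPS, PDF and XPS come from the quote above; PS2 and PS3 are added because ImageMagick also routes them through Ghostscript. The pattern handling is a simplification of ImageMagick’s own glob matching and is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Coders that ImageMagick hands to Ghostscript. PS, EPS, PDF and XPS are the
# ones named in the article; PS2 and PS3 are added here (assumption).
GHOSTSCRIPT_CODERS = {"PS", "PS2", "PS3", "EPS", "PDF", "XPS"}

# Constructed sample: a policy.xml that denies a few coders but says nothing
# about the Ghostscript-backed ones, so they remain enabled.
WEAK_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="HTTPS"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
</policymap>
"""

# Constructed sample: the same policy with the Ghostscript-backed coders
# denied, one <policy> line per coder (the form Ormandy's advice calls for).
HARDENED_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="HTTPS"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="PS"/>
  <policy domain="coder" rights="none" pattern="PS2"/>
  <policy domain="coder" rights="none" pattern="PS3"/>
  <policy domain="coder" rights="none" pattern="EPS"/>
  <policy domain="coder" rights="none" pattern="PDF"/>
  <policy domain="coder" rights="none" pattern="XPS"/>
</policymap>
"""


def denied_coders(policy_xml: str) -> set:
    """Return the set of coder names a policy.xml denies outright.

    Only <policy domain="coder" rights="none" .../> entries count. A pattern
    is taken as either a literal coder name or a brace group such as
    "{PS,PS2,PS3}"; ImageMagick's fuller glob syntax is not modelled here
    (assumption of this example).
    """
    root = ET.fromstring(policy_xml)
    denied = set()
    for entry in root.iter("policy"):
        if entry.get("domain") != "coder" or entry.get("rights") != "none":
            continue
        pattern = entry.get("pattern", "").strip().upper()
        if pattern.startswith("{") and pattern.endswith("}"):
            denied.update(p.strip() for p in pattern[1:-1].split(",") if p.strip())
        elif pattern:
            denied.add(pattern)
    return denied


def still_allowed(policy_xml: str) -> set:
    """Ghostscript-backed coders that the given policy does NOT deny."""
    return GHOSTSCRIPT_CODERS - denied_coders(policy_xml)


def check_policy_file(path: str) -> set:
    """Convenience wrapper for a real file, e.g. /etc/ImageMagick-6/policy.xml
    (path is an assumption; distributions place the file differently)."""
    with open(path, encoding="utf-8") as fh:
        return still_allowed(fh.read())


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        left = still_allowed(policy)
        print(f"{name}: still allowed -> {sorted(left) or 'none'}")
```

Running the script reports every Ghostscript-backed coder the permissive policy leaves enabled and an empty list for the hardened one; `check_policy_file` does the same against an installed policy.xml, which makes it a usable compliance check while waiting for a vendor patch.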
The CERT vulnerability notes database also suggests disabling some processes to protect systems against attack in the absence of a “practical solution” in the form of patches from affected vendors.