Vulnerability Note VU#332928

Ghostscript contains multiple -dSAFER sandbox bypass vulnerabilities

Original Release date: 21 Aug 2018 | Last revised: 01 Oct 2018

Overview

Ghostscript contains multiple -dSAFER sandbox bypass vulnerabilities, which may allow a remote, unauthenticated attacker to execute arbitrary commands on a vulnerable system.

Description

Ghostscript contains an optional -dSAFER option, which is supposed to prevent unsafe PostScript operations. Multiple PostScript operations bypass the protections provided by -dSAFER, which can allow an attacker to execute arbitrary commands with arbitrary arguments. This vulnerability can also be exploited in applications that leverage Ghostscript, such as ImageMagick, GraphicsMagick, evince, Okular, Nautilus, and others.

Exploit code for this vulnerability is publicly available.

Impact

By causing Ghostscript or a program that leverages Ghostscript to parse a specially-crafted file, a remote, unauthenticated attacker may be able to execute arbitrary commands with the privileges of the Ghostscript code. This action may be triggered with actions as simple as downloading a file from a website.

Solution

Apply an update

This issue is addressed in Ghostscript version 9.24. Please also consider the following workarounds:

Disable PS, EPS, PDF, and XPS coders in ImageMagick policy.xml

ImageMagick uses Ghostscript by default to process PostScript content. ImageMagick can be controlled via the policy.xml security policy to disable the processing of PS, EPS, PDF, and XPS content. For example, this can be done by adding these lines to the <policymap> section of the /etc/ImageMagick/policy.xml file on a RedHat system:

<policy domain="coder" rights="none" pattern="PS" />

<policy domain="coder" rights="none" pattern="PS2" />

<policy domain="coder" rights="none" pattern="PS3" /> <policy domain="coder" rights="none" pattern="EPS" /> <policy domain="coder" rights="none" pattern="PDF" /> <policy domain="coder" rights="none" pattern="XPS" />

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
Artifex Software, Inc.	Affected	24 Aug 2018	06 Sep 2018
CentOS	Affected	21 Aug 2018	22 Aug 2018
Debian GNU/Linux	Affected	21 Aug 2018	22 Aug 2018
Fedora Project	Affected	21 Aug 2018	22 Aug 2018
FreeBSD Project	Affected	21 Aug 2018	22 Aug 2018
Gentoo Linux	Affected	21 Aug 2018	22 Aug 2018
ImageMagick	Affected	24 Aug 2018	24 Aug 2018
Red Hat, Inc.	Affected	21 Aug 2018	21 Aug 2018
SUSE Linux	Affected	21 Aug 2018	22 Aug 2018
Synology	Affected	-	23 Aug 2018
Ubuntu	Affected	21 Aug 2018	21 Aug 2018
Apple	Not Affected	21 Aug 2018	27 Aug 2018
CoreOS	Not Affected	21 Aug 2018	21 Aug 2018
Arch Linux	Unknown	21 Aug 2018	21 Aug 2018
Arista Networks, Inc.	Unknown	21 Aug 2018	21 Aug 2018

If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group	Score	Vector
Base	7.5	AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal	6.8	E:F/RL:W/RC:C
Environmental	6.8	CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Credit

This vulnerability was publicly disclosed by Tavis Ormandy.

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2018-16509
Date Public: 21 Feb 2018
Date First Published: 21 Aug 2018
Date Last Updated: 01 Oct 2018
Document Revision: 57

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Quick Search

Advanced Search »