The information security community is buzzing with discussions about a vulnerability in Ghostscript, which some experts believe could lead to significant breaches in the coming months.
Ghostscript, a Postscript and Adobe PDF interpreter, allows users on various platforms including *nix, Windows, macOS, and several embedded operating systems to view, print, and convert PDFs and image files. It is commonly installed by default in many distributions and is also utilized by other packages for printing or conversion tasks.
This vulnerability, identified as CVE-2024-29510 and given a CVSS score of 5.5 (medium) by Tenable, was first reported to the Ghostscript team in March and was addressed in the April release of version 10.03.1. However, the researcher's blog post that uncovered this flaw has recently sparked widespread interest.
Thomas Rinsma, the lead security analyst at Codean Labs in the Netherlands, discovered a method to achieve remote code execution (RCE) on systems running Ghostscript by bypassing the -dSAFER sandbox. Rinsma highlighted the potential impact on web applications and services that use Ghostscript for document conversion and preview functionalities.
Ghostscript's extensive use in various applications, such as cloud storage preview images, chat programs, PDF conversion, printing, and optical character recognition (OCR) workflows, underscores its importance. Stephen Robinson, a senior threat intelligence analyst at WithSecure, noted that Ghostscript's integral role in many solutions often goes unnoticed.
To enhance security, the Ghostscript development team has implemented increasingly robust sandboxing capabilities, with the -dSAFER sandbox enabled by default to prevent dangerous operations like command execution. Detailed technical information and a proof of concept (PoC) exploit for Linux (x86-64) can be found on the researcher's blog. The PoC demonstrates the ability to read and write files arbitrarily and achieve RCE on affected systems.
Rinsma confirmed that the PoC may not work universally due to assumptions about stack and structure offsets that vary by system. The PoC, shared by Codean Labs, is an EPS file, and any image conversion service or workflow compatible with EPS could be exploited for RCE, according to Robinson.
Tenable's assessment of the CVE as a local vulnerability requiring user interaction has been questioned by experts like Bob Rudis, VP of data science at GreyNoise. Rudis and others believe that no user interaction is needed for the exploit to succeed, which could mean the severity score is underestimated.
Accurate severity assessments are crucial for the infosec industry, as they guide organizations on the urgency of applying patches and mitigations. The delayed recognition of this vulnerability's severity highlights the importance of precise evaluations.
Rudis expects several notifications from organizations about breaches related to this vulnerability in the next six months. Bill Mill, a full-stack developer at ReadMe, reported seeing attacks in the wild and emphasized the need for organizations to prioritize applying patches.
This is the second notable RCE vulnerability in Ghostscript within 12 months. Last July, CVE-2023-36664, rated 9.8 on the severity scale, made headlines after Kroll's investigation. Ghostscript's widespread use in modern software, including 131 packages in Debian 12 and applications like LibreOffice, underscores the critical need for security measures.