
New Ghostscript Vulnerability Alarms Experts as Major Breach Threat

 

The information security community is buzzing with discussions about a vulnerability in Ghostscript, which some experts believe could lead to significant breaches in the coming months.

Ghostscript, a PostScript and PDF interpreter, lets users on *nix, Windows, macOS and several embedded operating systems view, print and convert PDF and image files. It is installed by default in many distributions and is pulled in as a dependency by other packages for printing and conversion tasks, so it is frequently present on systems whose owners never installed it deliberately.

The vulnerability, tracked as CVE-2024-29510 and scored CVSS 5.5 (medium) by Tenable, was reported to the Ghostscript team in March and fixed in the 10.03.1 release. It drew little attention at the time; the researcher's blog post disclosing the flaw has only recently sparked widespread interest.

Thomas Rinsma, lead security analyst at Codean Labs in the Netherlands, found a way to bypass the -dSAFER sandbox and achieve remote code execution (RCE) on systems running Ghostscript. Rinsma stressed the exposure of web applications and services that use Ghostscript for document conversion and preview features, where attacker-supplied files are processed without anyone looking at them.

Ghostscript's presence in cloud storage preview generation, chat programs, PDF conversion, printing and optical character recognition (OCR) workflows shows how broad the exposure is. Stephen Robinson, a senior threat intelligence analyst at WithSecure, noted that Ghostscript's role inside many solutions often goes unnoticed.

To contain bugs in the interpreter, the Ghostscript developers have added increasingly robust sandboxing; the -dSAFER mode is enabled by default and is meant to block dangerous operations such as command execution and file access outside permitted paths. Detailed technical information and a proof-of-concept (PoC) exploit for Linux x86-64 are available on the researcher's blog. The PoC demonstrates arbitrary file read and write and RCE on affected systems.

Rinsma noted that the PoC is not universal: it relies on assumptions about stack layout and structure offsets that vary from system to system. The PoC shared by Codean Labs is an EPS file, and, according to Robinson, any image conversion service or workflow that accepts EPS could be exploited for RCE.

Tenable's classification of the CVE as a local vulnerability requiring user interaction has been questioned by experts such as Bob Rudis, VP of data science at GreyNoise. Rudis and others argue that no user interaction is needed when a server-side pipeline converts uploaded files automatically, which would mean the severity score is underestimated.

Accurate severity assessments matter because they tell organizations how urgently to apply patches and mitigations; the delayed recognition of this flaw's real-world impact illustrates the cost of getting them wrong.

Rudis expects to hear from several organizations about breaches tied to this vulnerability within the next six months. Bill Mill, a full-stack developer at ReadMe, reported seeing attacks in the wild and urged organizations to prioritize patching.
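Two pre-flight checks follow from the discussion above: an upload that reaches a conversion pipeline should be classified by its bytes rather than its file name (the PoC is an EPS file, and EPS-accepting workflows are the exposed ones), and the installed Ghostscript should be compared against the 10.03.1 fix. The script below is an added example written for this page, not code from Codean Labs, the Ghostscript project or anyone quoted here. The sample inputs are constructed. It deliberately uses an allowlist: Ghostscript treats any non-PDF input as PostScript, so a file that merely lacks the `%!PS` comment would still be executed if it were routed to gs. One caveat on the version check: distributions often backport fixes without bumping the upstream version, so an "unpatched" result means "check the distro advisory", not "definitely vulnerable".

```python
"""Pre-flight checks for a service that converts user uploads with Ghostscript.

Added example for this article; not Ghostscript's or Codean Labs' code.
"""
import re
import subprocess

# First upstream release carrying the CVE-2024-29510 fix, as stated in the article.
FIXED_VERSION = (10, 3, 1)

# Magic numbers of raster formats a preview pipeline typically expects.
RASTER_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",          # covers GIF87a and GIF89a
}

# Signatures of inputs that would be handed to a PostScript/PDF interpreter.
INTERPRETED_MAGIC = {
    "postscript": b"%!PS",              # "%!PS-Adobe-3.0 EPSF-3.0" and friends
    "dos-eps": b"\xc5\xd0\xd3\xc6",     # DOS EPS binary header (preview wrapper)
    "pdf": b"%PDF-",                    # Ghostscript interprets PDF too
}


def classify_upload(data: bytes) -> str:
    """Classify an upload by its leading bytes, ignoring client-supplied names."""
    head = data[:16]
    for name, magic in RASTER_MAGIC.items():
        if head.startswith(magic):
            return name
    for name, magic in INTERPRETED_MAGIC.items():
        if head.startswith(magic):
            return name
    return "unknown"


def is_safe_for_conversion(data: bytes) -> bool:
    """Allowlist decision: only recognised raster formats proceed.

    'unknown' is rejected on purpose. Ghostscript sniffs for %PDF- and treats
    everything else as PostScript, so an unlabelled blob is still executable.
    """
    return classify_upload(data) in RASTER_MAGIC


def parse_gs_version(text: str) -> tuple:
    """Turn output such as '10.03.1' or 'GPL Ghostscript 9.56.1' into (10, 3, 1)."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def ghostscript_is_patched(version_text: str) -> bool:
    """True if the reported upstream version is at or above the fixed release."""
    return parse_gs_version(version_text) >= FIXED_VERSION


def installed_ghostscript_version() -> str:
    """Return the output of `gs --version`, or '' if gs is not on PATH."""
    try:
        result = subprocess.run(["gs", "--version"], capture_output=True,
                                text=True, check=True)
        return result.stdout.strip()
    except (FileNotFoundError, subprocess.CalledProcessError):
        return ""


# Constructed samples standing in for uploads; the EPS one is just a header,
# not the PoC from the researcher's blog.
SAMPLES = {
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "invoice.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "sneaky.jpg": b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\n",
    "blob.bin": b"/x { (touched) print } def x\n",   # PostScript without a %!PS comment
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict = "accept" if is_safe_for_conversion(data) else "reject"
        print(f"{name:12} {classify_upload(data):10} -> {verdict}")
    version = installed_ghostscript_version()
    if not version:
        print("gs not found on PATH")
    else:
        state = "at/after fix" if ghostscript_is_patched(version) else "before fix (check distro backports)"
        print(f"gs {version}: {state}")
```

Wire `is_safe_for_conversion` in front of whatever calls ImageMagick, LibreOffice or gs directly; the point is that the only files which ever reach the interpreter are ones the pipeline was designed to accept, not merely ones that fail a PostScript signature check.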

This is the second notable RCE vulnerability in Ghostscript within 12 months. Last July, CVE-2023-36664, rated 9.8 (critical), made headlines after Kroll's investigation. Ghostscript's reach into modern software, including 131 packages in Debian 12 and applications such as LibreOffice, means a vulnerable copy is often present indirectly, through dependencies, rather than as a package anyone chose to install.


To Reliably Govern Multi-Cloud Workloads, IT Leaders Demand Better Security Insights

 

Gigamon has published the results of a Pulse.qa poll of IT and InfoSec leaders that set out to identify the hurdles holding back current multi-cloud plans.

According to a recent Pew Research poll, 64 percent of Americans prefer to work in an entirely remote or hybrid environment, which pushes organizations to cope with the growing complexity of moving and expanding workloads in the cloud. Correspondingly, respondents to the Pulse.qa poll ranked visibility into cloud data in motion as the most important security element.

"Deep observability across hybrid and multi-cloud setups is required for every firm to stay competitive in a world of enhanced security risk and IT complexity. While each company's journey to service and infrastructure modernization is unique, bridging this visibility gap is critical to safeguarding and optimizing the network in order to provide a superior user experience," said Bassam Khan, Gigamon's VP of brand and technical marketing.

Challenges of multi-cloud strategies

  • Rising complexity and cost are hampering the administration of multi-cloud infrastructures: 99 percent of respondents said their team had missed or breached an application service-level agreement (SLA) because of an overly complicated cloud infrastructure.
  • The same rising costs and complexity are slowing tech executives' efforts to move and expand workloads in the cloud: 67 percent said high cloud costs hinder their firm's ability to move applications and workloads as quickly as needed, and 96 percent said connectivity bottlenecks or complex cloud troubleshooting hold back migration efforts.
  • The cost and complexity of cloud infrastructure drain resources from other projects and applications and frustrate already overworked IT staff: IT staff frustration (51%) was a close second to a lack of budget for critical applications (61%).

82 percent of IT and InfoSec leaders favor best-of-breed third-party security tools over the cloud platform providers' own technologies to overcome these migration bottlenecks, and respondents also prefer a single point of visibility across the whole environment to a compartmentalized, per-cloud approach.

Multi-cloud adoption follows a similar pattern: it gives organizations more ways to take advantage of the cloud's benefits, and in response to that demand it has become one of the most popular strategies.

Russians Learn to Circumvent the Ban on Online Anonymity


Russians have learned to circumvent the ban on Internet anonymity with online services that rent out a phone number for a small fee for a few hours.

Information security experts have found that the requirement to identify messenger users by phone number has driven the growth of anonymous verification services. Such resources can be used to spread malware or for other fraud.

According to Artem Gavrichenkov, CTO of Qrator Labs, such services rent mobile numbers to their users; examples include sms-reg.com, getsms.online, smska.net and simsms.org. Prices range from 3 to 300 rubles ($0.04 to $5) and rental periods from 20 minutes to several hours. Anonymous verification is offered for Mail.ru, VKontakte, Odnoklassniki, Avito, Yula, WhatsApp, Viber, Telegram, Facebook, Twitter, Yandex, Badoo, Mamba and others.

According to the expert, the services use numbers from mobile operators in various countries, but judging by the errors in the English versions of their sites, they are aimed at a Russian-speaking audience.

Gavrichenkov is certain that rented numbers can also be used to distribute illegal content or to sell drugs on social networks and in messengers.

"The services exploit gaps in government-approved rules for identifying users of instant messengers and social networks by phone number," said Mr. Gavrichenkov. Recall that on May 5 a government decree obliging messenger operators to identify their users by phone number came into force in Russia.

The use of anonymous numbers can increase fraud: with bulk-registered accounts, anonymous users can post fake likes to lure other users, most often on posts selling non-existent goods. The same applies to the promotion of malicious applications.

Blocking every number belonging to these anonymous portals is not feasible, because their pool of numbers changes too quickly.