Security researchers warn of actively exploited Ghostscript RCE flaws
Take action: The severity of the flaw seems very low, since exploiting it requires access to the vulnerable Ghostscript instance. Web services that accept EPS files or process images may expose Ghostscript to attacker-supplied input, however, which can turn this into an exploitable vulnerability, so check where you use Ghostscript and how images are parsed.
Learn More
Security researchers from Codean Labs are warning of a vulnerability in Ghostscript, tracked as CVE-2024-29510 (CVSS score 5.4), that could allow remote code execution.
Ghostscript is a widely-used document conversion toolkit implemented across various platforms, including Windows, Linux, macOS, and numerous embedded systems. To prevent abuse, the developers of Ghostscript have incorporated several sandboxing features, such as the -dSAFER sandbox, which is enabled by default for hardening purposes.
The vulnerability, identified as a format string injection in the uniprint device, permits attackers to bypass the -dSAFER sandbox and execute arbitrary code remotely. Codean Labs emphasizes its significant impact on web applications and other services that use Ghostscript for document conversion and preview functionality, especially where data or images are processed automatically and an attacker can inject PostScript files.
Codean Labs identified and reported six vulnerabilities in Ghostscript, which have been addressed in versions 10.03.0 and 10.03.1. These include:
- CVE-2024-29510: Format string injection in the uniprint device
- CVE-2024-29509: Buffer overflow
- CVE-2024-29506: Buffer overflow
- CVE-2024-29507: Buffer overflow
- CVE-2024-29508: Pointer leak
- CVE-2024-29511: Arbitrary file read/write
In the exploited CVE-2024-29510, the attacker controls the format string and can read the device output by directing it to a temporary file, enabling both data leakage and memory corruption.
Codean Labs has published a detailed writeup and proof-of-concept (PoC) code demonstrating this vulnerability. An attacker can exploit this flaw to bypass Ghostscript’s -dSAFER sandbox and execute shell commands on the system using both image and document processors.
Organizations should verify whether their solutions use Ghostscript and update to the latest version, 10.03.1, which was released in early May. An attack chain should also be considered, for example where ImageMagick passes PostScript files to Ghostscript, which is then exploited.
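As an added example (not Codean Labs' code and not part of the Ghostscript or ImageMagick projects), the following POSIX shell script turns the two recommendations above into a repeatable check: it compares the installed `gs` version against the 10.03.1 target named in the advisory, and it inspects an ImageMagick `policy.xml` to confirm that the PostScript-family coders (PS, PS2, PS3, EPS, PDF) are disabled, which is what breaks the ImageMagick-to-Ghostscript chain. It assumes that `gs --version` prints a dotted version such as `10.03.1` and that the policy file uses the standard `<policy domain="coder" rights="none" pattern="..."/>` form; the two sample policy files it writes to a temporary directory are constructed for illustration, not taken from any real system.

```shell
#!/bin/sh
# Added audit helper: is Ghostscript patched, and does ImageMagick's policy.xml
# keep PostScript-family input away from Ghostscript? Not the project's own code.
# Assumption: `gs --version` prints a dotted version (e.g. 10.03.1).

# Version the advisory says to update to (fixes were spread over 10.03.0 and 10.03.1).
GS_FIXED_VERSION="10.03.1"

# version_ge A B: succeeds when dotted numeric version A is >= B (up to 3 components).
version_ge() {
  a=$(printf '%s' "$1" | tr '.' ' ')
  b=$(printf '%s' "$2" | tr '.' ' ')
  set -- $a 0 0 0
  a1=$1; a2=$2; a3=$3
  set -- $b 0 0 0
  b1=$1; b2=$2; b3=$3
  [ "$a1" -ne "$b1" ] && { [ "$a1" -gt "$b1" ] && return 0 || return 1; }
  [ "$a2" -ne "$b2" ] && { [ "$a2" -gt "$b2" ] && return 0 || return 1; }
  [ "$a3" -ge "$b3" ] && return 0 || return 1
}

# gs_is_patched VERSION: succeeds when VERSION is at or above the fixed release.
gs_is_patched() { version_ge "$1" "$GS_FIXED_VERSION"; }

# check_installed_gs: query the gs binary on PATH (returns 2 if none is installed).
check_installed_gs() {
  if ! command -v gs >/dev/null 2>&1; then
    echo "ghostscript: not on PATH (also check bundled copies, e.g. in container images)"
    return 2
  fi
  v=$(gs --version 2>/dev/null | head -n 1)
  if gs_is_patched "$v"; then
    echo "ghostscript $v: at or above $GS_FIXED_VERSION"
  else
    echo "ghostscript $v: below $GS_FIXED_VERSION, update"
    return 1
  fi
}

# policy_blocks_postscript FILE: succeeds when every PostScript-family coder that
# ImageMagick would hand to Ghostscript is disabled, either as its own
# pattern="PS" entry or inside a brace list such as pattern="{PS,EPS,PDF}".
policy_blocks_postscript() {
  for coder in PS PS2 PS3 EPS PDF; do
    grep -E '<policy[^>]*>' "$1" \
      | grep 'domain="coder"' \
      | grep 'rights="none"' \
      | grep -Eq "pattern=\"(\{([^\"]*,)?)?${coder}(,[^\"]*)?\}?\"" \
      || { echo "policy.xml: coder $coder is not disabled"; return 1; }
  done
  echo "policy.xml: PostScript-family coders disabled"
}

# write_sample_policies: constructed sample files for demonstration; prints the directory.
write_sample_policies() {
  dir=$(mktemp -d)
  cat > "$dir/hardened.xml" <<'EOF'
<policymap>
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}" />
</policymap>
EOF
  cat > "$dir/default.xml" <<'EOF'
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="MVG" />
</policymap>
EOF
  printf '%s\n' "$dir"
}

# main [POLICY_FILE]: audit the host, show both samples, then check a real policy if given.
main() {
  check_installed_gs
  dir=$(write_sample_policies)
  policy_blocks_postscript "$dir/hardened.xml"
  policy_blocks_postscript "$dir/default.xml" || true
  rm -rf "$dir"
  [ -n "${1:-}" ] && policy_blocks_postscript "$1"
  return 0
}

main "$@"
```

Run it as `sh audit-gs.sh /etc/ImageMagick-6/policy.xml` (or the policy path your ImageMagick build reads) on each host or image that converts user-supplied documents; a Ghostscript below 10.03.1 or a policy that still allows PS/EPS delegation is the condition the advisory asks you to find. Because the version check is plain string comparison on `gs --version`, it does not see vendor backports, so confirm distribution packages against their own changelogs.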