This article uncovers a critical remote code execution flaw in the widely-used Ghostscript PDF library, impacting Linux and Windows systems. It provides crucial information and recommended steps for protection.
A critical remote code execution (RCE) vulnerability has been uncovered in Ghostscript, the widely-used open source interpreter for PostScript language and PDF files. The vulnerability, CVE-2023-36664, poses a significant risk and impacts all versions of Ghostscript released before 10.01.2, made available three weeks ago.
The flaw, discovered by security analysts G. Glass and D. Truman from Kroll, allows attackers to execute malicious code by exploiting a specially-crafted file. Ghostscript’s widespread use in Linux distributions and its integration with popular software applications like LibreOffice, GIMP, Inkscape, Scribus, ImageMagick, and the CUPS printing system makes it a prime target for potential attacks.
Windows users are not exempt from this vulnerability either, as applications that rely on Ghostscript ports are also affected.
The vulnerability, CVE-2023-36664, stems from Ghostscript's handling of OS pipes, which it uses to exchange data with other applications. Specifically, the flaw lies in the gp_file_name_reduce() function, which is responsible for simplifying paths by removing relative path references such as "." and ".." before a file is accessed.
However, when presented with a specially-crafted path, the function produces an unexpected result, bypassing validation and allowing potential exploitation. Ghostscript's file opening process also calls the gp_validate_path() function to check that a file is safe to open. Unfortunately, the flaw in gp_file_name_reduce() allows attackers to manipulate the resolved file location, granting unauthorised access.
Kroll's analysts have developed a proof of concept (PoC) exploit that triggers the vulnerability by opening an Encapsulated PostScript (EPS) file in any application that uses Ghostscript. In a demonstration video, the researchers showcased the exploit using Inkscape on a Windows system, performing actions such as launching the calculator or displaying user dialogs.
To mitigate the risk, Linux users should promptly update Ghostscript to version 10.01.2 using their distribution’s package manager. If the latest version is not yet available, compiling Ghostscript from the source code is recommended. Windows users using open source software with Ghostscript ports should exercise caution, as migrating to the latest version may take additional time.
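The following POSIX shell script is an added example (not part of this article, nor tooling from Kroll or the Ghostscript project) that turns the mitigation advice above into a repeatable check: it compares the version reported by gs --version against the fixed release, 10.01.2, component by component, so that a 9.x release is correctly recognised as older than 10.01.2 and the leading zero in "01" does not confuse a string comparison. The file name gs_version_check.sh is an assumption.

```shell
#!/bin/sh
# Added example: flag a Ghostscript install older than the release that
# fixes CVE-2023-36664. Versions are compared numerically per component.

FIXED_VERSION="10.01.2"

# Convert one dotted version component to a decimal integer ("01" -> 1).
vcomp() {
    n=$(printf '%s' "$1" | sed 's/^0*//')
    [ -z "$n" ] && n=0
    printf '%s' "$n"
}

# Print the first three components of a dotted version as decimal
# integers separated by spaces, padding missing components with 0.
vparts() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    printf '%s %s %s' "$(vcomp "${1:-0}")" "$(vcomp "${2:-0}")" "$(vcomp "${3:-0}")"
}

# version_lt A B: return 0 if A is strictly older than B, 1 otherwise.
version_lt() {
    set -- $(vparts "$1") $(vparts "$2")
    # $1 $2 $3 are the components of A, $4 $5 $6 those of B.
    [ "$1" -lt "$4" ] && return 0
    [ "$1" -gt "$4" ] && return 1
    [ "$2" -lt "$5" ] && return 0
    [ "$2" -gt "$5" ] && return 1
    [ "$3" -lt "$6" ] && return 0
    return 1
}

# Report on the Ghostscript binary found on PATH, if any. gs --version
# prints the bare version string (for example "10.01.2").
# Exit status: 0 fixed, 1 older than the fix, 2 no gs binary found.
check_installed_gs() {
    if ! command -v gs >/dev/null 2>&1; then
        echo "gs not found on PATH"
        return 2
    fi
    v=$(gs --version 2>/dev/null | head -n 1)
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "Ghostscript $v is older than $FIXED_VERSION: update (CVE-2023-36664)"
        return 1
    fi
    echo "Ghostscript $v is at or above $FIXED_VERSION"
    return 0
}

# Run the check only when invoked directly as gs_version_check.sh; the
# functions above stay usable from other scripts via ". ./gs_version_check.sh".
case "${0##*/}" in
    gs_version_check.sh) check_installed_gs ;;
esac
```

One caveat when reading the result: distributions sometimes backport a fix without raising the upstream version number, so a version below 10.01.2 from a distro package is a prompt to check that distribution's advisory for CVE-2023-36664 rather than a definitive verdict. Also remember that applications which bundle their own Ghostscript port (as several Windows builds do) will not be covered by the gs binary on PATH.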
Kroll has shared Sigma rules on its GitHub repository to assist in detecting attempts to exploit CVE-2023-36664, enabling security professionals to protect their systems against potential attacks.
Stay informed and take proactive measures to secure your systems and data, as malicious actors actively exploit vulnerabilities like these. By promptly addressing security concerns and keeping software up to date, we can collectively strengthen the resilience of our digital environments.