Executive Summary

Summary
Title Ghostscript contains multiple -dSAFER sandbox bypass vulnerabilities
Informations
Name VU#332928 First vendor Publication 2018-08-21
Vendor VU-CERT Last vendor Modification 2018-10-01
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score 9.3 Attack Range Network
Cvss Impact Score 10 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#332928

Ghostscript contains multiple -dSAFER sandbox bypass vulnerabilities

Original Release date: 21 Aug 2018 | Last revised: 01 Oct 2018

Overview

Ghostscript contains multiple -dSAFER sandbox bypass vulnerabilities, which may allow a remote, unauthenticated attacker to execute arbitrary commands on a vulnerable system.

Description

Ghostscript contains an optional -dSAFER option, which is supposed to prevent unsafe PostScript operations. Multiple PostScript operations bypass the protections provided by -dSAFER, which can allow an attacker to execute arbitrary commands with arbitrary arguments. This vulnerability can also be exploited in applications that leverage Ghostscript, such as ImageMagick, GraphicsMagick, evince, Okular, Nautilus, and others.

Exploit code for this vulnerability is publicly available.

Impact

By causing Ghostscript or a program that leverages Ghostscript to parse a specially-crafted file, a remote, unauthenticated attacker may be able to execute arbitrary commands with the privileges of the Ghostscript code. This action may be triggered with actions as simple as downloading a file from a website.

Solution

Apply an update

This issue is addressed in Ghostscript version 9.24. Please also consider the following workarounds:

Disable PS, EPS, PDF, and XPS coders in ImageMagick policy.xml

ImageMagick uses Ghostscript by default to process PostScript content. ImageMagick can be controlled via the policy.xmlsecurity policyto disable the processing of PS, EPS, PDF, and XPS content. For example, this can be done by adding these lines to the <policymap> section of the /etc/ImageMagick/policy.xml file on a RedHat system:

    <policy domain="coder" rights="none" pattern="PS" />
    <policy domain="coder" rights="none" pattern="PS2" />
    <policy domain="coder" rights="none" pattern="PS3" />
    <policy domain="coder" rights="none" pattern="EPS" />
    <policy domain="coder" rights="none" pattern="PDF" />
    <policy domain="coder" rights="none" pattern="XPS" />

Check with your vendor for the proper location of this file on your platform. Note that this workaround only mitigates the ImageMagick attack vector to Ghostscript.

Remove Ghostscript

Because of the number of different attack vectors to get to Ghostscript and the public availability of exploit code, the most effective protection for this vulnerability is to remove Ghostscript from your system until a fixed version is available.

Patch Ghostscript

Artifex software has made the following patches available for Ghostscript:

http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b575e1ec
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8e9ce501
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=241d9111
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c432131c
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e01e77a3
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0edd3d6c
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a054156d
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0d390118
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c3476dde
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b326a716
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=78911a01
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5516c614
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=78911a01b6
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5516c614dc33
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=79cccf641486
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=520bb0ea7519aa3e79db78aaf0589dae02103764

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
Artifex Software, Inc.Affected24 Aug 201806 Sep 2018
CentOSAffected21 Aug 201822 Aug 2018
Debian GNU/LinuxAffected21 Aug 201822 Aug 2018
Fedora ProjectAffected21 Aug 201822 Aug 2018
FreeBSD ProjectAffected21 Aug 201822 Aug 2018
Gentoo LinuxAffected21 Aug 201822 Aug 2018
ImageMagickAffected24 Aug 201824 Aug 2018
Red Hat, Inc.Affected21 Aug 201821 Aug 2018
SUSE LinuxAffected21 Aug 201822 Aug 2018
SynologyAffected-23 Aug 2018
UbuntuAffected21 Aug 201821 Aug 2018
AppleNot Affected21 Aug 201827 Aug 2018
CoreOSNot Affected21 Aug 201821 Aug 2018
Arch LinuxUnknown21 Aug 201821 Aug 2018
Arista Networks, Inc.Unknown21 Aug 201821 Aug 2018
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

GroupScoreVector
Base7.5AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal6.8E:F/RL:W/RC:C
Environmental6.8CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

  • https://ghostscript.com/doc/9.24/History9.htm#Version9.24
  • http://openwall.com/lists/oss-security/2018/08/21/2
  • https://bugs.chromium.org/p/project-zero/issues/detail?id=1640
  • https://www.imagemagick.org/script/security-policy.php
  • https://www.imagemagick.org/script/resources.php
  • https://www.ghostscript.com/doc/current/Use.htm#Safer
  • http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b575e1ec
  • http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8e9ce501
  • http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=241d9111
  • http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c432131c
  • http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e01e77a3
  • http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e01e77a3
  • http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0edd3d6c
  • http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a054156d
  • http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0d390118
  • http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c3476dde
  • http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b326a716
  • http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=78911a01
  • http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5516c614
  • http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=78911a01b6
  • http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5516c614dc33
  • http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=79cccf641486
  • http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=520bb0ea7519aa3e79db78aaf0589dae02103764

Credit

This vulnerability was publicly disclosed by Tavis Ormandy.

This document was written by Will Dormann.

Other Information

  • CVE IDs:CVE-2018-16509
  • Date Public:21 Feb 2018
  • Date First Published:21 Aug 2018
  • Date Last Updated:01 Oct 2018
  • Document Revision:57

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/332928

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 7
Application 17
Os 3
Os 2
Os 2
Os 2
Os 1
Os 2

Snort® IPS/IDS

Date Description
2019-11-19 Ghostscript -dSAFER sandbox bypass attempt
RuleID : 51945 - Revision : 1 - Type : FILE-OTHER
2018-10-25 Ghostscript -dSAFER sandbox bypass attempt
RuleID : 47882 - Revision : 1 - Type : FILE-OTHER

Nessus® Vulnerability Scanner

Date Description
2018-12-28 Name : The remote EulerOS Virtualization host is missing multiple security updates.
File : EulerOS_SA-2018-1412.nasl - Type : ACT_GATHER_INFO
2018-12-28 Name : The remote EulerOS host is missing multiple security updates.
File : EulerOS_SA-2018-1430.nasl - Type : ACT_GATHER_INFO
2018-12-21 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2018-1137.nasl - Type : ACT_GATHER_INFO
2018-12-14 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2018-3761.nasl - Type : ACT_GATHER_INFO
2018-12-10 Name : The remote EulerOS host is missing multiple security updates.
File : EulerOS_SA-2018-1404.nasl - Type : ACT_GATHER_INFO
2018-12-07 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2018-3760.nasl - Type : ACT_GATHER_INFO
2018-11-26 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201811-12.nasl - Type : ACT_GATHER_INFO
2018-11-21 Name : The remote Virtuozzo host is missing a security update.
File : Virtuozzo_VZLSA-2018-2918.nasl - Type : ACT_GATHER_INFO
2018-10-16 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2018-2918.nasl - Type : ACT_GATHER_INFO
2018-10-11 Name : The remote Amazon Linux 2 host is missing a security update.
File : al2_ALAS-2018-1088.nasl - Type : ACT_GATHER_INFO
2018-10-09 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201810-04.nasl - Type : ACT_GATHER_INFO
2018-09-19 Name : The remote Windows host contains a library that is affected by multiple vulne...
File : ghostscript_9_25.nasl - Type : ACT_GATHER_INFO
2018-09-17 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-4294.nasl - Type : ACT_GATHER_INFO
2018-09-14 Name : The remote Slackware host is missing a security update.
File : Slackware_SSA_2018-256-01.nasl - Type : ACT_GATHER_INFO
2018-09-14 Name : The remote Debian host is missing a security update.
File : debian_DLA-1504.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Date Informations
2018-10-31 00:23:46
  • Multiple Updates
2018-10-16 17:22:08
  • Multiple Updates
2018-10-02 00:18:29
  • Multiple Updates
2018-09-06 17:18:31
  • Multiple Updates
2018-09-05 00:18:46
  • Multiple Updates
2018-08-31 17:18:54
  • Multiple Updates
2018-08-28 00:19:11
  • Multiple Updates
2018-08-25 17:19:14
  • Multiple Updates
2018-08-25 00:19:19
  • Multiple Updates
2018-08-24 17:18:58
  • Multiple Updates
2018-08-24 00:18:59
  • Multiple Updates
2018-08-23 17:19:14
  • Multiple Updates
2018-08-22 21:18:55
  • Multiple Updates
2018-08-22 17:18:40
  • Multiple Updates
2018-08-21 21:19:03
  • Multiple Updates
2018-08-21 17:18:46
  • First insertion