Infosec circles are awash with chatter about a vulnerability in Ghostscript some experts believe could be the cause of several major breaches in the coming months.
Ghostscript is a Postscript and Adobe PDF interpreter that lets users of *nix, Windows, MacOS, and various embedded OSes and platforms view, print, and convert PDFs and image files. It is a default installation in many distros, as well as being used indirectly by other packages to support printing or conversion operations.
Tracked as CVE-2024-29510 (Tenable designated it CVSS 5.5 – medium), the format string bug was originally reported to the Ghostscript team in March, and later mitigated in April’s version 10.03.1 of the open source interpreter for PostScript and PDF files.
However, the blog of the researcher who discovered the flaw has sparked the first major wave of interest in the vulnerability since it became public.
Thomas Rinsma, lead security analyst at Dutch security shop Codean Labs, found a way to achieve remote code execution (RCE) on machines running Ghostscript after bypassing the -dSAFER sandbox.
“This vulnerability has significant impact on web applications and other services offering document conversion and preview functionalities as these often use Ghostscript under the hood,” said Rinsma.
Here he’s referring to Ghostscript’s wide-ranging use across the web. Most commonly it’s found powering functionality such as preview images in cloud storage and chat programs, and is often invoked when these images are rendered. It’s also heavily used in tasks such as PDF conversion and printing, and can be found powering optical character recognition (OCR) workflows too.
“It is the kind of software that is so integral to so many wider solutions that its existence is often taken for granted,” Stephen Robinson, senior threat intelligence analyst at WithSecure, told El Reg.
As Ghostscript became more popular, the dev team behind the project made the call to implement increasingly hardened sandboxing capabilities, Rinsma added. The -dSAFER sandbox is enabled by default and typically stops potentially dangerous operations such as command execution from taking place.
The full technical details behind the exploit can be found in the researcher’s blog, including the link to download a proof of concept (PoC) exploit for Linux (x86-64), but the long and short of it is that it can allow attackers to arbitrarily read and write files, and achieve RCE on an affected system.
Replying to a discussion thread about Rinsma’s PoC, the researcher confirmed it won’t work for everyone straight out of the box as the code assumes a number of things such as stack and structure offsets that may vary depending on the target system.
“The PoC Codean Labs has shared is an EPS file, and so any image conversion service or workflow which is compatible with EPS could be exploited to achieve RCE,” Robinson said.
“While the CVE has not been analysed by NVD, Tenable lists it as a local vulnerability which requires user interaction, and which has no risk of impacting integrity or availability, only confidentiality.”
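Robinson's point that any EPS-compatible conversion workflow is exposed suggests a defensive check that does not depend on patch level: a preview or thumbnailing service that only ever needs raster images can refuse to hand Ghostscript anything else. The following is an added example, not code from Codean Labs, Ghostscript or the article's sources. It classifies a file by its leading bytes and accepts only an allowlist of raster formats; the signatures and the 512-byte read are this example's own choices, and the sample inputs are constructed.

```python
"""Gate uploads before they reach a PostScript/PDF interpreter.

Added example: allowlist raster formats by magic bytes so that PostScript,
EPS and PDF never reach Ghostscript from a service that only needs images.
"""

# Signatures recognised by this example (an assumption: the service only
# needs these families, not every format Ghostscript can open).
DOS_EPS_BINARY_HEADER = b"\xc5\xd0\xd3\xc6"   # DOS EPS binary file header
POSTSCRIPT_PREFIX = b"%!PS"                   # e.g. "%!PS-Adobe-3.0 EPSF-3.0"
PDF_PREFIX = b"%PDF-"
UTF8_BOM = b"\xef\xbb\xbf"

RASTER_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def classify(head: bytes) -> str:
    """Name the file family from its leading bytes, or 'unknown'."""
    # Raster signatures must sit at offset 0; check them on the raw bytes.
    for sig, name in RASTER_SIGNATURES.items():
        if head.startswith(sig):
            return name
    # Text-based headers may be preceded by a BOM or whitespace, so strip
    # those before looking for the PostScript/PDF markers.
    stripped = head[len(UTF8_BOM):] if head.startswith(UTF8_BOM) else head
    stripped = stripped.lstrip()
    if stripped.startswith(DOS_EPS_BINARY_HEADER):
        return "eps-binary"
    if stripped.startswith(POSTSCRIPT_PREFIX):
        return "postscript"
    if stripped.startswith(PDF_PREFIX):
        return "pdf"
    return "unknown"


def accept_for_thumbnailing(head: bytes, allowed=("png", "jpeg", "gif")) -> bool:
    """Allowlist gate: only recognised raster formats are passed on.

    An allowlist matters here because Ghostscript will interpret PostScript
    that lacks the '%!PS' header line, so a denylist of known markers would
    still let unlabelled PostScript through.
    """
    return classify(head) in allowed


def gate_file(path: str) -> bool:
    """Read the first 512 bytes of a file on disk and apply the gate."""
    with open(path, "rb") as fh:
        return accept_for_thumbnailing(fh.read(512))


if __name__ == "__main__":
    # Constructed samples standing in for uploads.
    samples = {
        "eps": b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\n",
        "png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
        "headerless-ps": b"0 0 moveto 10 10 lineto stroke\n",
    }
    for label, head in samples.items():
        print(f"{label:14s} -> {classify(head):11s} accept={accept_for_thumbnailing(head)}")
```

The gate belongs in front of every path that ends in Ghostscript, not only the obvious upload form; the article's point is that the interpreter is reached indirectly through other packages, so the raster-only rule has to be enforced where the service decides what to convert.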
Experts sound the alarm
Cybersec bods picked up on Rinsma’s research this week and were quick to pinpoint the potential dangers around it, and how its assigned severity rating might not be telling the full picture.
The slowdown at the National Vulnerability Database (NVD) appears to be showing itself with this one.
Bob Rudis, VP of data science at GreyNoise, said the advisories and accompanying severity assessments from the likes of Tenable and Red Hat (both rated the bug 5.5 using CVSS 3.0) were missing the mark in some aspects.
Namely, Rudis and other onlookers believe that no user interaction is required for the exploit to be successful. Both Red Hat and Tenable assessed the opposite to be the case, a decision that, if incorrect, would mean the severity score is currently lower than it should be.
“Comparing this to CVE-2023-36664, an earlier GhostScript RCE, which was listed as high risk for integrity, availability, and confidentiality, it seems more correct for an RCE,” said Robinson.
“It is true that the file must be local and that the process must be initiated, but as Ghostscript is so often included in automated workflows that are processing untrusted files, this vulnerability may be more severe than the 5.5 CVSS 3.0 base score that Tenable has assigned it.”
Organizations use the CVE program and accompanying severity scores as quick guides on how much of a priority fixing certain vulnerabilities should be. When bugs aren’t properly assessed, it opens up the possibility that patches and mitigations aren’t applied with the requisite urgency.
Just the fact that the industry has only recently woken up to the severity of this particular vulnerability months after it was fixed is evidence in itself that accurate severity assessments are hugely important for the infosec industry.
Rudis also said that in the next six months he expects to receive between five and 10 notifications from organizations offering the usual year of free credit monitoring following a material breach.
Bill Mill, a full stack developer at ReadMe, said he has already seen attacks in the wild. So now that a PoC is released – which Mill branded “trivial” to exploit – and a ton of attention is on CVE-2024-29510, getting those patches applied should be any organization’s top priority.
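Acting on that priority starts with knowing which hosts still run a Ghostscript older than the 10.03.1 release named above. The following is an added example, not tooling from Ghostscript, Tenable or anyone quoted in the article: it parses the output of `gs --version`, compares it numerically against the fixed version, and reports. The version-string formats it tolerates and the `gs` binary name are assumptions; the sample strings in the test are constructed.

```python
"""Flag Ghostscript installs older than the 10.03.1 fix for CVE-2024-29510.

Added example. Versions are compared as integer tuples so that 10.03.1 sorts
above 9.55.0; a plain string comparison would get that wrong.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = "10.03.1"   # release the article names as carrying the fix

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the first dotted version from text such as '10.03.1' or
    'GPL Ghostscript 9.55.0 (2021-09-27)' and return it as an int tuple."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_fixed(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the reported version is at or above the fixed release.
    A two-component version such as '10.03' compares below '10.03.1' and is
    therefore reported as not fixed, which is the safe direction."""
    return parse_version(version_text) >= parse_version(fixed)


def installed_gs_version(binary: str = "gs") -> Optional[str]:
    """Ask the local Ghostscript binary for its version; None if not on PATH."""
    path = shutil.which(binary)
    if path is None:
        return None
    result = subprocess.run([path, "--version"], capture_output=True,
                            text=True, check=True)
    return result.stdout.strip()


def report(binary: str = "gs") -> str:
    """Human-readable verdict for the local install."""
    version = installed_gs_version(binary)
    if version is None:
        return f"{binary}: not found on PATH"
    if is_fixed(version):
        return f"{binary} {version}: at or above {FIXED_VERSION}"
    return f"{binary} {version}: older than {FIXED_VERSION}, check your distro advisory"


if __name__ == "__main__":
    print(report())
```

Two caveats a practitioner would apply: distributions such as Red Hat and Debian often backport a fix without changing the upstream version number, so an "older than" result should be confirmed against the distribution's own advisory rather than treated as proof of exposure; and the article notes that many packages embed or depend on Ghostscript, so checking the `gs` on PATH says nothing about copies bundled with other software.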
Double trouble
It’s the second time in 12 months that a concerning RCE has been disclosed in Ghostscript. In July last year, PoCs for CVE-2023-36664 hit the headlines after Kroll’s researchers published an investigation into the bug.
This one was rated 9.8 on the severity scale – a critical flaw that security teams would be unlikely to pass up the opportunity to patch. All that was required to exploit it was to convince a target to open a malicious file.
Concern abounded at the time, as it has done this week, mainly over the realization of just how prevalent Ghostscript is in modern software. Kroll said Debian 12 had 131 packages that depended on Ghostscript and popular apps like those in the LibreOffice suite also make use of the interpreter. ®