Ghostscript: Code injection vulnerability under attack

IT security researchers have discovered several vulnerabilities in Ghostscript. One of them is apparently already being exploited.

[Image: stylized picture of a software update on a laptop. Caption: "Updates are available." (Image created with AI in Bing Designer by heise online / dmk)]

This article was originally published in German and has been automatically translated.

IT security researchers have discovered five security vulnerabilities in Ghostscript. Attackers can, for example, bypass the sandbox and execute arbitrary code. A proof-of-concept exploit is publicly available for at least one of the vulnerabilities. According to a report, the code injection vulnerability has already been exploited in the wild. Updates and patches are already available.

The IT security researchers at Codean Labs have compiled the information on the five vulnerabilities in a mailing list post. For one of the vulnerabilities they have written a detailed blog post presenting their analysis, along with a customizable proof-of-concept exploit.

The researchers do not provide concrete risk ratings, for example according to the CVSS standard. Due to insufficient parameter filtering, a heap-based buffer overflow can occur when processing a PDF password parameter (CVE-2024-29509). A stack overflow may occur when processing CIDFSubstPath/Font parameters (CVE-2024-29507). Due to an error in pdf_base_font_alloc(), attackers may be able to read values via dangling pointers (CVE-2024-29508). The configuration of Tesseract, which is used for OCR, can be abused by attackers to read and write arbitrary files (CVE-2024-29511).

The most serious vulnerability, however, concerns the Uniprint device, which contains a format string vulnerability. By creating a page device with suitable options, attackers gain control over the format string. By setting a temporary output path, they gain access to the device output and can read data from the stack. Combined, this makes it possible to inject and execute malicious code (CVE-2024-29510).

These vulnerabilities matter because Ghostscript is often used on the back end, for example for document preview functions or format conversions. ImageMagick, for example, relies on it, and LibreOffice also ships with Ghostscript – however, it is currently unclear whether the office software is also affected. The bugs have been fixed in Ghostscript 10.03.0, but some of them will only be fixed in Ghostscript 10.03.1 from May 2024. Many Linux distributions are already shipping updated packages or have provided patches. IT managers should ensure that Ghostscript is up to date.
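As an added example (not from heise online or the Ghostscript project), the following script classifies an installed Ghostscript against the two fixed releases named above, 10.03.0 (partial) and 10.03.1 (complete); it assumes the `gs` binary is on PATH and that `gs --version` prints only the version number.

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Fixed releases named in the article: 10.03.0 fixes some of the five CVEs,
# 10.03.1 (May 2024) fixes the rest.
PARTIAL_FIX = (10, 3, 0)
FULL_FIX = (10, 3, 1)


def parse_gs_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn `gs --version` output such as '10.02.1' into a comparable (10, 2, 1)."""
    m = re.search(r"\b(\d+)\.(\d+)(?:\.(\d+))?\b", text)
    if not m:
        return None
    # A missing patch component (e.g. '10.03') is treated as .0
    return tuple(int(g) for g in m.groups(default="0"))


def assess(version: Tuple[int, ...]) -> str:
    """Classify an upstream version against the fixed releases from the article."""
    if version >= FULL_FIX:
        return "fixed"
    if version >= PARTIAL_FIX:
        return "partially fixed"
    return "vulnerable"


def assess_installed() -> str:
    """Run the local gs binary (assumed to be on PATH) and classify it."""
    gs = shutil.which("gs")
    if gs is None:
        return "not installed"
    out = subprocess.run([gs, "--version"], capture_output=True, text=True, check=False).stdout
    version = parse_gs_version(out)
    return "unknown" if version is None else assess(version)


if __name__ == "__main__":
    print(f"ghostscript: {assess_installed()}")
```

Because distributions often backport fixes without bumping the upstream version number, a "vulnerable" or "partially fixed" result means checking the distribution's own advisory for the installed package, not that the host is necessarily exposed.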

User Bill Mill reported on Mastodon that he had fended off an attack on the vulnerability in the wild. It is therefore "not just a theoretical problem", he adds.

Almost exactly a year ago, another vulnerability was discovered in Ghostscript that allowed malicious code to be injected. At that time, LibreOffice and other packages bundling Ghostscript were also explicitly affected.

(dmk)