Ghostscript Library’s RCE Bug Now Being Exploited in Attacks

July 8, 2024

The Ghostscript document conversion toolkit, prevalent on many Linux systems, is under attack due to a remote code execution (RCE) vulnerability. Ghostscript, pre-installed on numerous Linux distributions, is a component of various document conversion software including ImageMagick, LibreOffice, GIMP, Inkscape, Scribus, and the CUPS printing system. The vulnerability, tracked as CVE-2024-29510, affects all Ghostscript 10.03.0 and earlier installations. It allows attackers to circumvent the -dSAFER sandbox (enabled by default) as unpatched versions of Ghostscript do not block changes to uniprint device argument strings post-sandbox activation.

This security loophole is particularly perilous because it permits high-risk operations such as command execution and file I/O through the Ghostscript PostScript interpreter, operations the sandbox normally blocks. Codean Labs, the security researchers who unearthed and reported the vulnerability, issued a warning about its significant impact on web applications and other services that offer document conversion and preview functionalities, as these often utilize Ghostscript. They urged users to verify whether their solution uses Ghostscript, either directly or indirectly, and if so, to update to the latest version.

Codean Labs also provided a PostScript file to help defenders detect if their systems are susceptible to CVE-2023-36664 attacks. The Ghostscript development team patched the security flaw in May, with Codean Labs releasing a write-up containing technical details and proof-of-concept exploit code two months later. Threat actors have already begun exploiting the CVE-2024-29510 Ghostscript vulnerability in the wild, using EPS (PostScript) files disguised as JPG (image) files to gain shell access to vulnerable systems.
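A defender-side sweep for the disguise described above, as an added example that is not from Codean Labs or the original article: it walks a directory of received files and flags those whose name claims a raster image but whose leading bytes are a PostScript or EPS signature. The extension list, function names and sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Extensions treated as "claims to be a raster image" (assumption; extend as needed).
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
JPEG_MAGIC = b"\xff\xd8\xff"            # start of a genuine JPEG
PS_TEXT_MAGIC = b"%!"                   # PostScript/EPS text header, e.g. "%!PS-Adobe-3.0"
EPS_BINARY_MAGIC = b"\xc5\xd0\xd3\xc6"  # DOS EPS binary header (EPS with preview)


def looks_like_postscript(head: bytes) -> bool:
    """True if the leading bytes carry a PostScript/EPS signature."""
    # Tolerate a UTF-8 BOM or leading whitespace in front of "%!".
    stripped = head.lstrip(b"\xef\xbb\xbf \t\r\n")
    return stripped.startswith(PS_TEXT_MAGIC) or head.startswith(EPS_BINARY_MAGIC)


def scan_uploads(root: str) -> list[str]:
    """Return paths with an image extension whose content is PostScript/EPS."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in IMAGE_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(64)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if looks_like_postscript(head):
                hits.append(path)
    return sorted(hits)


def build_constructed_samples(root: str) -> None:
    """Write constructed sample files (not real artefacts) for a dry run."""
    samples = {
        "photo.jpg": JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00",        # real JPEG header
        "invoice.jpg": b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\n",
        "logo.JPEG": EPS_BINARY_MAGIC + b"\x1e\x00\x00\x00",      # binary EPS header
        "figure.eps": b"%!PS-Adobe-3.0 EPSF-3.0\n",               # honest extension
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_samples(tmp)
        for hit in scan_uploads(tmp):
            print("extension/content mismatch:", hit)
```

A hit only means the file name and content disagree; it does not prove exploitation, and a clean sweep does not replace upgrading Ghostscript.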

Developer Bill Mill issued a stern warning about the vulnerability, stating, "If you have ghostscript *anywhere* in your production services, you are probably vulnerable to a shockingly trivial remote shell execution, and you should upgrade it or remove it from your production systems." Codean Labs recommended updating Ghostscript to v10.03.1 as the best mitigation against this vulnerability. If the latest version of Ghostscript is not available, a patch version with a fix for this vulnerability may have been released by the distribution (e.g., Debian, Ubuntu, Fedora).

A year prior, the Ghostscript developers patched another critical RCE flaw (CVE-2023-36664) that was also triggered by opening maliciously crafted files on unpatched systems.
