Overview
Ghostscript contains multiple -dSAFER sandbox bypass vulnerabilities, which may allow a remote, unauthenticated attacker to execute arbitrary commands on a vulnerable system.
Description
Ghostscript contains an optional -dSAFER option, which is supposed to prevent unsafe PostScript operations. Multiple PostScript operations bypass the protections provided by -dSAFER, which can allow an attacker to execute arbitrary commands with arbitrary arguments. This vulnerability can also be exploited in applications that leverage Ghostscript, such as ImageMagick, GraphicsMagick, evince, Okular, Nautilus, and others. Exploit code for this vulnerability is publicly available. |
Impact
By causing Ghostscript or a program that leverages Ghostscript to parse a specially-crafted file, a remote, unauthenticated attacker may be able to execute arbitrary commands with the privileges of the Ghostscript code. This action may be triggered with actions as simple as downloading a file from a website. |
Solution
Apply an update |
Disable PS, EPS, PDF, and XPS coders in ImageMagick policy.xml
<policy domain="coder" rights="none" pattern="PS2" /> <policy domain="coder" rights="none" pattern="PS3" /> <policy domain="coder" rights="none" pattern="EPS" /> <policy domain="coder" rights="none" pattern="PDF" /> <policy domain="coder" rights="none" pattern="XPS" /> Check with your vendor for the proper location of this file on your platform. Note that this workaround only mitigates the ImageMagick attack vector to Ghostscript. Remove Ghostscript Because of the number of different attack vectors to get to Ghostscript and the public availability of exploit code, the most effective protection for this vulnerability is to remove Ghostscript from your system until a fixed version is available. Patch Ghostscript Artifex software has made the following patches available for Ghostscript: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b575e1ec http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8e9ce501 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=241d9111 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c432131c http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e01e77a3 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0edd3d6c http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a054156d http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0d390118 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c3476dde http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b326a716 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=78911a01 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5516c614 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=78911a01b6 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5516c614dc33 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=79cccf641486 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=520bb0ea7519aa3e79db78aaf0589dae02103764 |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| Temporal | 6.8 | E:F/RL:W/RC:C |
| Environmental | 6.8 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND |
References
- https://ghostscript.com/doc/9.24/History9.htm#Version9.24
- http://openwall.com/lists/oss-security/2018/08/21/2
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1640
- https://www.imagemagick.org/script/security-policy.php
- https://www.imagemagick.org/script/resources.php
- https://www.ghostscript.com/doc/current/Use.htm#Safer
- http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b575e1ec
- http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8e9ce501
- http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=241d9111
- http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c432131c
- http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e01e77a3
- http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e01e77a3
- http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0edd3d6c
- http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a054156d
- http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0d390118
- http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c3476dde
- http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b326a716
- http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=78911a01
- http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5516c614
- http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=78911a01b6
- http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5516c614dc33
- http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=79cccf641486
- http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=520bb0ea7519aa3e79db78aaf0589dae02103764
Acknowledgements
This vulnerability was publicly disclosed by Tavis Ormandy.
This document was written by Will Dormann.
Other Information
| CVE IDs: | CVE-2018-16509 |
| Date Public: | 2018-02-21 |
| Date First Published: | 2018-08-21 |
| Date Last Updated: | 2019-03-13 19:59 UTC |
| Document Revision: | 59 |