Speculation in infosec circles is rife about a vulnerability in Ghostscript, which some experts say could be the cause of several major breaches in the coming months.
Ghostscript is a Postscript and Adobe PDF interpreter that allows users of *nix, Windows, macOS, and various embedded OSes and platforms to view, print, and convert PDFs and image files. It is a default installation in many distributions, and is also used indirectly by other packages to support printing or conversion operations.
The format string bug, tracked as CVE-2024-29510 (Tenable called it CVSS 5.5 – medium), was originally reported to the Ghostscript team in March and later fixed in April’s version 10.03.1 of the open source interpreter for PostScript and PDF files.
However, a blog post by the researcher who discovered the flaw has generated a major wave of interest in it for the first time since it was made public.
Thomas Rinsma, lead security analyst at Dutch security shop Codean Labs, has found a way to remotely execute code (RCE) on machines running Ghostscript after bypassing the -dSAFER sandbox.
“This vulnerability has a significant impact on web applications and other services that provide document conversion and preview functionality, as they often use Ghostscript,” Rinsma said.
Here he is referring to Ghostscript’s widespread use on the web. It most commonly powers features like image previews in cloud storage and chat programs, and is frequently invoked when those images are rendered. It is also widely used for tasks like PDF conversion and printing, and can power optical character recognition (OCR) workflows.
“It’s the kind of software that is so integral to so many broader solutions that its existence is often taken for granted,” Stephen Robinson, senior threat intelligence analyst at WithSecure, told The Register.
As Ghostscript grew in popularity, the dev team behind the project decided to implement increasingly tough sandboxing capabilities, Rinsma added. The -dSAFER sandbox is enabled by default and generally prevents potentially dangerous operations like command execution from taking place.
The full technical details behind the exploit can be found on the researcher’s blog, including a link to download a proof of concept (PoC) exploit for Linux (x86-64). But the bottom line is that it allows attackers to read and write arbitrary files and achieve RCE on an affected system.
In a response to a discussion about Rinsma’s PoC, the researcher confirmed that it won’t work for everyone right away, as the code assumes a number of things, such as stack and structure offsets, that can vary depending on the target system.
“The PoC that Codean Labs shared is an EPS file. Any image conversion service or workflow that is compatible with EPS can be used to achieve RCE,” Robinson said.
“While the CVE has not been analyzed by NVD, Tenable calls it a local vulnerability that requires user interaction and poses no risks to integrity or availability, only to confidentiality.”
Experts are sounding the alarm
Cybersec experts picked up Rinsma’s research this week and quickly saw the potential dangers it posed, and that the severity rating assigned to the bug may not paint the full picture.
The backlog at the National Vulnerability Database (NVD) appears to be making itself felt here.
Bob Rudis, VP of Data Science at GreyNoise, said the advisories and associated severity ratings from Tenable and Red Hat (both gave the bug a score of 5.5 based on CVSS 3.0) fell short of expectations in some areas.
Rudis and other observers believe that no user interaction is needed for the exploit to be successful. Both Red Hat and Tenable assessed the opposite, a decision that, if incorrect, would mean that the severity score is currently lower than it should be.
“When we compare this to CVE-2023-36664, a previous Ghostscript RCE, which was flagged as a high risk to integrity, availability, and confidentiality, it seems more accurate for an RCE,” Robinson said.
“It is true that the file must be local and the process must be started, but given how often Ghostscript is included in automated workflows that process untrusted files, this vulnerability may be more severe than the CVSS 3.0 base score of 5.5 that Tenable has assigned to it.”
Organizations use the CVE program and its severity ratings as quick guidelines for how urgently to prioritize fixing certain vulnerabilities. If bugs are not properly assessed, there is a chance that patches and mitigations will not be applied with the urgency required.
The fact that the industry is only realizing the severity of this vulnerability several months after it was fixed is evidence in itself that accurate assessments of the severity of the problem are of paramount importance to the infosec industry.
Rudis also expects to receive between five and ten reports in the next six months from organizations that offer the usual year of free credit monitoring following a material breach.
Bill Mill, a full stack developer at ReadMe, said he’s already seen attacks in the wild. Now that a PoC has been released — which Mill called “trivial” to exploit — and there’s a lot of attention on CVE-2024-29510, applying those patches should be every organization’s top priority.
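As an added example (not from the article, Codean Labs or the Ghostscript project), the following POSIX shell check compares an installed Ghostscript version against the 10.03.1 release the article names as carrying the fix; the function names and the FIXED_VERSION constant are assumptions of this example.

```shell
#!/bin/sh
# Ghostscript 10.03.1 is the upstream release the article cites as fixing
# CVE-2024-29510; anything older is treated as unpatched.
FIXED_VERSION="10.03.1"

# version_ge A B: returns 0 when dotted version A >= B, 1 otherwise.
# Components are compared numerically, so "10.03.1" and "10.3.1" are equal.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, A, "."); nb = split(b, B, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? A[i] + 0 : 0
      y = (i <= nb) ? B[i] + 0 : 0
      if (x > y) exit 0
      if (x < y) exit 1
    }
    exit 0
  }'
}

# gs_version_vulnerable V: returns 0 (true) when V predates the fix.
gs_version_vulnerable() {
  if version_ge "$1" "$FIXED_VERSION"; then
    return 1
  fi
  return 0
}

# check_local_gs: inspects the gs binary on PATH ("gs --version" prints
# only the version string). Returns 0 if unpatched, 1 if fixed, 2 if absent.
check_local_gs() {
  command -v gs >/dev/null 2>&1 || { echo "gs not found in PATH"; return 2; }
  v=$(gs --version 2>/dev/null | head -n 1)
  if gs_version_vulnerable "$v"; then
    echo "Ghostscript $v predates $FIXED_VERSION: apply the CVE-2024-29510 fix"
    return 0
  fi
  echo "Ghostscript $v includes the CVE-2024-29510 fix"
  return 1
}

# Run the local check only when invoked as: sh check_gs.sh --check
case "${1:-}" in
  --check) check_local_gs ;;
esac
```

Distributions such as Red Hat and Debian often backport fixes without bumping the upstream version number, so treat an "unpatched" verdict as a prompt to consult the distribution's own advisory rather than as proof of exposure.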
Double trouble
This is the second time in 12 months that a concerning RCE has been revealed in Ghostscript. In July of last year, PoCs for CVE-2023-36664 made headlines after researchers at Kroll published a study on the bug.
This one was rated 9.8 on the severity scale – a critical flaw that security teams were unlikely to ignore. All it took to exploit it was to convince a target to open a malicious file.
There was a lot of concern at the time, as there has been this week, especially over the realization of how pervasive Ghostscript is in modern software. Kroll said that Debian 12 had 131 packages that depended on Ghostscript, and popular apps like those in the LibreOffice suite also use the interpreter. ®