Attackers Exploiting Remote Code Execution Vulnerability in Ghostscript


Security researchers are raising the alarm on a Ghostscript vulnerability leading to remote code execution that has already been exploited in the wild.

Tracked as CVE-2024-29510 and described as a format string injection in the uniprint device, the security defect could allow an attacker to bypass the -dSAFER sandbox and execute code remotely.

“This vulnerability has significant impact on web-applications and other services offering document conversion and preview functionalities as these often use Ghostscript under the hood,” Codean Labs security researchers, who identified the issue, warn.

A general document conversion toolkit, Ghostscript is commonly used in various applications for processing user-supplied files across Windows, Linux, macOS, and various embedded systems.

The toolkit’s wide use in automated conversion systems has prompted Ghostscript developers to implement a series of sandboxing features to prevent its abuse, and to enable the -dSAFER sandbox by default for hardening purposes.

Codean Labs discovered and reported six bugs that were addressed in Ghostscript versions 10.03.0 and 10.03.1 over the past several months. These vulnerabilities include CVE-2024-29510, three buffer overflows (CVE-2024-29509, CVE-2024-29506, and CVE-2024-29507), a pointer leak (CVE-2024-29508), and an arbitrary file read/write (CVE-2024-29511).

CVE-2024-29510, Codean explains in a technical writeup, was identified in uniprint, or the “universal printer device”, which supports generating command data for a wide range of printer models by changing configuration parameters.

While the device ensures increased versatility, it also opens the door for attacks, as the user has control over the format string being supplied, as well as read access to the device output, by setting it to a temporary file. This allows an attacker “to leak data from the stack and perform memory corruption”.


Codean, which has published proof-of-concept (PoC) code demonstrating the vulnerability, explains that an attacker could bypass Ghostscript’s -dSAFER sandbox to execute shell commands on the system. The bug can be triggered through both image and document processors.

“We recommend verifying whether your solution (indirectly) makes use of Ghostscript and if so, update it to the latest version,” Codean notes.

The issue was addressed in early May in Ghostscript version 10.03.1, but details were released only last week. However, shortly after Codean’s blog and PoC became public, security researchers raised the alarm on the potentially devastating impact of this bug.

According to GreyNoise’s Bob Rudis, CVE-2024-29510 sounds ‘bad’, as “many automagic document processing pipelines in thousands of orgs” are using Ghostscript.

ReadMe developer Bill Mill says attackers are already exploiting the flaw, which calls for immediate action from organizations and end users alike.

“The best mitigation against this vulnerability is to update your installation of Ghostscript to v10.03.1. If your distribution does not provide the latest Ghostscript version, it might still have released a patch version containing a fix for this vulnerability,” Codean notes.
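As an added example (not code from the article, Codean Labs or the Ghostscript project), the following shell script turns the two checks above into a host audit: it compares the installed Ghostscript version against the 10.03.1 threshold and reports whether the uniprint device is compiled in. It assumes a `gs` binary on PATH and GNU `sort -V`; it cannot see distribution backports, so a "below" result means "check your vendor advisory", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added example: audit a host's Ghostscript install against the fix version
# named in the article (10.03.1). Assumes GNU sort -V. A distro may backport
# the fix under an older version number, which this check cannot detect.

FIXED_VERSION="10.03.1"

# version_at_least A B -> exit 0 if dotted version A >= B
version_at_least() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

# gs_version_fixed VERSION -> exit 0 if VERSION carries the upstream fix
gs_version_fixed() {
    version_at_least "$1" "$FIXED_VERSION"
}

# devices_include_uniprint LIST -> exit 0 if the whitespace-separated device
# list (the block printed after "Available devices:" by `gs -h`) has uniprint
devices_include_uniprint() {
    printf '%s\n' "$1" | tr -s ' \n' '\n' | grep -qx 'uniprint'
}

# audit_host: inspect the local gs binary, print a verdict, exit 0 if fixed
audit_host() {
    if ! command -v gs >/dev/null 2>&1; then
        echo "gs not on PATH; check bundled copies (e.g. converter delegates)"
        return 0
    fi
    ver=$(gs --version 2>/dev/null)
    # keep the "Available devices:" block up to the next capitalised header
    devs=$(gs -h 2>/dev/null | sed -n '/Available devices:/,/^[A-Z]/p')
    status=0
    if gs_version_fixed "$ver"; then
        echo "gs $ver: at or above $FIXED_VERSION"
    else
        echo "gs $ver: below $FIXED_VERSION; confirm a vendor backport or update"
        status=1
    fi
    if devices_include_uniprint "$devs"; then
        echo "uniprint device is compiled into this build"
    fi
    return $status
}
```

Source the script and run `audit_host`; the exit status is 0 only when the version threshold is met.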
