Ghostscript Flaw Exposes Millions to Remote Code Execution Risk


The Ghostscript PostScript and PDF interpreter, an integral part of most Linux distributions, has been found vulnerable to remote code execution (RCE). Ghostscript is the component many applications lean on to convert and render document formats: ImageMagick, LibreOffice, GIMP, Inkscape, Scribus and the CUPS printing system all call it, often without the user ever seeing its name.

The vulnerability, cataloged as CVE-2024-29510, is a format string flaw in Ghostscript's uniprint output device and affects all versions of Ghostscript up to and including 10.03.0. Its real significance is that it defeats the -dSAFER sandbox, the mode (enabled by default since Ghostscript 9.50) that is supposed to keep a PostScript program from doing anything outside the document it is rendering, in particular file I/O and running shell commands. An attacker who triggers the bug can escape those restrictions and execute commands and read or write files on the host, the exact operations -dSAFER exists to block.

Given how many web applications and services accept user-supplied documents and images and pass them through Ghostscript for conversion, the exposure is extensive. Attackers have been exploiting the flaw by renaming malicious EPS (PostScript) files with a harmless-looking .jpg extension. The extension offers no protection: tools such as ImageMagick identify the format from the file's contents, recognise the PostScript and hand it to Ghostscript, which on a vulnerable system executes the attacker's commands and grants shell access.

Security researchers at Codean Labs, who discovered and reported the vulnerability, have urged users to check which Ghostscript version their systems run and to upgrade to the latest release. Because distributions sometimes backport a fix without changing the reported version number, they have also provided a test file that, when run through the installed Ghostscript, reports whether that specific build is still vulnerable.
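The two checks described above, as an added example that is not part of the article and is not Codean Labs' test file or any Ghostscript code: a version check that flags anything older than 10.03.1 (the first release carrying the fix), and a magic-byte check that rejects an upload whose .jpg name hides PostScript content. The sample file headers are constructed inline; the function names are this example's own.

```python
"""Added example: pre-flight checks for a service that feeds uploads to Ghostscript.

  1. is_vulnerable_version(): does the reported gs version predate 10.03.1,
     the first release that fixes CVE-2024-29510?
  2. content_matches_extension(): does a file that claims to be a JPEG
     actually start with JPEG bytes, or is it EPS/PostScript in disguise?
"""
import re
import shutil
import subprocess

# First Ghostscript release that fixes CVE-2024-29510.
FIXED_VERSION = (10, 3, 1)

# Leading bytes used to identify the real format, regardless of file name.
# JPEG always begins with the SOI marker FF D8 FF. Plain PostScript/EPS
# begins with "%!PS"; the DOS EPS binary wrapper begins with C5 D0 D3 C6.
JPEG_MAGIC = b"\xff\xd8\xff"
PS_MAGIC = b"%!PS"
DOS_EPS_MAGIC = b"\xc5\xd0\xd3\xc6"

# Constructed sample inputs (not real captured files).
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
SAMPLE_DISGUISED_EPS = b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 100 100\n"


def parse_gs_version(output: str):
    """Turn the first dotted version in `gs --version` output into a tuple."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", output)
    if not m:
        raise ValueError(f"no version number in {output!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def is_vulnerable_version(version_output: str) -> bool:
    """True if the reported version predates the 10.03.1 fix.

    A version check alone is not conclusive on distributions that backport
    fixes without bumping the version; use the vendor's test file for those.
    """
    return parse_gs_version(version_output) < FIXED_VERSION


def installed_gs_version():
    """Return the output of `gs --version` if gs is on PATH, else None."""
    gs = shutil.which("gs")
    if gs is None:
        return None
    result = subprocess.run([gs, "--version"], capture_output=True, text=True, check=True)
    return result.stdout.strip()


def classify_header(data: bytes) -> str:
    """Classify a file by its leading bytes: 'jpeg', 'postscript' or 'unknown'."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(PS_MAGIC) or data.startswith(DOS_EPS_MAGIC):
        return "postscript"
    return "unknown"


def content_matches_extension(filename: str, data: bytes) -> bool:
    """Accept a file only if its bytes match what its extension claims.

    A '.jpg' whose bytes are PostScript is exactly the disguise used against
    CVE-2024-29510, so it is rejected before any converter sees it.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = classify_header(data)
    if ext in ("jpg", "jpeg"):
        return kind == "jpeg"
    if ext in ("ps", "eps"):
        return kind == "postscript"
    return False  # any other extension: do not hand it to Ghostscript at all


if __name__ == "__main__":
    out = installed_gs_version()
    if out is None:
        print("gs not found on PATH")
    else:
        state = "VULNERABLE (older than 10.03.1)" if is_vulnerable_version(out) else "at or after 10.03.1"
        print(f"gs {out}: {state}")
    for name, data in (("photo.jpg", SAMPLE_JPEG), ("photo.jpg", SAMPLE_DISGUISED_EPS)):
        verdict = "accepted" if content_matches_extension(name, data) else "rejected"
        print(f"{name}: header says {classify_header(data)} -> {verdict}")
```

The magic-byte check matters because ImageMagick and similar tools select a decoder from the file contents, not the extension, so the only way to keep PostScript away from Ghostscript is to look at the bytes yourself (or to disable the PS/EPS coders in ImageMagick's policy.xml). Neither check replaces the fix: upgrade to Ghostscript 10.03.1 or later.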

Ghostscript's developers shipped the fix in May in version 10.03.1, and Codean Labs published the technical details and a proof-of-concept two months later. The situation is serious because the flaw is being exploited in the wild, which has prompted urgent calls to update to 10.03.1 or later, or to remove Ghostscript from production environments where it is not needed, before systems are compromised.

This situation serves as a chilling reminder of the “ghosts” lurking in seemingly benign software tools. Keeping systems updated and patched is more than just routine maintenance;