A vulnerability affecting the Ghostscript suite of software has been discovered and publicly released . Ghostscript is an open source software based on Adobe Systems' PostScript and is widely used across the Windows, Linux and Apple machines. If exploited the vulnerability could allow a remote, unauthenticated threat actor to run commands, create files and delete or extract data. The exploitation of this vulnerability has not been seen in the wild at this time, but proof of concept code has been released . It is likely that more widespread exploitation attempts will be seen in the near future.
What we’re doing about it
- eSentire Threat Intelligence is monitoring this topic for additional information
- Current esRECON checks identify Ghostscript related vulnerabilities, and will be updated to assist in identifying these specific ones
What you should do about it
- Once patches become available they should be applied as quickly as possible
- Since publishing, Artifex Software has released a series of patches for Ghostscript. https://kb.cert.org/vuls/id/WDON-B3UK3T
This attack is possible due to the implementation of the –dSAFER sandbox. The sandbox is meant to validate content but can be circumvented to allow malicious content through. The attack is carried out by sending a malformed file (PDF, PostScript, XPF or EPS); when the file reaches the Ghostcript interpreter it automatically executes and infects the host machine.
A potential short term fix for this vulnerability is to disable PS, EPS, PDF, and XPS coders. This is not recommended due to the high potential for business disruption. Due to the wide range of programs that rely on Ghostscript this vulnerability should be taken seriously and patches should be applied as soon as vendors make them available.
Known Affected Systems:
- Artifex Software, Inc.
- Debian GNU/Linux
- Fedora Project
- FreeBSD Project
- Red Hat, Inc.
- SUSE Linux
Potentially Affected Systems:
- Arch Linux
- Arista Networks, Inc.
- ASP Linux