[German]A security researcher has developed a proof of concept to exploit a remote code execution vulnerability CVE-2023-36664, rated critical (CVSS score 9.8), in the widely used (for PostScript and PDF displays) GhostScript software. Both Linux and Windows systems are threatened if GhostScript is used before version 10.01.2. On Windows, GhostScript could have entered the system via LibreOffice or Bullzip PDF printers, for example.
Advertising
What is GhostScript?
The GhostScript interpreter was originally developed by Peter Deutsch (commercial license from Artifed Software), but is freely available for Linux, Unix, VMS, Windows, macOS, Mac OS Classic, MSDOS, OS/2, etc. The product allows PostScript and PDF files to be displayed on screens or printers. Therefore it is integrated in many PDF products (in fact in all PDF printers and editors, but also in Gimp & Co.). It becomes critical when security vulnerabilities occur that can be exploited by third-party documents. GhostScript is included in many software packages that generate PDF output.
RCE Vulnerability CVE-2023-36664 in GhostScript
As early as June 11, 2023, Dave Truman of Kroll published the article Proof of Concept Developed for Ghostscript CVE-2023-36664 Code Execution Vulnerability on a vulnerability in GhostScript. The key points of his article, as far as they are of interest for users:
- In Ghostscript before version 10.01.2, there is an RCE vulnerability CVE-2023-36664. leads to code execution. The critical vulnerability (CVSS score 9.8) can be exploited for code execution when opening a file.
- In Linux, GhostScript is usually included in the distribution to enable PDF viewing and PostScript printing (CUPS printing system).
- Windows open source productivity and creativity tools such as Inkscape, ImageMagick, Scribus, LibreOffice, Gimp, etc. use the Ghostscript Windows port.
Artifex Ghostscript incorrectly handles permission checking for pipe devices (with the %pipe% prefix or the | pipe character prefix) in affected versions. The Kroll Cyber Threat Intelligence (CTI) team has developed a usable exploit for this vulnerability and is using it to improve detection.
Users and administrators need to update the version of Ghostscript so that the vulnerability is fixed. Debian maintainers have already released updated versions of the GhostScript library as of July 3, 2023 (see). Other Linux distributions should also have updated versions of GhostScript.
Nutzer und Administratoren müssen die Version von Ghostscript aktualisieren, so dass die Schwachstelle beseitigt wird. Die Maintainer von Debian haben zum 3. Juli 2023 bereits aktualisierte Versionen der GhostScript-Library veröffentlicht (siehe). Bei anderen Linux-Distributionen dürfte GhostScript ebenfalls in aktualisierter Form bereitstehen.
Advertising
As a user or administrator, you should check all applications (especially on Windows) that can somehow process PDF documents to see if they use GhostScript. Then the only thing left to do is to search if there is an update available for the package. Kroll has published Sigma rules on Github that can be used to detect attacks via prepared data.
Microsoft security response center does not assign that cve in their list products.