#VU14690 OS command injection in Ghostscript


Published: 2020-03-18 | Updated: 2021-06-09

Vulnerability identifier: #VU14690

Vulnerability risk: High

CVSSv3.1: 9.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2018-16509

CWE-ID: CWE-78

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Ghostscript
Universal components / Libraries / Libraries used by multiple products

Vendor: Artifex Software, Inc.

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to /invalidaccess checks can be bypassed after a restore failure. A remote unauthenticated attacker can trick the victim into opening a specially crafted PostScript file that submits malicious input and execute arbitrary shell commands.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Note: original fix for this vulnerability was incomplete in version 9.24. Vendor has issued another patch.

Mitigation
Update to version 9.25.

Vulnerable software versions

Ghostscript: 9.00 - 9.24

External links
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=520bb0ea7519aa3e79db78aaf0589dae02103764
http://seclists.org/oss-sec/2018/q3/228

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Dell EMC Data Computing Appliance (DCA)
Amazon Linux AMI update for ghostscript
Red Hat update for Artifex Ghostscript
Debian update for ghostscript
Slackware Linux update for ghostscript
Multiple vulnerabilities in Artifex Ghostscript