
Critical RCE found in popular Ghostscript open-source PDF library


[Image: Tux dressed as a ghost. Picture: Bing Create]

Ghostscript, an open-source interpreter for the PostScript language and PDF files that is widely used in Linux, has been found vulnerable to a critical-severity remote code execution flaw.

The flaw is tracked as CVE-2023-3664, has a CVSS v3 score of 9.8, and affects all versions of Ghostscript before 10.01.2, the latest available version, released three weeks ago.

According to Kroll's analysts, G. Glass and D. Truman, who developed a proof of concept (PoC) exploit for the vulnerability, code execution can be triggered upon opening a malicious, specially crafted file.

Considering that Ghostscript is installed by default in numerous Linux distributions and used by software such as LibreOffice, GIMP, Inkscape, Scribus, ImageMagick, and the CUPS printing system, opportunities to trigger CVE-2023-3664 are plentiful in most cases.

Kroll also notes that the problem affects open-source apps on Windows, too, if they use a port of Ghostscript.

The Ghostscript flaw

The CVE-2023-3664 flaw is related to OS pipes, which allow different applications to exchange data by passing the output of one as the input to another.

The issue arises from the “gp_file_name_reduce()” function in Ghostscript, which appears to take multiple paths and combines and simplifies them by removing relative path references for efficiency.

However, if a specially crafted path is given to the vulnerable function, it may return unexpected results, leading to the validation mechanisms being overridden and to potential exploitation.

Moreover, when Ghostscript attempts to open a file, it uses another function called “gp_validate_path” to check whether its location is safe.

However, because the vulnerable function changes the location details before that second function's check, it is trivial for an attacker to exploit the loophole and force Ghostscript to handle files in locations that should be off-limits.
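The bug class described above is a transformation sitting between a validation check and the actual use of a path: whatever string the check approved is not the string that ends up being opened. The following Python is an added illustration written for this article, not Ghostscript's own code, and it does not reproduce Ghostscript's internals. The helper names (`reduce_path`, `validate_path`, `open_path_unsafe_order`, `open_path_safe_order`), the allowed root directory and the sample paths are all constructed for the demonstration.

```python
"""
Added illustration (not Ghostscript code): why the order of path reduction
and path validation matters. reduce_path() stands in for a file-name
"reduce" step, validate_path() for an allow-list check; both are
hypothetical simplifications and operate on strings only.
"""
from typing import Dict, List, Tuple

ALLOWED_ROOT = "/srv/docs"  # constructed: the only directory reads are permitted from


def reduce_path(path: str) -> str:
    """Lexically collapse '.' and '..' components without touching the file system."""
    parts: List[str] = []
    absolute = path.startswith("/")
    for comp in path.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if parts:
                parts.pop()
            # a '..' that would climb above the root is dropped silently
            continue
        parts.append(comp)
    return ("/" if absolute else "") + "/".join(parts)


def validate_path(path: str) -> bool:
    """Allow-list check: the path must stay inside ALLOWED_ROOT."""
    root = ALLOWED_ROOT.rstrip("/") + "/"
    return path == ALLOWED_ROOT or path.startswith(root)


def open_path_unsafe_order(path: str) -> str:
    """Flawed ordering: validate the caller's raw string, then reduce it.
    The string that was checked is not the string that gets used."""
    if not validate_path(path):
        raise PermissionError(path)
    return reduce_path(path)  # this is what would actually be opened


def open_path_safe_order(path: str) -> str:
    """Correct ordering: reduce first, then validate the exact final string,
    so no later transformation can change the outcome of the check."""
    reduced = reduce_path(path)
    if not validate_path(reduced):
        raise PermissionError(reduced)
    return reduced


def demo() -> Dict[Tuple[str, str], str]:
    """Run both orderings over a benign and a traversal path (constructed inputs)."""
    results: Dict[Tuple[str, str], str] = {}
    samples = ["/srv/docs/report.pdf", "/srv/docs/../../etc/passwd"]
    for p in samples:
        for name, fn in (("unsafe", open_path_unsafe_order), ("safe", open_path_safe_order)):
            try:
                results[(name, p)] = fn(p)
            except PermissionError:
                results[(name, p)] = "denied"
    return results


if __name__ == "__main__":
    for (order, path), outcome in demo().items():
        print(f"{order:6s} {path:32s} -> {outcome}")
```

The unsafe ordering passes the raw traversal path because its prefix looks fine, then reduces it to a location outside the allowed root; the safe ordering rejects it because the check runs on the reduced string. The general rule is that a security check must be applied to the exact value that is subsequently used, with no transformation in between.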

Kroll's analysts created a PoC that is triggered by opening an EPS (Embedded PostScript) file in any application that uses Ghostscript.

In the following demonstration video, the researchers showcase the exploit in Inkscape on Windows, performing actions such as opening the calculator or displaying dialogs to the user.

Linux users are strongly recommended to upgrade to the latest version of Ghostscript, 10.01.2, using their distribution's package manager.

If the latest Ghostscript has not yet been made available in your distribution's software channels, it is recommended to compile it from the source code.

Unfortunately, open-source software on Windows that uses ports of Ghostscript will naturally require more time to move to the latest version of the tool. Hence extra caution is advised with installs on Windows.

To help detect CVE-2023-3664, Kroll has shared Sigma rules in this GitHub repository.
