Upcoming Virtual Event: Cloud Security Summit | July 17 - Register Now
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Attackers Exploiting Remote Code Execution Vulnerability in Ghostscript

Vulnerability in Ghostscript (CVE-2024-29510) allows attackers to bypass sandbox for remote code execution.

Security researchers are raising the alarm on a Ghostscript vulnerability leading to remote code execution that has already been exploited in the wild.

Tracked as CVE-2024-29510 and described as a format string injection in the uniprint device, the security defect could allow an attacker to bypass the -dSAFER sandbox and execute code remotely.

“This vulnerability has significant impact on web-applications and other services offering document conversion and preview functionalities as these often use Ghostscript under the hood,” Codean Labs security researchers, who identified the issue, warn.

A general document conversion toolkit, Ghostscript is commonly used in various applications for processing user-supplied files across Windows, Linux, macOS, and various embedded systems.

The toolkit’s wide use across automated conversion systems has prompted Ghostscript developers to implement a series of sandboxing features to prevent its abuse, and have enabled the -dSAFER sandbox by default for hardening purposes.

Codean Labs discovered and reported six bugs that were addressed in Ghostscript versions 10.03.0 and 10.03.1 over the past several months. These vulnerabilities include CVE-2024-29510, three buffer overflows (CVE-2024-29509, CVE-2024-29506, and CVE-2024-29507), a pointer leak (CVE-2024-29508), and an arbitrary file read/write (CVE-2024-29511).

CVE-2024-29510, Codean explains in a technical writeup, was identified in uniprint, or the “universal printer device”, which supports generating command data for a wide range of printer models by changing configuration parameters.

While the device ensures increased versatility, it also opens the door for attacks, as the user has control over the format string being supplied, as well as read access to the device output, by setting it to a temporary file. This allows an attacker “to leak data from the stack and perform memory corruption”.

Advertisement. Scroll to continue reading.

Codean, which has published proof-of-concept (PoC) code demonstrating the vulnerability, explains that an attacker could bypass the Ghostscript’s -dSAFER sandbox to execute shell commands on the system. The bug can be triggered both with image and document processors.

“We recommend verifying whether your solution (indirectly) makes use of Ghostscript and if so, update it to the latest version,” Codean notes.

The issue was addressed in early May in Ghostscript version 10.03.1, but details were released only last week. However, shortly after Codean’s blog and PoC became public, security researchers raised the alarm on the potentially devastating impact of this bug.

According to GreyNoise’s Bob Rudis, CVE-2024-29510 sounds ‘bad’, as “many automagic document processing pipelines in thousands of orgs” are using Ghostscript.

ReadMe developer Bill Mill says attackers are already exploiting the flaw, which prompts immediate action from organizations and end users alike.

“The best mitigation against this vulnerability is to update your installation of Ghostscript to v10.03.1. If your distribution does not provide the latest Ghostscript version, it might still have released a patch version containing a fix for this vulnerability,” Codean notes.

Related: Hackers Target Vulnerability Found Recently in Long-Discontinued D-Link Routers

Related: Over 380k Hosts Still Referencing Malicious Polyfill Domain: Censys

Related: Splunk Patches High-Severity Vulnerabilities in Enterprise Product

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Craig Boundy has left Experian to join McAfee as President and CEO.

Forcepoint has promoted Ryan Windham from Chief Customer and Strategy Officer to Chief Executive Officer.

ICS and OT cybersecurity solutions provider TXOne Networks appointed Stephen Driggers as its new CRO.

More People On The Move

Expert Insights