RCE bug in widely used Ghostscript library now exploited in attacks

July 8, 2024 at 12:28PM

A critical remote code execution vulnerability (CVE-2024-29510) in Ghostscript, affecting versions 10.03.0 and earlier, is being actively exploited. This flaw enables attackers to bypass the default sandbox and execute high-risk operations. The security researchers at Codean Labs have advised updating or removing Ghostscript to mitigate the risk. Additionally, a PostScript file has been shared to help detect vulnerable systems.

The remote code execution vulnerability is in the Ghostscript document conversion toolkit and impacts various Linux systems and related software such as ImageMagick, LibreOffice, GIMP, and others. Tracked as CVE-2024-29510, the vulnerability allows attackers to bypass security measures and perform high-risk operations using the Ghostscript PostScript interpreter. It is already being actively exploited, with attackers using EPS files disguised as JPG files to gain shell access to vulnerable systems.

Codean Labs security researchers have warned about the significant impact of this vulnerability on web applications and services offering document conversion and preview functionalities. They recommend updating solutions using Ghostscript to the latest version. Additionally, Codean Labs has provided a PostScript file to help detect vulnerable systems.

The Ghostscript development team has patched the security flaw, and Codean Labs published technical details and proof-of-concept exploit code two months later. The best mitigation is to update Ghostscript installations to v10.03.1 or to apply the patches shipped by distributions such as Debian, Ubuntu, and Fedora.
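As an added example (not from the article or from Codean Labs), the sketch below shows two checks a document-conversion service could run: rejecting uploads whose name says JPG but whose leading bytes are PostScript/EPS, and comparing an installed Ghostscript version string (as printed by `gs --version`) against the fixed release v10.03.1. The function names and sample uploads are constructed for illustration.

```python
import os

# Well-known leading bytes of the formats involved.
JPEG_MAGIC = b"\xff\xd8\xff"
PS_MAGIC = b"%!PS"                    # PostScript / EPS text header
DOS_EPS_MAGIC = b"\xc5\xd0\xd3\xc6"   # EPS with a binary (DOS) preview header
IMAGE_EXTS = {".jpg", ".jpeg"}
FIXED_VERSION = (10, 3, 1)            # v10.03.1, the fixed release named above


def sniff(head: bytes) -> str:
    """Classify content from its first bytes, ignoring the file name."""
    if head.startswith(JPEG_MAGIC):
        return "jpeg"
    # Conservative choice: tolerate leading whitespace before the PS header.
    if head.lstrip(b" \t\r\n").startswith(PS_MAGIC) or head.startswith(DOS_EPS_MAGIC):
        return "postscript"
    return "unknown"


def is_disguised_postscript(name: str, head: bytes) -> bool:
    """True when a file named like a JPEG actually carries PostScript/EPS."""
    ext = os.path.splitext(name)[1].lower()
    return ext in IMAGE_EXTS and sniff(head) == "postscript"


def is_vulnerable(version: str) -> bool:
    """True if a version string such as '10.03.0' predates the fixed release."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts + (0,) * (3 - len(parts)) < FIXED_VERSION


# Constructed sample uploads: (file name, first bytes of content).
SAMPLES = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("invoice.jpg", b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\n"),
    ("logo.JPEG", b"\xc5\xd0\xd3\xc6\x1e\x00\x00\x00"),
    ("figure.eps", b"%!PS-Adobe-3.0 EPSF-3.0\n"),
]


def flag_uploads(samples):
    """Return names that should be rejected before reaching a converter."""
    return [name for name, head in samples if is_disguised_postscript(name, head)]


if __name__ == "__main__":
    print("rejected:", flag_uploads(SAMPLES))
    for v in ("10.03.0", "10.03.1", "9.56.1"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
```

A content check like this complements patching and does not replace it; converters that sniff file content themselves will still hand PostScript to Ghostscript regardless of the file name.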

A similar critical RCE flaw (CVE-2023-36664), triggered by opening maliciously crafted files on unpatched systems, was patched by the Ghostscript developers one year ago.