Ghostscript, an open-source interpreter widely used in Linux for handling PostScript language and PDF files, has been discovered to have a critical-severity remote code execution vulnerability.
Tracked as CVE-2023-3664, the flaw affects all versions of Ghostscript prior to 10.01.2, making systems vulnerable to code execution upon opening a specially-crafted file. Given Ghostscript’s prevalence in Linux distributions and its use by popular software like LibreOffice and GIMP, the impact of the vulnerability is significant.
Kroll’s analysts have developed a proof of concept (PoC) exploit for the vulnerability, emphasizing that it also affects open-source applications on Windows utilizing Ghostscript ports.
The flaw arises from the “gp_file_name_reduce()” function, which can return unexpected results when given a malicious path, bypassing validation mechanisms and enabling potential exploitation. Ghostscript’s attempt to open a file using the “gp_validate_path” function is undermined by the vulnerable function, allowing attackers to manipulate file locations and gain unauthorized access.
Kroll’s PoC exploit is triggered by opening an EPS (Embedded Postscript) file in any application using Ghostscript. The researchers demonstrate the exploit in Inkscape on Windows, showcasing actions like opening the calculator or displaying dialogs to the user. Linux users are advised to update to the latest version of Ghostscript (10.01.2) through their distribution’s package manager.
If the latest version is not available, compiling it from the source code is recommended. However, caution is advised for open-source software on Windows that rely on Ghostscript ports, as the migration to the latest version may take time. Kroll has provided Sigma rules on a GitHub repository to assist in detecting the CVE-2023-3664 vulnerability.
