Flash Notice: RCE Vulnerability Found in Open-Source PDF Library Ghostscript

overview

A critical remote code execution vulnerability, tracked as CVE-2023-36664, has been discovered in Ghostscript, an open-source interpreter used for PostScript language and PDF files in Linux. The vulnerability affects all versions of Ghostscript prior to 10.01.2, the most recent release. It has been assigned a CVSS score of 9.8. 

The Cyber Threat Intelligence team at Kroll has reported that CVE-2023-36664 enables code execution due to improper permission validation in Ghostscript when handling pipe devices, specifically those with the %pipe% or | pipe character prefix. This could result in the execution of arbitrary commands. the team developed a proof-of-concept for the vulnerability and discovered that code execution can be triggered when opening malicious, specially crafted files.  

Considering its pre-installation in numerous Linux distributions and widespread usage by popular software such as LibreOffice, GIMP, Inkscape, Scribus, ImageMagick, and the CUPS printing system, there are ample opportunities to trigger CVE-2023-36664 in various scenarios. Also, the issue impacts open-source apps on Windows if the apps are a part of Ghostscript. It is highly recommended that users update systems to the most recent version of Ghostscript.  

avertium's recommendationS

• Ghostscript can be used by applications in a way that may not be immediately apparent. To ensure security, it is advised to inspect applications capable of rendering PDF or EPS files for any Ghostscript usage and promptly apply available patches provided by the vendor. 
  
  
• Consistently apply patches and updates to all endpoints, ensuring they are kept current and protected against known vulnerabilities. 
  
  
• Linux users should upgrade to the latest version of Ghostscript, which is 10.01.2, using their distribution's package manager. 
   
  • If the most recent version of Ghostscript is not yet accessible through your distribution's software channels, it is advised to build it from the source code. 

INDICATORS OF COMPROMISE (IoCs)

At this time, there are no known IoCs associated with CVE-2023-36664. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.   

To detect CVE-2023-36664, see Kroll’s Sigma rules in Github.  

How Avertium is Protecting Our CUSTOMERS

• Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills. See every threat in your attack surface, every device, every entry point, and every vulnerability. Our Attack Surface Management services include:  

• Risk Assessments 
• Pen Testing and Social Engineering  
• Infrastructure Architecture and Integration  
• Zero Trust Network Architecture 
• Vulnerability Management 

• Fusion MXDR is the first MDR offering that fuse together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts. 

SUPPORTING DOCUMENTATION