{"vuid":"VU#332928","idnumber":"332928","name":"Ghostscript contains multiple -dSAFER sandbox bypass vulnerabilities","keywords":["gs","imagemagick","graphicsmagick","postscript","ps","dsafer","sandbox"],"overview":"Ghostscript contains multiple -dSAFER sandbox bypass vulnerabilities, which may allow a remote, unauthenticated attacker to execute arbitrary commands on a vulnerable system.","clean_desc":"Ghostscript contains an optional -dSAFER option, which is supposed to prevent unsafe PostScript operations. Multiple PostScript operations bypass the protections provided by -dSAFER, which can allow an attacker to execute arbitrary commands with arbitrary arguments. This vulnerability can also be exploited in applications that leverage Ghostscript, such as ImageMagick, GraphicsMagick, evince, Okular, Nautilus, and others. Exploit code for this vulnerability is publicly available.","impact":"By causing Ghostscript or a program that leverages Ghostscript to parse a specially-crafted file, a remote, unauthenticated attacker may be able to execute arbitrary commands with the privileges of the Ghostscript code. This action may be triggered with actions as simple as downloading a file from a website.","resolution":"Apply an update: This issue is addressed in Ghostscript version 9.24. Please also consider the following workarounds:","workarounds":"Disable PS, EPS, PDF, and XPS coders in ImageMagick policy.xml: ImageMagick uses Ghostscript by default to process PostScript content. ImageMagick can be controlled via the policy.xml security policy to disable the processing of PS, EPS, PDF, and XPS content. 
For example, this can be done by adding these lines to the <policymap> section of the /etc/ImageMagick/policy.xml file on a RedHat system: <policy domain=\"coder\" rights=\"none\" pattern=\"PS\" /> <policy domain=\"coder\" rights=\"none\" pattern=\"PS2\" /> <policy domain=\"coder\" rights=\"none\" pattern=\"PS3\" /> <policy domain=\"coder\" rights=\"none\" pattern=\"EPS\" /> <policy domain=\"coder\" rights=\"none\" pattern=\"PDF\" /> <policy domain=\"coder\" rights=\"none\" pattern=\"XPS\" /> Check with your vendor for the proper location of this file on your platform. Note that this workaround only mitigates the ImageMagick attack vector to Ghostscript. Remove Ghostscript: Because of the number of different attack vectors to get to Ghostscript and the public availability of exploit code, the most effective protection for this vulnerability is to remove Ghostscript from your system until a fixed version is available. Patch Ghostscript: Artifex software has made the following patches available for Ghostscript: 
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b575e1ec\nhttp://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8e9ce501\nhttp://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=241d9111\nhttp://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c432131c\nhttp://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e01e77a3\nhttp://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0edd3d6c\nhttp://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a054156d\nhttp://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0d390118\nhttp://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c3476dde\nhttp://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b326a716\nhttp://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=78911a01\nhttp://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5516c614\nhttp://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=78911a01b6\nhttp://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5516c614dc33\nhttp://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=79cccf641486\nhttp://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=520bb0ea7519aa3e79db78aaf0589dae02103764","sysaffected":"","thanks":"This vulnerability was publicly disclosed by Tavis Ormandy.","author":"This document was written by Will 
Dormann.","public":["https://ghostscript.com/doc/9.24/History9.htm#Version9.24","http://openwall.com/lists/oss-security/2018/08/21/2","https://bugs.chromium.org/p/project-zero/issues/detail?id=1640","https://www.imagemagick.org/script/security-policy.php","https://www.imagemagick.org/script/resources.php","https://www.ghostscript.com/doc/current/Use.htm#Safer","http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b575e1ec","http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8e9ce501","http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=241d9111","http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c432131c","http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e01e77a3","http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e01e77a3","http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0edd3d6c","http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a054156d","http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0d390118","http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c3476dde","http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b326a716","http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=78911a01","http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5516c614","http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=78911a01b6","http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5516c614dc33","http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=79cccf641486","http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=520bb0ea7519aa3e79db78aaf0589dae02103764"],"cveids":["CVE-2018-16509"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2018-08-21T14:15:38Z","publicdate":"2018-02-21T00:00:00Z","datefirstpublished":"2018-08-21T14:33:40Z","dateupdated":"2019-03-13T19:59:42Z","revision":59,"vrda_d1_directreport":"0","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impa
ct":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"L","cvss_authentication":null,"cvss_confidentialityimpact":"P","cvss_integrityimpact":"P","cvss_availabilityimpact":"P","cvss_exploitablity":null,"cvss_remediationlevel":"W","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"ND","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"7.5","cvss_basevector":"AV:N/AC:L/Au:N/C:P/I:P/A:P","cvss_temporalscore":"6.8","cvss_environmentalscore":"6.75490483120688","cvss_environmentalvector":"CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}