A significant remote code execution (RCE) vulnerability in the Ghostscript document conversion toolkit, a staple in many Linux systems, is now being actively exploited. Ghostscript, a pre-installed component in numerous Linux distributions, is integral to various document conversion tools such as ImageMagick, LibreOffice, GIMP, Inkscape, Scribus, and the CUPS printing system.
Identified as CVE-2024-29510, this format string vulnerability affects all versions of Ghostscript up to and including 10.03.0. This flaw allows attackers to bypass the -dSAFER sandbox (which is enabled by default) because unpatched versions fail to restrict changes to uniprint device argument strings once the sandbox is activated.
The flaw is particularly severe because it enables high-risk operations, such as command execution and file I/O, through the Ghostscript PostScript interpreter, which are exactly the capabilities the sandbox is supposed to block.
This vulnerability poses a serious threat to web applications and other services that provide document conversion and preview functionalities, as these often utilise Ghostscript behind the scenes. It is crucial to verify whether your solutions indirectly use Ghostscript and, if so, update to the latest version.
Codean Labs has provided a PostScript file to help defenders detect whether their systems are vulnerable to CVE-2024-29510 attacks by running it with the following command:
ghostscript -q -dNODISPLAY -dBATCH CVE-2024-29510_testkit.ps
Currently Targeted in Ongoing Attacks
Although the Ghostscript development team addressed the flaw in May, Codean Labs published a detailed write-up with proof-of-concept exploit code two months later. Attackers are now exploiting the CVE-2024-29510 vulnerability using EPS (PostScript) files disguised as JPG images to gain shell access to vulnerable systems.
If Ghostscript is part of your production services, there is a significant risk of remote shell execution attacks. Immediate upgrading or removal of Ghostscript from production systems is crucial.
The recommended mitigation for this vulnerability is to update Ghostscript to version 10.03.1. If your Linux distribution does not offer the latest Ghostscript version, it may have released a patched version to address this vulnerability (e.g., Debian, Ubuntu, Fedora).
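As a complement to patching, the added example below (not from the original article or from Codean Labs) shows how an upload or conversion front end can reject files whose name claims an image format but whose leading bytes are PostScript/EPS, the disguise described above. The extension list, function names and sample bytes are constructed for illustration.

```python
# Added example: flag files named like raster images whose content is
# actually PostScript/EPS, before they reach a Ghostscript-backed converter.
import os

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}   # assumed allow-list of image uploads
JPEG_MAGIC = b"\xff\xd8\xff"                     # JPEG start-of-image marker
EPS_BINARY_MAGIC = b"\xc5\xd0\xd3\xc6"           # DOS EPS binary file header

def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(EPS_BINARY_MAGIC):
        return "postscript"
    # Text PostScript/EPS starts with "%!". Be conservative and also
    # tolerate a UTF-8 BOM or leading whitespace before the marker.
    head = data[:64]
    if head.startswith(b"\xef\xbb\xbf"):
        head = head[3:]
    if head.lstrip(b" \t\r\n").startswith(b"%!"):
        return "postscript"
    return "unknown"

def is_disguised_postscript(filename: str, data: bytes) -> bool:
    """True when the extension claims an image but the bytes are PostScript."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in IMAGE_EXTS and sniff(data) == "postscript"

# Constructed sample inputs (headers only, no real payloads).
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "invoice.jpg": b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\n",
    "scan.jpeg": EPS_BINARY_MAGIC + b"\x1e\x00\x00\x00",
    "figure.eps": b"%!PS-Adobe-3.0 EPSF-3.0\n",   # honest EPS, not a disguise
}

def scan(samples: dict) -> list:
    """Return the names that should be rejected, sorted for stable output."""
    return sorted(n for n, d in samples.items() if is_disguised_postscript(n, d))

if __name__ == "__main__":
    for name in scan(SAMPLES):
        print("reject:", name)
```

A content check like this narrows exposure but does not replace updating Ghostscript, since honest .eps, .ps and .pdf inputs still reach the interpreter.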
This incident follows the patching of another critical RCE vulnerability (CVE-2023-36664) by the Ghostscript developers last year, which was similarly triggered by opening maliciously crafted files on unpatched systems.
Ensure your systems are protected by updating Ghostscript and applying all relevant security patches promptly.