Ghostscript Vulnerability – How to Find Affected Machines

Karl Nordström


A Ghostscript vulnerability could allow attackers to remotely take control of vulnerable systems – affected vendors have yet to issue patches in order to fix this.

The flaws were found by Tavis Ormandy, a Google security researcher in the Project Zero Security Team. The exploit code for this vulnerability is public, making it a serious security vulnerability.

What is InfraSight Labs doing to help solve this?

  • We are closely following this vulnerability and will create Tracker Cases for vScope as patches are released by vendors.
  • We help you identify all vulnerable machines using the guide in this post.

What is the Ghostscript vulnerability?

The vulnerability lies in Ghostscript's optional -dSAFER option. The option was created to protect against unsafe PostScript operations, but it was found that it can be used for the opposite purpose, with Ghostscript itself being used to run code.

If a user opens infected files or directories with Ghostscript, an attacker may be able to run commands and gain the privileges needed to execute library commands, which in turn allows for malicious activity. In other words, if you open an infected file, such as a PDF or EPS, with an application that uses Ghostscript, you could open the door to attackers.

The flaw covers a range of security holes like:

  • Run shell commands of your choice.
  • Create files in directories you’re not supposed to access.
  • Delete files even if you only have read permission.
  • Extract data from files for which you have no permission.

What can I do to protect myself?

There is not yet a practical solution to the Ghostscript vulnerability, but if you really want to take precautions while waiting for patches to be issued, there are two options to choose from. We do not recommend using them, however, since dependent services may stop working. Only do this if you are certain nothing critical will be affected. We recommend waiting for the vendors to issue patches.

Follow this page for updated information about the vulnerability.

Option 1: Update policy.xml to block Ghostscript code from running

Update your policy.xml to block any Ghostscript code from running. Start disabling PS, EPS, PDF and XPS coders in policy.xml by default. This should be done ASAP. -dSAFER is a fragile security boundary, and executing untrusted PostScript should be discouraged.
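To check whether a given policy.xml actually applies Option 1, the following added example (not part of the original post or of vScope) parses a policy file and reports which of the four coders are still usable. policy.xml is ImageMagick's security policy file; the two sample policies are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

REQUIRED = ("PS", "EPS", "PDF", "XPS")  # coders the post says to disable

# Constructed sample policies, not taken from any real host.
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="PS"/>
  <policy domain="coder" rights="read|write" pattern="PDF"/>
</policymap>"""

HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="PS"/>
  <policy domain="coder" rights="none" pattern="EPS"/>
  <policy domain="coder" rights="none" pattern="PDF"/>
  <policy domain="coder" rights="none" pattern="XPS"/>
</policymap>"""


def _alternatives(pattern):
    """Split a brace list such as {PS,EPS} into its glob alternatives."""
    pattern = pattern.strip()
    if pattern.startswith("{") and pattern.endswith("}"):
        return [p.strip() for p in pattern[1:-1].split(",")]
    return [pattern]


def unblocked_coders(policy_xml, required=REQUIRED):
    """Return the required coders that the policy leaves usable."""
    rules = []  # (glob, denies) for every coder rule in the file
    for p in ET.fromstring(policy_xml).iter("policy"):
        if p.get("domain", "").strip().lower() == "coder":
            denies = p.get("rights", "").strip().lower() == "none"
            rules += [(g, denies) for g in _alternatives(p.get("pattern", ""))]
    exposed = []
    for coder in required:
        hits = [denies for glob, denies in rules if fnmatchcase(coder, glob)]
        # Conservative: flag the coder unless every matching rule denies it,
        # so the result does not depend on rule evaluation order.
        if not hits or not all(hits):
            exposed.append(coder)
    return exposed


if __name__ == "__main__":
    print("weak policy leaves usable:", unblocked_coders(WEAK_POLICY))
    print("hardened policy leaves usable:", unblocked_coders(HARDENED_POLICY))
```

An empty result means all four coders are denied; anything else lists the coders that still need a rights="none" rule.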

Option 2: Remove Ghostscript

The guaranteed protection is to simply remove Ghostscript from your systems until a fixed version is released. This could make other services stop working.

How can I find vulnerable machines?

Using vScope makes it easy to find machines affected by the Ghostscript vulnerability. If you wish to list all machines to apply one of the temporary solutions or just keep track of where you are vulnerable until the fix, you can do this with a few clicks in Table Explorer. (We will create tracker cases for identifying machines with unpatched software as vendors start issuing these.)

The list we’ll build will be very useful later on when vendors release patches and it’s time to update the applications.

Listing vulnerable machines with vScope

We are looking for machines with installed applications that use Ghostscript. We can find which known vendors are affected by using this list and then filter the table. I will go through each step.

1. Create New Table – Go to Table Explorer. Since we want to identify which machines are affected, we build a new table with All Machines as a base.

2. Add tag Installed Applications Vendor – Now that we have a fresh table we add the tag Installed Applications Vendor. (Not necessary for filtering but nice to visualize.)

3. Filter on affected Application Vendors – Now we want to filter our table to only show machines that have applications from the affected vendors installed. Find the tag in the filter panel to the right.

4. Filter using RegEx – To easily manage the filter I chose to write it with regular expressions in vScope. I want to list all known affected vendors, so I simply used the list mentioned earlier and added them to the filter command. You can see the RegEx I used below. This makes it easy to keep the filter updated if more vendors need to be added.

RegEx filter:
regex:(?sui).*artifex.*|.*centos.*|.*debian.*|.*fedora.*|.*freebsd.*|.*gentoo.*|.*imagemagick.*|.*red hat.*|.*suse.*|.*synology.*|.*ubuntu.*|.*ghostscript.*

What we’re left with is two machines, meaning that I have two machines in my environment that are vulnerable to the Ghostscript flaw. If you wish to dig deeper you can look at the machines’ property pages to see their related resources.

5. Create a Tracker Case or Widget (Optional) – You can use this table as a basis for a tracker case or a widget to get reminded about the issue. Save the table and click on the dropdown next to save to choose what you want to do.
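To keep the RegEx filter from step 4 maintainable as vendors are added, the following added example (not part of the original post or of vScope) generates the filter string from a keyword list and dry-runs it against a constructed inventory. It assumes the filter must match the whole vendor value and uses Python's `re` to stand in for vScope's regex engine; the function names and inventory are hypothetical.

```python
import re

# Vendor keywords in the order they appear in the post's filter.
VENDORS = ["artifex", "centos", "debian", "fedora", "freebsd", "gentoo",
           "imagemagick", "red hat", "suse", "synology", "ubuntu", "ghostscript"]

# Constructed inventory: machine name -> Installed Applications Vendor values.
INVENTORY = {
    "web01": ["Red Hat, Inc.", "Oracle Corporation"],
    "ws-042": ["Artifex Software Inc.", "Microsoft Corporation"],
    "nas01": ["Synology Inc."],
    "db01": ["Microsoft Corporation"],
}


def build_filter(vendors):
    """Build the 'regex:' filter string used in step 4 from plain keywords."""
    for v in vendors:
        # Keywords go into the pattern unescaped, so allow only literal text.
        if not re.fullmatch(r"[A-Za-z0-9 ]+", v):
            raise ValueError("keyword contains regex metacharacters: %r" % v)
    return "regex:(?sui)" + "|".join(".*%s.*" % v for v in vendors)


def affected(inventory, filter_string):
    """Return {machine: [matching vendor values]} for machines that match."""
    pattern = re.compile(filter_string[len("regex:"):])
    hits = {}
    for machine, vendor_values in inventory.items():
        matched = [v for v in vendor_values if pattern.fullmatch(v)]
        if matched:
            hits[machine] = matched
    return hits


if __name__ == "__main__":
    flt = build_filter(VENDORS)
    print(flt)
    for machine, vendors in affected(INVENTORY, flt).items():
        print(machine, "->", ", ".join(vendors))
```

A hit only shows that an application from a listed vendor is installed; confirming the Ghostscript package and its version on that machine is a separate check.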

Conclusion

As vendors are working on fixing their vulnerabilities, there’s not much more we can do than to sit tight and wait. There are temporary fixes, but they can also be risky. By knowing which machines are at risk we can take some precautions, like not opening random PDF files on affected machines.

Currently it’s best to be aware of the issue and inform your colleagues of what’s happening and be cautious until vendors have issued patches.

We will keep following this issue and create Tracker cases for the patches as they are released, though it’s up to each vendor when these are released.

Updates

Artifex Software Inc. – Has made a fix for the vulnerability that will be released in late September. You can apply the security fixes yourself.

2018-09-18T13:06:44+00:00