Amazon Linux 2 : ghostscript (ALAS-2018-1088)

High Nessus Plugin ID 118043

Synopsis

The remote Amazon Linux 2 host is missing a security update.

Description

It was discovered that the ghostscript .shfill operator did not
properly validate certain types. An attacker could possibly exploit
this to bypass the -dSAFER protection and crash ghostscript or,
possibly, execute arbitrary code in the ghostscript context via a
specially crafted PostScript document. (CVE-2018-15909)

An issue was discovered in Artifex Ghostscript before 9.24. A type
confusion in 'ztype' could be used by remote attackers able to supply
crafted PostScript to crash the interpreter or possibly have
unspecified other impact. (CVE-2018-16511)

An issue was discovered in Artifex Ghostscript before 9.24. The
.setdistillerkeys PostScript command is accepted even though it is not
intended for use during document processing (e.g., after the startup
phase). This leads to memory corruption, allowing remote attackers
able to supply crafted PostScript to crash the interpreter or possibly
have unspecified other impact. (CVE-2018-16585)

It was discovered that the ghostscript PDF14 compositor did not
properly handle the copying of a device. An attacker could possibly
exploit this to bypass the -dSAFER protection and crash ghostscript
or, possibly, execute arbitrary code in the ghostscript context via a
specially crafted PostScript document. (CVE-2018-16540)

It was discovered that the ghostscript device cleanup did not properly
handle devices replaced with a null device. An attacker could possibly
exploit this to bypass the -dSAFER protection and crash ghostscript
or, possibly, execute arbitrary code in the ghostscript context via a
specially crafted PostScript document. (CVE-2018-16541)

It was discovered that ghostscript did not properly restrict
access to files opened prior to enabling the -dSAFER mode. An attacker
could possibly exploit this to bypass the -dSAFER protection and
disclose the content of affected files via a specially crafted
PostScript document. (CVE-2018-16539)

An issue was discovered in Artifex Ghostscript before 9.25. Incorrect
'restoration of privilege' checking when running out of stack during
exception handling could be used by attackers able to supply crafted
PostScript to execute code using the 'pipe' instruction. This is due
to an incomplete fix for CVE-2018-16509. (CVE-2018-16802)

It was discovered that ghostscript did not properly handle certain
stack overflow error conditions. An attacker could possibly exploit
this to bypass the -dSAFER protection and crash ghostscript or,
possibly, execute arbitrary code in the ghostscript context via a
specially crafted PostScript document. (CVE-2018-16542)

Ghostscript did not honor the -dSAFER option when executing the
'status' instruction, which can be used to retrieve information such
as a file's existence and size. A specially crafted PostScript
document could use this flaw to gain information on the targeted
system's filesystem content. (CVE-2018-11645)

It was discovered that ghostscript did not properly validate the
operands passed to the setcolor function. An attacker could possibly
exploit this to bypass the -dSAFER protection and crash ghostscript
or, possibly, execute arbitrary code in the ghostscript context via a
specially crafted PostScript document. (CVE-2018-16513)

It was discovered that the type of the LockDistillerParams parameter
is not properly verified. An attacker could possibly exploit this to
bypass the -dSAFER protection and crash ghostscript or, possibly,
execute arbitrary code in the ghostscript context via a specially
crafted PostScript document. (CVE-2018-15910)

It was discovered that the ghostscript /invalidaccess checks fail
under certain conditions. An attacker could possibly exploit this to
bypass the -dSAFER protection and, for example, execute arbitrary
shell commands via a specially crafted PostScript
document. (CVE-2018-16509)

It was discovered that ghostscript did not properly verify the key
used in aesdecode. An attacker could possibly exploit this to bypass
the -dSAFER protection and crash ghostscript or, possibly, execute
arbitrary code in the ghostscript context via a specially crafted
PostScript document. (CVE-2018-15911)

It was discovered that the ghostscript .tempfile function did not
properly handle file permissions. An attacker could possibly exploit
this to bypass the -dSAFER protection and delete files
or disclose their content via a specially crafted PostScript
document. (CVE-2018-15908)

Solution

Run 'yum update ghostscript' to update your system.

See Also

https://alas.aws.amazon.com/AL2/ALAS-2018-1088.html

Plugin Details

Severity: High

ID: 118043

File Name: al2_ALAS-2018-1088.nasl

Version: 1.3

Type: local

Agent: unix

Published: 2018/10/11

Modified: 2018/10/31

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 9.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS v3.0

Base Score: 7.8

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:amazon:linux:ghostscript, p-cpe:/a:amazon:linux:ghostscript-cups, p-cpe:/a:amazon:linux:ghostscript-debuginfo, p-cpe:/a:amazon:linux:ghostscript-devel, p-cpe:/a:amazon:linux:ghostscript-doc, p-cpe:/a:amazon:linux:ghostscript-gtk, cpe:/o:amazon:linux:2

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2018/10/10

Exploitable With

Metasploit (Ghostscript Failed Restore Command Execution)

Reference Information

CVE: CVE-2018-11645, CVE-2018-15908, CVE-2018-15909, CVE-2018-15910, CVE-2018-15911, CVE-2018-16509, CVE-2018-16511, CVE-2018-16513, CVE-2018-16539, CVE-2018-16540, CVE-2018-16541, CVE-2018-16542, CVE-2018-16585, CVE-2018-16802

ALAS: 2018-1088