Amazon Linux 2 : ghostscript (ALAS-2021-1598)

critical Nessus Plugin ID 146633

Synopsis

The remote Amazon Linux 2 host is missing a security update.

Description

The version of ghostscript installed on the remote host is prior to 9.25-5. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2021-1598 advisory.

- Artifex Ghostscript before 9.25 allowed a user-writable error exception table, which could be used by remote attackers able to supply crafted PostScript to potentially overwrite or replace error handlers to inject code. (CVE-2018-17183)

- Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protection mechanism via vectors involving errorhandler setup. NOTE: this issue exists because of an incomplete fix for CVE-2018-17183.
(CVE-2018-17961)

- Artifex Ghostscript allows attackers to bypass a sandbox protection mechanism by leveraging exposure of system operators in the saved execution stack in an error object. (CVE-2018-18073)

- Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protection mechanism via vectors involving the 1Policy operator. (CVE-2018-18284)

- In Artifex Ghostscript through 9.25, the setpattern operator did not properly validate certain types. A specially crafted PostScript document could exploit this to crash Ghostscript or, possibly, execute arbitrary code in the context of the Ghostscript process. This is a type confusion issue because of failure to check whether the Implementation of a pattern dictionary was a structure type. (CVE-2018-19134)

- An issue was discovered in Artifex Ghostscript before 9.26. LockSafetyParams is not checked correctly if another device is used. (CVE-2018-19409)

- psi/zdevice2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because available stack space is not checked when the device remains the same.
(CVE-2018-19475)

- psi/zicc.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because of a setcolorspace type confusion. (CVE-2018-19476)

- psi/zfjbig2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because of a JBIG2Decode type confusion. (CVE-2018-19477)

- A flaw was found in, ghostscript versions prior to 9.50, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14811)

- A flaw was found in all ghostscript versions 9.x before 9.50, in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14812)

- A flaw was found in ghostscript, versions 9.x before 9.50, in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14813)

- A flaw was found in, ghostscript versions prior to 9.50, in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14817)

- A flaw was found in all versions of ghostscript 9.x before 9.50, where the `.charkeys` procedure, where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges within the Ghostscript and access files outside of restricted areas or execute commands.
(CVE-2019-14869)

- It was found that the superexec operator was available in the internal dictionary in ghostscript before 9.27. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER. (CVE-2019-3835)

- It was found that the forceput operator could be extracted from the DefineResource method in ghostscript before 9.27. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER. (CVE-2019-3838)

- It was found that in ghostscript some privileged operators remained accessible from various places after the CVE-2019-6116 fix. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER. Ghostscript versions before 9.27 are vulnerable. (CVE-2019-3839)

- In Artifex Ghostscript through 9.26, ephemeral or transient procedures can allow access to system operators, leading to remote code execution. (CVE-2019-6116)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Run 'yum update ghostscript' to update your system.

See Also

https://alas.aws.amazon.com/AL2/ALAS-2021-1598.html

https://access.redhat.com/security/cve/CVE-2018-17183

https://access.redhat.com/security/cve/CVE-2018-17961

https://access.redhat.com/security/cve/CVE-2018-18073

https://access.redhat.com/security/cve/CVE-2018-18284

https://access.redhat.com/security/cve/CVE-2018-19134

https://access.redhat.com/security/cve/CVE-2018-19409

https://access.redhat.com/security/cve/CVE-2018-19475

https://access.redhat.com/security/cve/CVE-2018-19476

https://access.redhat.com/security/cve/CVE-2018-19477

https://access.redhat.com/security/cve/CVE-2019-14811

https://access.redhat.com/security/cve/CVE-2019-14812

https://access.redhat.com/security/cve/CVE-2019-14813

https://access.redhat.com/security/cve/CVE-2019-14817

https://access.redhat.com/security/cve/CVE-2019-14869

https://access.redhat.com/security/cve/CVE-2019-3835

https://access.redhat.com/security/cve/CVE-2019-3838

https://access.redhat.com/security/cve/CVE-2019-3839

https://access.redhat.com/security/cve/CVE-2019-6116

Plugin Details

Severity: Critical

ID: 146633

File Name: al2_ALAS-2021-1598.nasl

Version: 1.4

Type: local

Agent: unix

Published: 2/19/2021

Updated: 7/5/2021

Supported Sensors: Frictionless Assessment Agent, Frictionless Assessment AWS, Nessus Agent

Risk Information

CVSS Score Source: CVE-2019-14813

VPR

Risk Factor: High

Score: 8.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: E:H/RL:OF/RC:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:amazon:linux:ghostscript, p-cpe:/a:amazon:linux:ghostscript-cups, p-cpe:/a:amazon:linux:ghostscript-debuginfo, p-cpe:/a:amazon:linux:ghostscript-doc, p-cpe:/a:amazon:linux:ghostscript-gtk, p-cpe:/a:amazon:linux:libgs, p-cpe:/a:amazon:linux:libgs-devel, cpe:/o:amazon:linux:2

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/17/2021

Vulnerability Publication Date: 9/19/2018

Reference Information

CVE: CVE-2018-17183, CVE-2018-17961, CVE-2018-18073, CVE-2018-18284, CVE-2018-19134, CVE-2018-19409, CVE-2018-19475, CVE-2018-19476, CVE-2018-19477, CVE-2019-3835, CVE-2019-3838, CVE-2019-3839, CVE-2019-6116, CVE-2019-14811, CVE-2019-14812, CVE-2019-14813, CVE-2019-14817, CVE-2019-14869

BID: 105990, 106154, 106278, 106700, 107451, 107452, 107494, 107520, 107855, 108441

ALAS: 2021-1598