Amazon Linux 2 : ghostscript (ALAS-2021-1598)

critical Nessus Plugin ID 146633

Synopsis

The remote Amazon Linux 2 host is missing a security update.

Description

The version of ghostscript installed on the remote host is prior to 9.25-5. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2021-1598 advisory. Note that the fixed Amazon Linux 2 package keeps the upstream 9.25 version number and carries the fixes as backported patches, so the upstream ranges quoted in the CVE entries below ("before 9.26", "before 9.27", "before 9.50") cannot be applied directly to the distribution package's version string; the relevant comparison is against the package version-release (9.25-5), not the upstream release.

- Artifex Ghostscript before 9.25 allowed a user-writable error exception table, which could be used by remote attackers able to supply crafted PostScript to potentially overwrite or replace error handlers to inject code. (CVE-2018-17183)

- Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protection mechanism via vectors involving errorhandler setup. NOTE: this issue exists because of an incomplete fix for CVE-2018-17183. (CVE-2018-17961)

- Artifex Ghostscript allows attackers to bypass a sandbox protection mechanism by leveraging exposure of system operators in the saved execution stack in an error object. (CVE-2018-18073)

- Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protection mechanism via vectors involving the 1Policy operator. (CVE-2018-18284)

- In Artifex Ghostscript through 9.25, the setpattern operator did not properly validate certain types. A specially crafted PostScript document could exploit this to crash Ghostscript or, possibly, execute arbitrary code in the context of the Ghostscript process. This is a type confusion issue because of failure to check whether the Implementation of a pattern dictionary was a structure type. (CVE-2018-19134)

- An issue was discovered in Artifex Ghostscript before 9.26. LockSafetyParams is not checked correctly if another device is used. (CVE-2018-19409)

- psi/zdevice2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because available stack space is not checked when the device remains the same. (CVE-2018-19475)

- psi/zicc.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because of a setcolorspace type confusion. (CVE-2018-19476)

- psi/zfjbig2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because of a JBIG2Decode type confusion. (CVE-2018-19477)

- A flaw was found in ghostscript versions prior to 9.50, in the .pdf_hook_DSC_Creator procedure, where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14811)

- A flaw was found in all ghostscript versions 9.x before 9.50, in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14812)

- A flaw was found in ghostscript, versions 9.x before 9.50, in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14813)

- A flaw was found in ghostscript versions prior to 9.50, in the .pdfexectoken and other procedures, where they did not properly secure their privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14817)

- A flaw was found in all versions of ghostscript 9.x before 9.50, in the `.charkeys` procedure, where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that escalates privileges within Ghostscript and accesses files outside of restricted areas or executes commands. (CVE-2019-14869)

- It was found that the superexec operator was available in the internal dictionary in ghostscript before 9.27. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constraints imposed by -dSAFER. (CVE-2019-3835)

- It was found that the forceput operator could be extracted from the DefineResource method in ghostscript before 9.27. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constraints imposed by -dSAFER. (CVE-2019-3838)

- It was found that in ghostscript some privileged operators remained accessible from various places after the CVE-2019-6116 fix. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constraints imposed by -dSAFER. Ghostscript versions before 9.27 are vulnerable. (CVE-2019-3839)

- In Artifex Ghostscript through 9.26, ephemeral or transient procedures can allow access to system operators, leading to remote code execution. (CVE-2019-6116)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Run 'yum update ghostscript' to update your system. Any long-running process that has already loaded the old libgs shared library keeps the vulnerable code in memory until it is restarted.
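Because the plugin (and the advisory) decide purely on package version, the check worth reproducing on your own hosts is the EVR comparison: is each affected package's epoch:version-release older than 9.25-5 under RPM's segment-wise ordering? The script below is an added example, not Tenable's NASL code or Amazon's tooling. It reimplements rpm's rpmvercmp ordering in Python, reads lines in the shape produced by `rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n'` (rpm prints "(none)" for an unset epoch), and flags the package names from this page's CPE list. The fixed EVR 0:9.25-5 comes from the Description above; the sample rpm output is constructed for the example and its version-release strings are illustrative, not a statement of which Amazon Linux 2 builds actually shipped. On a real host, pipe the rpm command's output into `find_vulnerable`, and after updating, `rpm -q --changelog ghostscript` lets you confirm whether the backported fix is recorded in the package changelog.

```python
"""Added example: reproduce the version-only check this plugin performs
for ALAS-2021-1598 using RPM's own version ordering (rpmvercmp)."""
import re

def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 like rpm's rpmvercmp(): split both strings into runs of
    digits or letters, compare run by run (numeric runs compare as integers and
    beat alphabetic runs), '~' sorts before everything including end-of-string,
    '^' sorts after end-of-string but before any further segment."""
    if a == b:
        return 0
    one, two = a, b
    while one or two:
        # Separators (anything that is not alnum, '~' or '^') are skipped.
        one = re.sub(r"^[^a-zA-Z0-9~^]+", "", one)
        two = re.sub(r"^[^a-zA-Z0-9~^]+", "", two)
        if one.startswith("~") or two.startswith("~"):
            if not one.startswith("~"):
                return 1
            if not two.startswith("~"):
                return -1
            one, two = one[1:], two[1:]
            continue
        if one.startswith("^") or two.startswith("^"):
            if not one:
                return -1
            if not two:
                return 1
            if not one.startswith("^"):
                return 1
            if not two.startswith("^"):
                return -1
            one, two = one[1:], two[1:]
            continue
        if not one or not two:
            break
        if one[0].isdigit():
            pat, isnum = r"^[0-9]+", True
        else:
            pat, isnum = r"^[a-zA-Z]+", False
        seg1 = re.match(pat, one).group(0)
        m2 = re.match(pat, two)
        seg2 = m2.group(0) if m2 else ""
        if not seg2:
            # Segment types differ: a numeric segment is newer than an alphabetic one.
            return 1 if isnum else -1
        one, two = one[len(seg1):], two[len(seg2):]
        if isnum:
            seg1, seg2 = seg1.lstrip("0"), seg2.lstrip("0")
            if len(seg1) != len(seg2):
                return 1 if len(seg1) > len(seg2) else -1
        if seg1 != seg2:
            return 1 if seg1 > seg2 else -1
    if not one and not two:
        return 0
    return 1 if one else -1

def evr_cmp(installed: tuple, fixed: tuple) -> int:
    """Compare (epoch, version, release): epoch as an integer first, then
    version, then release, each with rpmvercmp."""
    e1, v1, r1 = installed
    e2, v2, r2 = fixed
    if e1 != e2:
        return 1 if e1 > e2 else -1
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)

def parse_rpm_line(line: str) -> tuple:
    """Parse one line of `rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\\n'`.
    rpm prints '(none)' when no epoch is set; that counts as epoch 0."""
    name, epoch, version, release = line.split()
    return name, (0 if epoch == "(none)" else int(epoch), version, release)

# Fixed EVR stated on this page (no epoch). Amazon appends its own ".amzn2..."
# suffix to the release, which rpmvercmp orders after a bare "5".
FIXED_EVR = (0, "9.25", "5")
# Package names from this page's CPE list.
AFFECTED = {"ghostscript", "ghostscript-cups", "ghostscript-debuginfo",
            "ghostscript-doc", "ghostscript-gtk", "libgs", "libgs-devel"}

def find_vulnerable(rpm_lines, fixed_evr=FIXED_EVR, affected=AFFECTED) -> list:
    """Return [(name, 'E:V-R'), ...] for affected packages older than the fix."""
    hits = []
    for line in rpm_lines:
        if not line.strip():
            continue
        name, evr = parse_rpm_line(line)
        if name in affected and evr_cmp(evr, fixed_evr) < 0:
            hits.append((name, f"{evr[0]}:{evr[1]}-{evr[2]}"))
    return hits

# Constructed sample output for the example; the release strings are illustrative.
SAMPLE_RPM_OUTPUT = """\
ghostscript (none) 9.25 2.amzn2.0.1
libgs (none) 9.25 2.amzn2.0.1
ghostscript-cups (none) 9.25 5.amzn2.0.3
bash (none) 4.2.46 34.amzn2
"""

if __name__ == "__main__":
    for name, evr in find_vulnerable(SAMPLE_RPM_OUTPUT.splitlines()):
        print(f"VULNERABLE {name} {evr} < 0:9.25-5 (ALAS-2021-1598)")
```

Like the plugin itself, this only compares version strings; it does not exercise any of the listed `-dSAFER` bypasses, so a host whose packages compare older is reported regardless of whether Ghostscript is actually reachable with untrusted PostScript.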

See Also

https://alas.aws.amazon.com/AL2/ALAS-2021-1598.html

https://access.redhat.com/security/cve/CVE-2018-17183

https://access.redhat.com/security/cve/CVE-2018-17961

https://access.redhat.com/security/cve/CVE-2018-18073

https://access.redhat.com/security/cve/CVE-2018-18284

https://access.redhat.com/security/cve/CVE-2018-19134

https://access.redhat.com/security/cve/CVE-2018-19409

https://access.redhat.com/security/cve/CVE-2018-19475

https://access.redhat.com/security/cve/CVE-2018-19476

https://access.redhat.com/security/cve/CVE-2018-19477

https://access.redhat.com/security/cve/CVE-2019-14811

https://access.redhat.com/security/cve/CVE-2019-14812

https://access.redhat.com/security/cve/CVE-2019-14813

https://access.redhat.com/security/cve/CVE-2019-14817

https://access.redhat.com/security/cve/CVE-2019-14869

https://access.redhat.com/security/cve/CVE-2019-3835

https://access.redhat.com/security/cve/CVE-2019-3838

https://access.redhat.com/security/cve/CVE-2019-3839

https://access.redhat.com/security/cve/CVE-2019-6116

Plugin Details

Severity: Critical

ID: 146633

File Name: al2_ALAS-2021-1598.nasl

Version: 1.4

Type: local

Agent: unix

Published: 2/19/2021

Updated: 7/5/2021

Dependencies: ssh_get_info.nasl

Risk Information

CVSS Score Source: CVE-2019-14813

VPR

Risk Factor: High

Score: 8.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: E:H/RL:OF/RC:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:amazon:linux:ghostscript, p-cpe:/a:amazon:linux:ghostscript-cups, p-cpe:/a:amazon:linux:ghostscript-debuginfo, p-cpe:/a:amazon:linux:ghostscript-doc, p-cpe:/a:amazon:linux:ghostscript-gtk, p-cpe:/a:amazon:linux:libgs, p-cpe:/a:amazon:linux:libgs-devel, cpe:/o:amazon:linux:2

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/17/2021

Vulnerability Publication Date: 9/19/2018

Reference Information

CVE: CVE-2018-17183, CVE-2018-17961, CVE-2018-18073, CVE-2018-18284, CVE-2018-19134, CVE-2018-19409, CVE-2018-19475, CVE-2018-19476, CVE-2018-19477, CVE-2019-3835, CVE-2019-3838, CVE-2019-3839, CVE-2019-6116, CVE-2019-14811, CVE-2019-14812, CVE-2019-14813, CVE-2019-14817, CVE-2019-14869

BID: 105990, 106154, 106278, 106700, 107451, 107452, 107494, 107520, 107855, 108441

ALAS: 2021-1598