Ghostscript .buildfont1 –dSAFER Sandbox Bypass Vulnerability

Ghostscript .buildfont1 –dSAFER Sandbox Bypass Vulnerability

September 6, 2019 | Mina Hao
  1. Vulnerability Overview

Ghostscript is a suite of software based on an interpreter for Adobe System’s PostScript and Portable Document Format (PDF) page description languages. It is widely used as a raster image processor (RIP) for raster computer printers. Currently, it has been ported from Linux to other operating systems, including UNIX, Mac OS X, VMS, Windows, OS/2, and Mac OS classic.

On August 2, 2019, Artifex officially submitted a fix for the merged Bug 701394 (protect use of .forceput with executeonly) on the master branch of Ghostscript, designed to fix the -dSAFER sandbox bypass vulnerability (CVE-2019-10216). -dSAFER is a security sandbox used by Ghostscript for prevention of insecure PostScript operations. The CVE-2019-10216 vulnerability is caused by the .buildfont1 procedure that does not properly secure its privileged calls, allowing attackers to bypass -dSAFER restrictions via a crafted PostScript file, thus escalating privileges and accessing files outside of restricted areas.

Applications like ImageMagick that use Ghostscript to process PostScript contents by default are affected by this vulnerability.

References:

  • https://access.redhat.com/security/cve/cve-2019-10216
  • https://www.openwall.com/lists/oss-security/2019/08/12/4
  1. Scope of Impact

This vulnerability affects all applications that use Ghostscript to process PostScript contents.

Affected Ghostscript versions:

  • Ghostscript before commit 5b85ddd19a8420a1bd2d5529325be35d78e94234

Unaffected Ghostscript versions:

  • Ghostscript commit 5b85ddd19a8420a1bd2d5529325be35d78e94234 and later
  1. Recommended Solution

Official Fix

Currently, there has been no official release to fix this vulnerability. Users can use git commands to update their installations to commit 5b85ddd19a8420a1bd2d5529325be35d78e94234 or later, or directly pull the master branch code to protect against this vulnerability.

http://git.ghostscript.com/?p=ghostpdl.git;a=summary

Red Hat and Debian distributions have both fixed this vulnerability.

Note: As official technical support is no longer available for Red Hat Enterprise Linux 5 (ghostscript) and Red Hat Enterprise Linux 6 (ghostscript), related users are advised to take temporary measures described in section 3.2 against this vulnerability.

Workaround

If users cannot upgrade to the fixed version for the time being, they can protect against this vulnerability by using a security policy on ImageMagick. ImageMagick uses Ghostscript by default as the interpreter to process PostScript contents. Therefore, users can configure a security policy.xml on the ImageMagick component to disable PS, EPS, PDF, and XPS coders. Users can modify the policy configuration file of ImageMagick by adding the following code to <policymap> in the /etc/ImageMagick/policy.xml directory (default location of the policy configuration file).

<policymap>

<policy domain=”coder” rights=”none” pattern=”PS” />

<policy domain=”coder” rights=”none” pattern=”EPS” />

<policy domain=”coder” rights=”none” pattern=”PDF” />

<policy domain=”coder” rights=”none” pattern=”XPS” />

</policymap>

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA).

A wholly owned subsidiary of NSFOCUS Information Technology Co. Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.