The Download
A vulnerability in GhostScript that went largely unnoticed is now being understood to be a major vulnerability in many web services that can lead to web server compromise. GhostScript is a common Unix utility called to generate and render PDF documents and previews. On many cloud and web services it is called behind the scenes to render previews of documents. The vulnerability (CVE-2024-29510) is a format string error bug that can be exploited for remote code execution even bypassing the sandbox the software normally runs in. A Dutch researcher, Thomas Rinsma, developed proof-of-concept (PoC) code that exploits the vulnerability, bypasses the -dSAFER sandbox the process normally runs in, and achieves remote code execution. Because GhostScript is a widespread utility on many web services, this presents an attractive attack surface for adversaries.
What You Can Do
Since GhostScript is often run on web servers, it presents an attractive attack surface. We find in practice many firms are not scanning their web services because it is often outsourced to another group. However, web services provide a rich attack surface for adversaries and it is often considered the front door to your company and brand.
Fortunately, a patch to this vulnerability exists. Upgrading GhostScript to version 10.03.1 or later will fix this bug. Your first priority is to know whether or not you have this attack surface visible to adversaries, and then to patch it. ThreatMate automated pen testing as a service (PTaaS) will pen test your web services for vulnerabilities.
To Learn More: