CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS2: 9.3 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS: 0.973 High
Percentile: 99.9%
Ghostscript contains multiple -dSAFER sandbox bypass vulnerabilities, which may allow a remote, unauthenticated attacker to execute arbitrary commands on a vulnerable system.
Ghostscript contains an optional -dSAFER option, which is supposed to prevent unsafe PostScript operations. Multiple PostScript operations bypass the protections provided by -dSAFER, which can allow an attacker to execute arbitrary commands with arbitrary arguments. This vulnerability can also be exploited in applications that leverage Ghostscript, such as ImageMagick, GraphicsMagick, evince, Okular, Nautilus, and others.
Exploit code for this vulnerability is publicly available.
By causing Ghostscript or a program that leverages Ghostscript to parse a specially-crafted file, a remote, unauthenticated attacker may be able to execute arbitrary commands with the privileges of the Ghostscript code. This may be triggered by something as simple as downloading a file from a website.
Apply an update
This issue is addressed in Ghostscript version 9.24. Please also consider the following workarounds:
Disable PS, EPS, PDF, and XPS coders in ImageMagick policy.xml
ImageMagick uses Ghostscript by default to process PostScript content. ImageMagick can be controlled via the policy.xml security policy to disable the processing of PS, EPS, PDF, and XPS content. For example, this can be done by adding these lines to the <policymap> section of the /etc/ImageMagick/policy.xml file on a RedHat system:
<policy domain="coder" rights="none" pattern="PS" />
<policy domain="coder" rights="none" pattern="PS2" />
<policy domain="coder" rights="none" pattern="PS3" />
<policy domain="coder" rights="none" pattern="EPS" />
<policy domain="coder" rights="none" pattern="PDF" />
<policy domain="coder" rights="none" pattern="XPS" />
Check with your vendor for the proper location of this file on your platform. Note that this workaround only mitigates the ImageMagick attack vector to Ghostscript.
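A check for the workaround above, as an added example that is not part of the original advisory: it parses a policy.xml and reports whether each of the six coders is disabled. The sample policy is constructed; counting any rights-granting rule for a coder as "granted" regardless of rule order, and case-sensitive glob matching with {A,B} alternation, are assumptions of this example.

```python
import fnmatch
import re
import sys
import xml.etree.ElementTree as ET

# Coders named in the workaround above.
REQUIRED = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS")

# Constructed sample: XPS is only present in a comment, PDF is re-enabled later.
SAMPLE = """<policymap>
  <!-- <policy domain="coder" rights="none" pattern="XPS" /> -->
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS}" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="read|write" pattern="PDF" />
</policymap>"""

def expand_braces(pattern):
    """Expand {A,B,C} alternation into a list of plain glob patterns."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand_braces(head + alt.strip() + tail))
    return out

def matches(pattern, coder):
    """True if the policy pattern covers the coder name (assumed case-sensitive)."""
    return any(fnmatch.fnmatchcase(coder, p) for p in expand_braces(pattern))

def audit_policy(xml_text):
    """Map each required coder to 'disabled', 'granted' or 'missing'."""
    root = ET.fromstring(xml_text)  # XML comments are not parsed as rules
    rules = [(p.get("pattern", ""), p.get("rights", "").strip().lower())
             for p in root.iter("policy")
             if p.get("domain", "").lower() == "coder"]
    result = {}
    for coder in REQUIRED:
        hits = [rights for pattern, rights in rules if matches(pattern, coder)]
        if not hits:
            result[coder] = "missing"      # no rule mentions this coder
        elif all(r == "none" for r in hits):
            result[coder] = "disabled"     # every matching rule denies it
        else:
            result[coder] = "granted"      # some rule grants rights (conservative)
    return result

if __name__ == "__main__":
    # Pass a policy.xml path as the first argument; otherwise audit the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for coder, state in audit_policy(text).items():
        print(f"{coder}: {state}")
```

Any coder reported as "missing" or "granted" can still reach Ghostscript through ImageMagick.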
Remove Ghostscript
Because of the number of different attack vectors to get to Ghostscript and the public availability of exploit code, the most effective protection for this vulnerability is to remove Ghostscript from your system until a fixed version is available.
Patch Ghostscript
Artifex Software has made the following patches available for Ghostscript:
Notified: August 24, 2018 Updated: September 06, 2018
Affected
We have not received a statement from the vendor.
Ghostscript security vulnerabilities resolved
Novato, CA August 24, 2018 – Artifex Software is pleased to report that the recently
disclosed security vulnerabilities in Ghostscript have been resolved. On August 21,
2018, a Google Project Zero security researcher disclosed Ghostscript
security vulnerabilities; a CERT advisory was released that day as well.
As of August 24, 2018, all reported problems have been fixed and will be part of the
next Ghostscript release in late September. Individual patches are available now in the
Ghostscript repository and are listed below. We recommend applying these security
fixes as soon as possible.
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b575e1ec>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8e9ce501>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=241d9111>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c432131c>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e01e77a3>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e01e77a3>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0edd3d6c>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a054156d>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0d390118>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c3476dde>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b326a716>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=78911a01>
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5516c614>
Artifex takes security issues very seriously and strongly encourages responsible and
coordinated disclosure of vulnerabilities. Developers should be given the opportunity to
fix security problems in advance of public disclosure.
Group | Score | Vector |
---|---|---|
Base | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Temporal | 6.8 | E:F/RL:W/RC:C |
Environmental | 6.8 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND |
This vulnerability was publicly disclosed by Tavis Ormandy.
This document was written by Will Dormann.
CVE IDs: | CVE-2018-16509 |
---|---|
Date Public: | 2018-02-21 |
Date First Published: | |
git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0d390118
git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0edd3d6c
git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=241d9111
git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=520bb0ea7519aa3e79db78aaf0589dae02103764
git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5516c614
git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5516c614dc33
git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=78911a01
git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=78911a01b6
git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=79cccf641486
git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8e9ce501
git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a054156d
git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b326a716
git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b575e1ec
git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c3476dde
git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c432131c
git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e01e77a3
openwall.com/lists/oss-security/2018/08/21/2
bugs.chromium.org/p/project-zero/issues/detail?id=1640
ghostscript.com/doc/9.24/History9.htm#Version9.24
www.ghostscript.com/doc/current/Use.htm#Safer
www.imagemagick.org/script/resources.php
www.imagemagick.org/script/security-policy.php