myhack58 / 佚名 (Anonymous) / MYHACK58:62201995495
History: Aug 13, 2019 - 12:00 a.m.

CVE-2019-10216: Ghostscript sandbox bypass leading to command execution, vulnerability alert - Vulnerability Alerts - Black Bar Safety Net (myhack58)

2019-08-13 00:00:00
佚名 (Anonymous)
www.myhack58.com
50

CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 6.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.001 Low
Percentile: 42.2%

Late on August 2, 2019, Artifex merged a commit on the ghostscript master branch fixing Bug 701394, intended to close CVE-2019-10216. The vulnerability allows the ghostscript security sandbox (-dSAFER) to be bypassed directly, so an attacker who can get a crafted document processed can read arbitrary files or execute commands.
ghostscript is widely used: ImageMagick, python-matplotlib, libmagick and other image-processing applications all depend on it.

0x01 Vulnerability details
The .buildfont1 operator did not correctly protect the stack's safe state while executing, which allowed the -dSAFER security sandbox state to be bypassed.
The fix adds the executeonly restriction to every use of the special .forceput operator. These two points in detail

0x02 Affected versions
Versions prior to commit 5b85ddd19a8420a1bd2d5529325be35d78e94234 are affected.
ghostscript is the underlying engine for image processing and format conversion in many applications.
The vulnerability therefore affects every application that relies on ghostscript upstream, including but not limited to:
imagemagick
libmagick
graphicsmagick
gimp
python-matplotlib
texlive-core
texmacs
latex2html
latex2rtf, etc.

0x03 Remediation recommendations
It is recommended to update to commit 5b85ddd19a8420a1bd2d5529325be35d78e94234 or any later version, or to re-pull and build the current master branch directly.
Debian, Red Hat and other distributions are updating their upstream packages.
P.S. Red Hat 5 and 6 are beyond their support window; users on those releases should take note and apply a manual fix or update promptly.
CVE-2019-10216 – the Red Hat Customer Portal
CVE-2019-10216
If you cannot update, you can first disable the use of gs for parsing PS files.
When using ImageMagick, it is recommended to edit the policy file (default location: /etc/ImageMagick/policy.xml)
and add the following,
which disables the PS, EPS, PDF, XPS and PCD coders:
<policymap>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
  <policy domain="coder" rights="none" pattern="PCD" />
</policymap>
However, taviso has pointed out that this policy is quite loose: there may be formats not listed here that still allow a bypass.
360CERT recommends that users upgrade promptly, and that operators of online services which process images, PDFs and similar formats check the versions they are running.
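As an added check (example code, not from the advisory or from ImageMagick), the following Python script reads an ImageMagick policy.xml and reports which of the five coders recommended above (PS, EPS, PDF, XPS, PCD) are still allowed; the embedded sample policy is constructed, and the policy path is passed on the command line.

```python
"""Report which Ghostscript-backed ImageMagick coders a policy.xml still allows.

Added example. RECOMMENDED_DENY is the coder list from the advisory above;
the sample policy below is constructed for demonstration.
"""
import fnmatch
import sys
import xml.etree.ElementTree as ET

# Coders the advisory recommends denying so ImageMagick does not hand
# PostScript-family input to Ghostscript through the delegate mechanism.
RECOMMENDED_DENY = ("PS", "EPS", "PDF", "XPS", "PCD")


def denied_coders(policy_xml: str) -> set:
    """Return the subset of RECOMMENDED_DENY that policy_xml denies
    (a <policy> with domain="coder" and rights="none" whose pattern matches)."""
    root = ET.fromstring(policy_xml)
    denied = set()
    for pol in root.iter("policy"):
        if pol.get("domain") != "coder" or pol.get("rights") != "none":
            continue
        pattern = pol.get("pattern", "")
        # ImageMagick matches the pattern as a glob, so "*" covers everything.
        for coder in RECOMMENDED_DENY:
            if fnmatch.fnmatchcase(coder, pattern):
                denied.add(coder)
    return denied


def missing_deny_rules(policy_xml: str) -> list:
    """Coders from the advisory list that this policy still allows, in order."""
    denied = denied_coders(policy_xml)
    return [c for c in RECOMMENDED_DENY if c not in denied]


# Constructed sample: a policy that only blocks PS and EPS.
SAMPLE_PARTIAL_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="EPS" />
</policymap>
"""

if __name__ == "__main__":
    # Usage: python check_policy.py /etc/ImageMagick/policy.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PARTIAL_POLICY
    still_allowed = missing_deny_rules(text)
    print("still allowed: " + ", ".join(still_allowed) if still_allowed
          else "all recommended coders are denied")
```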
