Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.NEWSTART_CGSL_NS-SA-2019-0250_GHOSTSCRIPT.NASL
HistoryDec 31, 2019 - 12:00 a.m.

NewStart CGSL CORE 5.05 / MAIN 5.05 : ghostscript Multiple Vulnerabilities (NS-SA-2019-0250)

2019-12-3100:00:00
This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
7
JSON

The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has ghostscript packages installed that are affected by multiple vulnerabilities:

  • psi/zfile.c in Artifex Ghostscript before 9.21rc1 permits the status command even if -dSAFER is used, which might allow remote attackers to determine the existence and size of arbitrary files, a similar issue to CVE-2016-7977. (CVE-2018-11645)

  • It was found that the .buildfont1 procedure did not properly secure its privileged calls, enabling scripts to bypass -dSAFER restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges and access files outside of restricted areas.
    (CVE-2019-10216)

  • A flaw was found in ghostscript, versions 9.x before 9.50, in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass -dSAFER restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14813)

  • A flaw was found in all ghostscript versions 9.x before 9.50, in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass -dSAFER restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14812)

  • A flaw was found in, ghostscript versions prior to 9.50, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass -dSAFER restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14811)

  • A flaw was found in, ghostscript versions prior to 9.50, in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass -dSAFER restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14817)

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

# The descriptive text and package checks in this plugin were
# extracted from ZTE advisory NS-SA-2019-0250. The text
# itself is copyright (C) ZTE, Inc.

include('deprecated_nasl_level.inc');

include('compat.inc');

if (description)
{
  script_id(132453);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/07/05");

  script_cve_id(
    "CVE-2018-11645",
    "CVE-2019-10216",
    "CVE-2019-14811",
    "CVE-2019-14812",
    "CVE-2019-14813",
    "CVE-2019-14817"
  );

  script_name(english:"NewStart CGSL CORE 5.05 / MAIN 5.05 : ghostscript Multiple Vulnerabilities (NS-SA-2019-0250)");

  script_set_attribute(attribute:"synopsis", value:
"The remote machine is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has ghostscript packages installed that are
affected by multiple vulnerabilities:

  - psi/zfile.c in Artifex Ghostscript before 9.21rc1
    permits the status command even if -dSAFER is used,
    which might allow remote attackers to determine the
    existence and size of arbitrary files, a similar issue
    to CVE-2016-7977. (CVE-2018-11645)

  - It was found that the .buildfont1 procedure did not
    properly secure its privileged calls, enabling scripts
    to bypass `-dSAFER` restrictions. An attacker could
    abuse this flaw by creating a specially crafted
    PostScript file that could escalate privileges and
    access files outside of restricted areas.
    (CVE-2019-10216)

  - A flaw was found in ghostscript, versions 9.x before
    9.50, in the setsystemparams procedure where it did not
    properly secure its privileged calls, enabling scripts
    to bypass `-dSAFER` restrictions. A specially crafted
    PostScript file could disable security protection and
    then have access to the file system, or execute
    arbitrary commands. (CVE-2019-14813)

  - A flaw was found in all ghostscript versions 9.x before
    9.50, in the .setuserparams2 procedure where it did not
    properly secure its privileged calls, enabling scripts
    to bypass `-dSAFER` restrictions. A specially crafted
    PostScript file could disable security protection and
    then have access to the file system, or execute
    arbitrary commands. (CVE-2019-14812)

  - A flaw was found in, ghostscript versions prior to 9.50,
    in the .pdf_hook_DSC_Creator procedure where it did not
    properly secure its privileged calls, enabling scripts
    to bypass `-dSAFER` restrictions. A specially crafted
    PostScript file could disable security protection and
    then have access to the file system, or execute
    arbitrary commands. (CVE-2019-14811)

  - A flaw was found in, ghostscript versions prior to 9.50,
    in the .pdfexectoken and other procedures where it did
    not properly secure its privileged calls, enabling
    scripts to bypass `-dSAFER` restrictions. A specially
    crafted PostScript file could disable security
    protection and then have access to the file system, or
    execute arbitrary commands. (CVE-2019-14817)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2019-0250");
  script_set_attribute(attribute:"solution", value:
"Upgrade the vulnerable CGSL ghostscript packages. Note that updated packages may not be available yet. Please contact
ZTE for more information.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-14813");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/06/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/12/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/31");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"NewStart CGSL Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/ZTE-CGSL/release");
if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux");

if (release !~ "CGSL CORE 5.05" &&
    release !~ "CGSL MAIN 5.05")
  audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.05 / NewStart CGSL MAIN 5.05');

if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu);

flag = 0;

pkgs = {
  "CGSL CORE 5.05": [
    "ghostscript-9.25-2.el7_7.2",
    "ghostscript-cups-9.25-2.el7_7.2",
    "ghostscript-debuginfo-9.25-2.el7_7.2",
    "ghostscript-doc-9.25-2.el7_7.2",
    "ghostscript-gtk-9.25-2.el7_7.2",
    "libgs-9.25-2.el7_7.2",
    "libgs-devel-9.25-2.el7_7.2"
  ],
  "CGSL MAIN 5.05": [
    "ghostscript-9.25-2.el7_7.2",
    "ghostscript-cups-9.25-2.el7_7.2",
    "ghostscript-debuginfo-9.25-2.el7_7.2",
    "ghostscript-doc-9.25-2.el7_7.2",
    "ghostscript-gtk-9.25-2.el7_7.2",
    "libgs-9.25-2.el7_7.2",
    "libgs-devel-9.25-2.el7_7.2"
  ]
};
pkg_list = pkgs[release];

foreach (pkg in pkg_list)
  if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ghostscript");
}

Related

nessus 60
oraclelinux 5
openvas 34
osv 10
archlinux 1
freebsd 1
redhat 8
debian 8
ubuntu 2
fedora 10
centos 3
mageia 2
gentoo 1
prion 7
ubuntucve 7
debiancve 7
cve 7
suse 4
veracode 7
redhatcve 7
alpinelinux 5
myhack58 1
symantec 1
amazon 1
nessus
nessus
NewStart CGSL CORE 5.04 / MAIN 5.04 : ghostscript Multiple Vulnerabilities (NS-SA-2019-0203)
2019-10-15 00:00:00
EulerOS 2.0 SP5 : ghostscript (EulerOS-SA-2019-2151)
2019-11-12 00:00:00
Oracle Linux 8 : ghostscript (ELSA-2019-2591)
2019-09-09 00:00:00
oraclelinux
oraclelinux
ghostscript security update
2019-09-02 00:00:00
ghostscript security update
2019-09-06 00:00:00
ghostscript security update
2019-08-16 00:00:00
openvas
openvas
Huawei EulerOS: Security Advisory for ghostscript (EulerOS-SA-2019-2151)
2020-01-23 00:00:00
Debian Security Advisory DSA 4518-1 (ghostscript - security update)
2019-09-10 00:00:00
Huawei EulerOS: Security Advisory for ghostscript (EulerOS-SA-2020-1348)
2020-04-01 00:00:00
osv
osv
ghostscript - security update
2019-09-07 00:00:00
ghostscript - security update
2019-09-09 00:00:00
ghostscript - security update
2019-08-13 00:00:00
archlinux
archlinux
[ASA-201911-5] ghostscript: sandbox escape
2019-11-03 00:00:00
freebsd
freebsd
Ghostscript -- Security bypass vulnerabilities
2019-08-20 00:00:00
redhat
redhat
(RHSA-2019:2586) Important: ghostscript security update
2019-09-02 07:04:45
(RHSA-2019:2591) Important: ghostscript security update
2019-09-02 07:36:36
(RHSA-2019:2534) Important: Red Hat 3scale API Management 2.6.0 release and security update
2019-08-21 11:27:32
debian
debian
[SECURITY] [DLA 1915-1] ghostscript security update
2019-09-09 12:08:44
[SECURITY] [DSA 4518-1] ghostscript security update
2019-09-07 15:42:39
[SECURITY] [DSA 4518-1] ghostscript security update
2019-09-07 15:42:39
ubuntu
ubuntu
Ghostscript vulnerabilities
2019-08-29 00:00:00
Ghostscript vulnerability
2019-08-12 00:00:00
fedora
fedora
[SECURITY] Fedora 30 Update: ghostscript-9.27-2.fc30
2019-11-18 01:19:29
[SECURITY] Fedora 30 Update: ghostscript-9.27-1.fc30
2019-09-25 01:09:18
[SECURITY] Fedora 31 Update: ghostscript-9.27-1.fc31
2019-09-22 01:23:29
centos
centos
ghostscript, libgs security update
2019-09-18 18:44:20
ghostscript, libgs security update
2019-08-30 02:53:03
ghostscript security update
2017-01-04 10:39:19
mageia
mageia
Updated ghostscript packages fix security vulnerabilities
2019-09-12 22:09:52
Updated ghostscript packages fix security vulnerability
2019-08-31 16:22:36
gentoo
gentoo
GPL Ghostscript: Multiple vulnerabilities
2020-04-01 00:00:00
prion
prion
Command injection
2018-06-01 12:29:00
Authentication flaw
2019-11-27 13:15:00
Command injection
2019-09-03 16:15:00
ubuntucve
ubuntucve
CVE-2018-11645
2018-06-01 00:00:00
CVE-2019-10216
2019-08-12 00:00:00
CVE-2019-14817
2019-08-28 00:00:00
debiancve
debiancve
CVE-2018-11645
2018-06-01 12:29:00
CVE-2019-10216
2019-11-27 13:15:00
CVE-2019-14813
2019-09-06 14:15:00
cve
cve
CVE-2018-11645
2018-06-01 12:29:00
CVE-2019-14817
2019-09-03 16:15:00
CVE-2019-10216
2019-11-27 13:15:00
suse
suse
Security update for ghostscript (important)
2019-09-30 00:00:00
Security update for ghostscript (important)
2019-09-30 00:00:00
Security update for ghostscript (moderate)
2019-09-16 00:00:00
veracode
veracode
Information Disclosure
2019-08-08 00:07:32
Safer Restriction Bypass
2019-09-03 00:20:39
Privilege Escalation
2019-08-13 00:29:28
redhatcve
redhatcve
CVE-2018-11645
2018-06-05 08:01:33
CVE-2019-14817
2019-10-08 11:42:02
CVE-2016-7977
2016-10-06 08:47:36
alpinelinux
alpinelinux
CVE-2019-14817
2019-09-03 16:15:00
CVE-2019-10216
2019-11-27 13:15:00
CVE-2019-14813
2019-09-06 14:15:00
myhack58
myhack58
CVE-2019-10216: ghostscript sandbox bypasses command execution vulnerability alerts-a vulnerability alert-the black bar safety net
2019-08-13 00:00:00
symantec
symantec
Artifex Ghostscript CVE-2019-14812 Remote Privilege Escalation Vulnerability
2019-08-20 00:00:00
amazon
amazon
Important: ghostscript
2021-02-17 00:58:00
JSON
Related for NEWSTART_CGSL_NS-SA-2019-0250_GHOSTSCRIPT.NASL
nessus60oraclelinux5openvas34osv10archlinux1freebsd1redhat8debian8ubuntu2fedora10centos3mageia2gentoo1prion7ubuntucve7debiancve7cve7suse4veracode7redhatcve7alpinelinux5myhack581symantec1amazon1