A remote code execution vulnerability in the Ghostscript document conversion toolkit, widely used on Linux systems, is currently being exploited in attacks.

Ghostscript comes pre-installed on many Linux distributions and is used by various document conversion software, including ImageMagick, LibreOffice, GIMP, Inkscape, Scribus, and the CUPS printing system.

Tracked as CVE-2024-29510, this format string vulnerability impacts all Ghostscript 10.03.0 and earlier installations. It enables attackers to escape the -dSAFER sandbox (enabled by default) because unpatched Ghostscript versions fail to prevent changes to uniprint device argument strings after the sandbox is activated.

This security bypass is especially dangerous as it allows them to perform high-risk operations, such as command execution and file I/O, using the Ghostscript Postscript interpreter, which the sandbox would usually block.

“This vulnerability has significant impact on web-applications and other services offering document conversion and preview functionalities as these often use Ghostscript under the hood,” warned Codean Labs security researchers who discovered and reported the security vulnerability.

“We recommend verifying whether your solution (indirectly) makes use of Ghostscript and if so, update it to the latest version.”

Codean Labs has also shared this Postscript file that can help defenders detect if their systems are vulnerable to CVE-2023-36664 attacks by running it with the following command:

ghostscript -q -dNODISPLAY -dBATCH CVE-2024-29510_testkit.ps

Actively exploited in attacks

While the Ghostscript development team patched the security flaw in May, Codean Labs published a write-up with technical details and proof-of-concept exploit code two months later.

Attackers are already exploiting the CVE-2024-29510 Ghostscript vulnerability in the wild, using EPS (PostScript) files camouflaged as JPG (image) files to get shell access to vulnerable systems.

“If you have ghostscript *anywhere* in your production services, you are probably vulnerable to a shockingly trivial remote shell execution, and you should upgrade it or remove it from your production systems,” developer Bill Mill warned.

“The best mitigation against this vulnerability is to update your installation of Ghostscript to v10.03.1. If your distribution does not provide the latest Ghostscript version, it might still have released a patch version containing a fix for this vulnerability (e.g., Debian, Ubuntu, Fedora),” Codean Labs added.

One year ago, the Ghostscript developers patched another critical RCE flaw (CVE-2023-36664) also triggered by opening maliciously crafted files on unpatched systems.