In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use a type confusion in the setcolor function to crash the interpreter or possibly have unspecified other impact.

According to its self-reported version, the version of Pulse Connect Secure running on the remote host is affected by multiple vulnerabilities.

   - An arbitrary file read vulnerability exists in PCS. An      unauthenticated, remote attacker can exploit this, via specially      crafted URI, to read arbitrary files and disclose sensitive      information. (CVE-2019-11510)

   - Multiple vulnerabilities are found in Ghostscript.(CVE-2018-16513      , CVE-2018-18284, CVE-2018-15911, CVE-2018-15910, CVE-2018-15909)

   - A session hijacking vulnerability exists in PCS. An      unauthenticated, remote attacker can exploit this, to perform      actions in the user or administrator interface with the      privileges of another user. (CVE-2019-11540)

   - An authentication leaks seen in users using SAML authentication      with the reuse existing NC (Pulse) session option.
     (CVE-2019-11541)

   - Multiple vulnerabilities found in the admin web interface of PCS.
     (CVE-2019-11543, CVE-2019-11542, CVE-2019-11509, CVE-2019-11539)

   - Multiple vulnerabilities found in Network File Share (NFS) of PCS      , allows the attacker to read/write arbitrary files on the      affected device. (CVE-2019-11538, CVE-2019-11508)

   - A cross-site scripting (XSS) vulnerability exists in application      launcher page due to improper validation of user-supplied input      before returning it to users. An attacker can exploit this, by      convincing a user to click a specially crafted URL, to execute      arbitrary script code in a user's browser session.
     (CVE-2019-11507)

Refer to the vendor advisory for additional information.

This update for ghostscript to version 9.25 fixes the following issues :

These security issues were fixed :

  - CVE-2018-17183: Remote attackers were be able to supply     crafted PostScript to potentially overwrite or replace     error handlers to inject code (bsc#1109105)

  - CVE-2018-15909: Prevent type confusion using the .shfill     operator that could have been used by attackers able to     supply crafted PostScript files to crash the interpreter     or potentially execute code (bsc#1106172).

  - CVE-2018-15908: Prevent attackers that are able to     supply malicious PostScript files to bypass .tempfile     restrictions and write files (bsc#1106171).

  - CVE-2018-15910: Prevent a type confusion in the     LockDistillerParams parameter that could have been used     to crash the interpreter or execute code (bsc#1106173).

  - CVE-2018-15911: Prevent use uninitialized memory access     in the aesdecode operator that could have been used to     crash the interpreter or potentially execute code     (bsc#1106195).

  - CVE-2018-16513: Prevent a type confusion in the setcolor     function that could have been used to crash the     interpreter or possibly have unspecified other impact     (bsc#1107412).

  - CVE-2018-16509: Incorrect 'restoration of privilege'     checking during handling of /invalidaccess exceptions     could be have been used by attackers able to supply     crafted PostScript to execute code using the 'pipe'     instruction (bsc#1107410).

  - CVE-2018-16510: Incorrect exec stack handling in the     'CS' and 'SC' PDF primitives could have been used by     remote attackers able to supply crafted PDFs to crash     the interpreter or possibly have unspecified other     impact (bsc#1107411).

  - CVE-2018-16542: Prevent attackers able to supply crafted     PostScript files from using insufficient interpreter     stack-size checking during error handling to crash the     interpreter (bsc#1107413).

  - CVE-2018-16541: Prevent attackers able to supply crafted     PostScript files from using incorrect free logic in     pagedevice replacement to crash the interpreter     (bsc#1107421).

  - CVE-2018-16540: Prevent use-after-free in copydevice     handling that could have been used to crash the     interpreter or possibly have unspecified other impact     (bsc#1107420).

  - CVE-2018-16539: Prevent attackers able to supply crafted     PostScript files from using incorrect access checking in     temp file handling to disclose contents of files on the     system otherwise not readable (bsc#1107422).

  - CVE-2018-16543: gssetresolution and gsgetresolution     allowed attackers to have an unspecified impact     (bsc#1107423).

  - CVE-2018-16511: A type confusion in 'ztype' could have     been used by remote attackers able to supply crafted     PostScript to crash the interpreter or possibly have     unspecified other impact (bsc#1107426).

  - CVE-2018-16585: The .setdistillerkeys PostScript command     was accepted even though it is not intended for use     during document processing (e.g., after the startup     phase). This lead to memory corruption, allowing remote     attackers able to supply crafted PostScript to crash the     interpreter or possibly have unspecified other impact     (bsc#1107581).

  - CVE-2018-16802: Incorrect 'restoration of privilege'     checking when running out of stack during exception     handling could have been used by attackers able to     supply crafted PostScript to execute code using the     'pipe' instruction. This is due to an incomplete fix for     CVE-2018-16509 (bsc#1108027).

These non-security issues were fixed :

  - Fixes problems with argument handling, some unintended     results of the security fixes to the SAFER file access     restrictions (specifically accessing ICC profile files).

  - Avoid that ps2epsi fails with 'Error: /undefined in
    --setpagedevice--'

For additional changes please check http://www.ghostscript.com/doc/9.25/News.htm

This update was imported from the SUSE:SLE-15:Update update project.

This update for ghostscript to version 9.25 fixes the following issues :

These security issues were fixed :

CVE-2018-17183: Remote attackers were be able to supply crafted PostScript to potentially overwrite or replace error handlers to inject code (bsc#1109105)

CVE-2018-15909: Prevent type confusion using the .shfill operator that could have been used by attackers able to supply crafted PostScript files to crash the interpreter or potentially execute code (bsc#1106172).

CVE-2018-15908: Prevent attackers that are able to supply malicious PostScript files to bypass .tempfile restrictions and write files (bsc#1106171).

CVE-2018-15910: Prevent a type confusion in the LockDistillerParams parameter that could have been used to crash the interpreter or execute code (bsc#1106173).

CVE-2018-15911: Prevent use uninitialized memory access in the aesdecode operator that could have been used to crash the interpreter or potentially execute code (bsc#1106195).

CVE-2018-16513: Prevent a type confusion in the setcolor function that could have been used to crash the interpreter or possibly have unspecified other impact (bsc#1107412).

CVE-2018-16509: Incorrect 'restoration of privilege' checking during handling of /invalidaccess exceptions could be have been used by attackers able to supply crafted PostScript to execute code using the 'pipe' instruction (bsc#1107410).

CVE-2018-16510: Incorrect exec stack handling in the 'CS' and 'SC' PDF primitives could have been used by remote attackers able to supply crafted PDFs to crash the interpreter or possibly have unspecified other impact (bsc#1107411).

CVE-2018-16542: Prevent attackers able to supply crafted PostScript files from using insufficient interpreter stack-size checking during error handling to crash the interpreter (bsc#1107413).

CVE-2018-16541: Prevent attackers able to supply crafted PostScript files from using incorrect free logic in pagedevice replacement to crash the interpreter (bsc#1107421).

CVE-2018-16540: Prevent use-after-free in copydevice handling that could have been used to crash the interpreter or possibly have unspecified other impact (bsc#1107420).

CVE-2018-16539: Prevent attackers able to supply crafted PostScript files from using incorrect access checking in temp file handling to disclose contents of files on the system otherwise not readable (bsc#1107422).

CVE-2018-16543: gssetresolution and gsgetresolution allowed attackers to have an unspecified impact (bsc#1107423).

CVE-2018-16511: A type confusion in 'ztype' could have been used by remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact (bsc#1107426).

CVE-2018-16585: The .setdistillerkeys PostScript command was accepted even though it is not intended for use during document processing (e.g., after the startup phase). This lead to memory corruption, allowing remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact (bsc#1107581).

CVE-2018-16802: Incorrect 'restoration of privilege' checking when running out of stack during exception handling could have been used by attackers able to supply crafted PostScript to execute code using the 'pipe' instruction. This is due to an incomplete fix for CVE-2018-16509 (bsc#1108027).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201811-12 (GPL Ghostscript: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in GPL Ghostscript. Please       review the CVE identifiers referenced below for additional information.
  Impact :

    A context-dependent attacker could entice a user to open a specially       crafted PostScript file or PDF document using GPL Ghostscript possibly       resulting in the execution of arbitrary code with the privileges of the       process, a Denial of Service condition, or other unspecified impacts,   Workaround :

    There is no known workaround at this time.

This update for ghostscript-library fixes the following issues :

CVE-2018-16511: A type confusion in 'ztype' could be used by remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact. (bsc#1107426)

CVE-2018-16540: Attackers able to supply crafted PostScript files to the builtin PDF14 converter could use a use-after-free in copydevice handling to crash the interpreter or possibly have unspecified other impact. (bsc#1107420)

CVE-2018-16541: Attackers able to supply crafted PostScript files could use incorrect free logic in pagedevice replacement to crash the interpreter. (bsc#1107421)

CVE-2018-16542: Attackers able to supply crafted PostScript files could use insufficient interpreter stack-size checking during error handling to crash the interpreter. (bsc#1107413)

CVE-2018-16509: Incorrect 'restoration of privilege' checking during handling of /invalidaccess exceptions could be used by attackers able to supply crafted PostScript to execute code using the 'pipe' instruction. (bsc#1107410

CVE-2018-16513: Attackers able to supply crafted PostScript files could use a type confusion in the setcolor function to crash the interpreter or possibly have unspecified other impact. (bsc#1107412)

CVE-2018-15910: Attackers able to supply crafted PostScript files could use a type confusion in the LockDistillerParams parameter to crash the interpreter or execute code. (bsc#1106173)

CVE-2017-9611: The Ins_MIRP function allowed remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly have unspecified other impact via a crafted document. (bsc#1050893)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the ghostscript .shfill operator did not properly validate certain types. An attacker could possibly exploit this to bypass the -dSAFER protection and crash ghostscript or, possibly, execute arbitrary code in the ghostscript context via a specially crafted PostScript document.(CVE-2018-15909)

An issue was discovered in Artifex Ghostscript before 9.24. A type confusion in 'ztype' could be used by remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact.(CVE-2018-16511)

An issue was discovered in Artifex Ghostscript before 9.24. The .setdistillerkeys PostScript command is accepted even though it is not intended for use during document processing (e.g., after the startup phase). This leads to memory corruption, allowing remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact.(CVE-2018-16585)

It was discovered that the ghostscript PDF14 compositor did not properly handle the copying of a device. An attacker could possibly exploit this to bypass the -dSAFER protection and crash ghostscript or, possibly, execute arbitrary code in the ghostscript context via a specially crafted PostScript document.(CVE-2018-16540)

It was discovered that the ghostscript device cleanup did not properly handle devices replaced with a null device. An attacker could possibly exploit this to bypass the -dSAFER protection and crash ghostscript or, possibly, execute arbitrary code in the ghostscript context via a specially crafted PostScript document.(CVE-2018-16541)

It was discovered that the ghostscript did not properly restrict access to files open prior to enabling the -dSAFER mode. An attacker could possibly exploit this to bypass the -dSAFER protection and disclose the content of affected files via a specially crafted PostScript document.(CVE-2018-16539)

An issue was discovered in Artifex Ghostscript before 9.25. Incorrect 'restoration of privilege' checking when running out of stack during exception handling could be used by attackers able to supply crafted PostScript to execute code using the 'pipe' instruction. This is due to an incomplete fix for CVE-2018-16509 .(CVE-2018-16802)

It was discovered that ghostscript did not properly handle certain stack overflow error conditions. An attacker could possibly exploit this to bypass the -dSAFER protection and crash ghostscript or, possibly, execute arbitrary code in the ghostscript context via a specially crafted PostScript document.(CVE-2018-16542)

Ghostscript did not honor the -dSAFER option when executing the 'status' instruction, which can be used to retrieve information such as a file's existence and size. A specially crafted postscript document could use this flow to gain information on the targeted system's filesystem content.(CVE-2018-11645)

It was discovered that the ghostscript did not properly validate the operands passed to the setcolor function. An attacker could possibly exploit this to bypass the -dSAFER protection and crash ghostscript or, possibly, execute arbitrary code in the ghostscript context via a specially crafted PostScript document.(CVE-2018-16513)

It was discovered that the type of the LockDistillerParams parameter is not properly verified. An attacker could possibly exploit this to bypass the -dSAFER protection and crash ghostscript or, possibly, execute arbitrary code in the ghostscript context via a specially crafted PostScript document.(CVE-2018-15910)

It was discovered that the ghostscript /invalidaccess checks fail under certain conditions. An attacker could possibly exploit this to bypass the -dSAFER protection and, for example, execute arbitrary shell commands via a specially crafted PostScript document.(CVE-2018-16509)

It was discovered that ghostscript did not properly verify the key used in aesdecode. An attacker could possibly exploit this to bypass the -dSAFER protection and crash ghostscript or, possibly, execute arbitrary code in the ghostscript context via a specially crafted PostScript document.(CVE-2018-15911)

It was discovered that the ghostscript .tempfile function did not properly handle file permissions. An attacker could possibly exploit this to exploit this to bypass the -dSAFER protection and delete files or disclose their content via a specially crafted PostScript document.(CVE-2018-15908)

This update for ghostscript to version 9.25 fixes the following issues :

These security issues were fixed :

  - CVE-2018-17183: Remote attackers were be able to supply     crafted PostScript to potentially overwrite or replace     error handlers to inject code (bsc#1109105)

  - CVE-2018-15909: Prevent type confusion using the .shfill     operator that could have been used by attackers able to     supply crafted PostScript files to crash the interpreter     or potentially execute code (bsc#1106172).

  - CVE-2018-15908: Prevent attackers that are able to     supply malicious PostScript files to bypass .tempfile     restrictions and write files (bsc#1106171).

  - CVE-2018-15910: Prevent a type confusion in the     LockDistillerParams parameter that could have been used     to crash the interpreter or execute code (bsc#1106173).

  - CVE-2018-15911: Prevent use uninitialized memory access     in the aesdecode operator that could have been used to     crash the interpreter or potentially execute code     (bsc#1106195).

  - CVE-2018-16513: Prevent a type confusion in the setcolor     function that could have been used to crash the     interpreter or possibly have unspecified other impact     (bsc#1107412).

  - CVE-2018-16509: Incorrect 'restoration of privilege'     checking during handling of /invalidaccess exceptions     could be have been used by attackers able to supply     crafted PostScript to execute code using the 'pipe'     instruction (bsc#1107410).

  - CVE-2018-16510: Incorrect exec stack handling in the     'CS' and 'SC' PDF primitives could have been used by     remote attackers able to supply crafted PDFs to crash     the interpreter or possibly have unspecified other     impact (bsc#1107411).

  - CVE-2018-16542: Prevent attackers able to supply crafted     PostScript files from using insufficient interpreter     stack-size checking during error handling to crash the     interpreter (bsc#1107413).

  - CVE-2018-16541: Prevent attackers able to supply crafted     PostScript files from using incorrect free logic in     pagedevice replacement to crash the interpreter     (bsc#1107421).

  - CVE-2018-16540: Prevent use-after-free in copydevice     handling that could have been used to crash the     interpreter or possibly have unspecified other impact     (bsc#1107420).

  - CVE-2018-16539: Prevent attackers able to supply crafted     PostScript files from using incorrect access checking in     temp file handling to disclose contents of files on the     system otherwise not readable (bsc#1107422).

  - CVE-2018-16543: gssetresolution and gsgetresolution     allowed attackers to have an unspecified impact     (bsc#1107423).

  - CVE-2018-16511: A type confusion in 'ztype' could have     been used by remote attackers able to supply crafted     PostScript to crash the interpreter or possibly have     unspecified other impact (bsc#1107426).

  - CVE-2018-16585: The .setdistillerkeys PostScript command     was accepted even though it is not intended for use     during document processing (e.g., after the startup     phase). This lead to memory corruption, allowing remote     attackers able to supply crafted PostScript to crash the     interpreter or possibly have unspecified other impact     (bsc#1107581).

  - CVE-2018-16802: Incorrect 'restoration of privilege'     checking when running out of stack during exception     handling could have been used by attackers able to     supply crafted PostScript to execute code using the     'pipe' instruction. This is due to an incomplete fix for     CVE-2018-16509 (bsc#1108027).

These non-security issues were fixed :

  - Fixes problems with argument handling, some unintended     results of the security fixes to the SAFER file access     restrictions (specifically accessing ICC profile files).

  - Avoid that ps2epsi fails with 'Error: /undefined in
    --setpagedevice--'

For additional changes please check http://www.ghostscript.com/doc/9.25/News.htm and the changes file of the package. This update was imported from the SUSE:SLE-12:Update update project.

The remote Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-3768-1 advisory.

    Tavis Ormandy discovered multiple security issues in Ghostscript. If a user or automated system were     tricked into processing a specially crafted file, a remote attacker could possibly use these issues to     access arbitrary files, execute arbitrary code, or cause a denial of service.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Tavis Ormandy discovered multiple vulnerabilities in Ghostscript, an interpreter for the PostScript language, which could result in denial of service, the creation of files or the execution of arbitrary code if a malformed Postscript file is processed (despite the dSAFER sandbox being enabled).

For Debian 8 'Jessie', these problems have been fixed in version 9.06~dfsg-2+deb8u8.

We recommend that you upgrade your ghostscript packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Artifex Ghostscript installed on the remote Windows host is prior to 9.24. It is, therefore, affected by multiple vulnerabilities due to improperly handling PostScript data. A context-dependent attacker could cause a buffer overflow, potentially crashing the service.

Tavis Ormandy discovered multiple vulnerabilites in Ghostscript, an interpreter for the PostScript language, which could result in denial of service, the creation of files or the execution of arbitrary code if a malformed Postscript file is processed (despite the dSAFER sandbox being enabled).

ID	Name	Product	Family	Severity
124766	Pulse Connect Secure Multiple Vulnerabilities (SA44101)	Nessus	Misc.	critical
123326	openSUSE Security Update : ghostscript (openSUSE-2019-759)	Nessus	SuSE Local Security Checks	high
120116	SUSE SLED15 / SLES15 Security Update : ghostscript (SUSE-SU-2018:2976-1)	Nessus	SuSE Local Security Checks	high
119132	GLSA-201811-12 : GPL Ghostscript: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
118350	SUSE SLES11 Security Update : ghostscript-library (SUSE-SU-2018:3330-1)	Nessus	SuSE Local Security Checks	high
118298	SUSE SLES12 Security Update : ghostscript (SUSE-SU-2018:2975-2)	Nessus	SuSE Local Security Checks	high
118043	Amazon Linux 2 : ghostscript (ALAS-2018-1088)	Nessus	Amazon Linux Local Security Checks	high
117980	openSUSE Security Update : ghostscript (openSUSE-2018-1123)	Nessus	SuSE Local Security Checks	high
117979	openSUSE Security Update : ghostscript (openSUSE-2018-1122)	Nessus	SuSE Local Security Checks	high
117901	SUSE SLED12 / SLES12 Security Update : ghostscript (SUSE-SU-2018:2975-1)	Nessus	SuSE Local Security Checks	high
117595	Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : Ghostscript vulnerabilities (USN-3768-1)	Nessus	Ubuntu Local Security Checks	high
117487	Debian DLA-1504-1 : ghostscript security update	Nessus	Debian Local Security Checks	high
117459	Artifex Ghostscript Multiple Vulnerabilities	Nessus	Windows	high
117369	Debian DSA-4288-1 : ghostscript - security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2018-16513

high

Tenable Plugins

critical

high

high

critical

high

high

high

high

high

high

high

high

high

high