Amazon Linux 2 : ghostscript (ALAS-2021-1598)

critical Nessus Plugin ID 146633

Synopsis

The remote Amazon Linux 2 host is missing a security update.

Description

The version of ghostscript installed on the remote host is prior to 9.25-5. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2021-1598 advisory. Note that Amazon Linux 2 ships Ghostscript 9.25 with the fixes backported, so the upstream "before 9.26" wording in the CVE entries below does not map onto the package version; what matters for this host is the package release, 9.25-5 or later.

Artifex Ghostscript before 9.25 allowed a user-writable error exception table, which could be used by remote attackers able to supply crafted PostScript to potentially overwrite or replace error handlers to inject code. (CVE-2018-17183)

Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protection mechanism via vectors involving errorhandler setup. NOTE: this issue exists because of an incomplete fix for CVE-2018-17183. (CVE-2018-17961)

Artifex Ghostscript allows attackers to bypass a sandbox protection mechanism by leveraging exposure of system operators in the saved execution stack in an error object. (CVE-2018-18073)

Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protection mechanism via vectors involving the 1Policy operator. (CVE-2018-18284)

In Artifex Ghostscript through 9.25, the setpattern operator did not properly validate certain types. A specially crafted PostScript document could exploit this to crash Ghostscript or, possibly, execute arbitrary code in the context of the Ghostscript process. This is a type confusion issue because of failure to check whether the Implementation of a pattern dictionary was a structure type. (CVE-2018-19134)

An issue was discovered in Artifex Ghostscript before 9.26. LockSafetyParams is not checked correctly if another device is used. (CVE-2018-19409)

psi/zdevice2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because available stack space is not checked when the device remains the same. (CVE-2018-19475)

psi/zicc.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because of a setcolorspace type confusion. (CVE-2018-19476)

psi/zfjbig2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because of a JBIG2Decode type confusion. (CVE-2018-19477)

A flaw was found in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14811)

A flaw was found in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14812)

A flaw was found in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14813)

A flaw was found in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14817)

A flaw was found in the `.charkeys` procedure, where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges within Ghostscript and access files outside of restricted areas or execute commands. (CVE-2019-14869)

It was found that the superexec operator was available in the internal dictionary. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constraints imposed by -dSAFER. (CVE-2019-3835)

It was found that the forceput operator could be extracted from the DefineResource method. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constraints imposed by -dSAFER. (CVE-2019-3838)

It was found that some privileged operators remained accessible from various places after the CVE-2019-6116 fix. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constraints imposed by -dSAFER. (CVE-2019-3839)

It was found that ghostscript could leak sensitive operators on the operand stack when a pseudo-operator pushes a subroutine. A specially crafted PostScript file could use this flaw to escape the -dSAFER protection in order to, for example, have access to the file system outside of the SAFER constraints. (CVE-2019-6116)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
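Nearly every entry above comes down to the same thing: an internal PostScript procedure or operator (superexec, forceput, .setuserparams2, setsystemparams, .pdfexectoken, .charkeys, .pdf_hook_DSC_Creator, 1Policy) that a document should never be able to reach under -dSAFER. When PostScript arrives from untrusted sources, for instance through a mail gateway or a document-conversion queue, a cheap triage step is to look for references to those names after discarding comments and string literals, where the same words can appear harmlessly. The scanner below is an added example written for this page; it is not Tenable's plugin, nor Amazon's or Artifex's code. The name list is taken from the CVE text above, and the sample document is constructed.

```python
"""Heuristic triage scanner for PostScript that references the privileged
operators named in this advisory (added example, not plugin or Ghostscript code)."""
import re
import sys
from typing import List, Tuple

# Names taken from the CVE descriptions on this page. Seeing one in an untrusted
# document is a reason to look closer, not proof of exploitation.
PRIVILEGED_NAMES = frozenset({
    "superexec", "forceput", ".setuserparams2", "setsystemparams",
    ".pdfexectoken", ".charkeys", ".pdf_hook_DSC_Creator", "1Policy",
})

# A PostScript token ends at whitespace or one of the delimiters ( ) < > [ ] { } / %.
TOKEN_RE = re.compile(r"/?[^\s()<>\[\]{}/%]+")


def _blank(s: str) -> str:
    """Replace s with spaces, keeping newlines so line numbers survive."""
    return "".join("\n" if ch == "\n" else " " for ch in s)


def strip_comments_and_strings(ps: str) -> str:
    """Blank out %-comments, (...) strings (nested parens, backslash escapes),
    <...> hex strings and <~...~> ASCII85 strings, where operator names may
    appear harmlessly. Dictionary delimiters << >> are left alone."""
    out, i, n = [], 0, len(ps)
    while i < n:
        c = ps[i]
        if c == "%":                                  # comment to end of line
            end = i
            while end < n and ps[end] not in "\r\n":
                end += 1
        elif c == "(":                                # literal string
            depth, end = 0, i
            while end < n:
                ch = ps[end]
                if ch == "\\":                        # escaped char, may be ')'
                    end += 2
                    continue
                depth += 1 if ch == "(" else -1 if ch == ")" else 0
                end += 1
                if depth == 0:
                    break
            end = min(end, n)
        elif ps.startswith("<<", i):                  # dict start, not a string
            out.append("<<")
            i += 2
            continue
        elif ps.startswith("<~", i):                  # ASCII85 string
            end = ps.find("~>", i + 2)
            end = n if end < 0 else end + 2
        elif c == "<":                                # hex string
            end = ps.find(">", i + 1)
            end = n if end < 0 else end + 1
        else:
            out.append(c)
            i += 1
            continue
        out.append(_blank(ps[i:end]))
        i = end
    return "".join(out)


def scan_postscript(ps: str) -> List[Tuple[int, str]]:
    """Return (line number, token) for every executable or literal (/name)
    reference to a privileged name outside comments and strings."""
    hits = []
    for lineno, line in enumerate(strip_comments_and_strings(ps).splitlines(), 1):
        for tok in TOKEN_RE.findall(line):
            if tok.lstrip("/") in PRIVILEGED_NAMES:
                hits.append((lineno, tok))
    return hits


# Constructed sample document: it only looks names up and runs nothing privileged.
SAMPLE_PS = """%!PS-Adobe-3.0
% Constructed sample: superexec in a comment is ignored
/Helvetica findfont 12 scalefont setfont
(forceput inside a string literal is ignored too) show
(nested (parens) and an escaped \\) paren) show
/forceput load
systemdict /superexec known
showpage
"""

if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_PS
    for lineno, tok in scan_postscript(text):
        print(f"line {lineno}: {tok}")
```

A hit is a reason to open the file, not evidence of exploitation. The scanner also has a blind spot by design: a name can be assembled at run time, for example from string fragments with cvn, and because strings are blanked before tokenising, that form is invisible here. Updating to 9.25-5 is the fix; this only helps prioritise documents that arrived before the update was applied.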

Solution

Run 'yum update ghostscript' to update your system. The update also replaces libgs, so long-running processes that already have the library loaded (CUPS filters, conversion workers built on ImageMagick, and the like) keep executing the old code until they are restarted.
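The plugin decides from the package version alone, and a local check can do the same, but the comparison has to follow rpm's ordering rules: a release such as 5.amzn2.0.2 must count as newer than 5, and 9.25 must count as older than 9.26, and neither plain string order nor float order gets both right. The script below is an added example for this page, not Tenable's plugin code; it reimplements rpm's segment-by-segment version comparison and applies it to what rpm -q reports. FIXED_EVR is taken from this page; the rpm output lines used to exercise it are constructed.

```python
"""Compare the installed ghostscript package EVR with the fixed version named on
this page, using rpm's version-ordering rules (added example, not plugin code)."""
import subprocess
import sys

FIXED_EVR = "9.25-5"  # fixed version from the advisory text above


def rpmvercmp(a: str, b: str) -> int:
    """Reimplementation of rpm's rpmvercmp for one version or release string.
    Numeric segments compare numerically, alphabetic ones lexically, '~' sorts
    before anything (pre-release), '^' after the base version (post-release).
    Returns -1 (a older), 0 (equal) or 1 (a newer)."""
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        while i < la and not (a[i].isalnum() or a[i] in "~^"):  # skip separators
            i += 1
        while j < lb and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < la else ""
        cb = b[j] if j < lb else ""
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":
            if ca == "":
                return -1
            if cb == "":
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "" or cb == "":
            break
        si, sj, isnum = i, j, ca.isdigit()
        kind = str.isdigit if isnum else str.isalpha
        while i < la and kind(a[i]):
            i += 1
        while j < lb and kind(b[j]):
            j += 1
        sa, sb = a[si:i], b[sj:j]
        if not sb:  # segment types differ: the numeric segment is the newer one
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1  # whichever string has segments left is newer


def parse_evr(evr: str):
    """Split 'epoch:version-release' (epoch and release optional) into a tuple.
    rpm --qf prints '(none)' for a missing epoch; treat that as 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        if e != "(none)":
            epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Order two EVR strings: epoch first, then version, then release.
    Release is only compared when both sides carry one (design choice here)."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    rc = rpmvercmp(va, vb)
    if rc or not ra or not rb:
        return rc
    return rpmvercmp(ra, rb)


def ghostscript_vulnerable(rpm_q_line: str, fixed: str = FIXED_EVR) -> bool:
    """True if one line of rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\\n' ghostscript
    names a package older than the fixed EVR."""
    return evr_cmp(rpm_q_line.strip(), fixed) < 0


if __name__ == "__main__":
    q = subprocess.run(["rpm", "-q", "--qf", "%{EPOCH}:%{VERSION}-%{RELEASE}\\n", "ghostscript"],
                       capture_output=True, text=True)
    if q.returncode != 0:
        sys.exit("ghostscript is not installed or rpm is unavailable")
    for line in q.stdout.splitlines():
        print(line, "VULNERABLE" if ghostscript_vulnerable(line) else "patched")
```

Run it on the host after the update to confirm the new package is what rpm sees. Like the plugin, it judges by package version only; it says nothing about whether processes that still hold the old libgs in memory have been restarted.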

See Also

https://access.redhat.com/security/cve/CVE-2019-3835

https://access.redhat.com/security/cve/CVE-2019-3838

https://access.redhat.com/security/cve/CVE-2019-3839

https://access.redhat.com/security/cve/CVE-2019-6116

https://alas.aws.amazon.com/AL2/ALAS-2021-1598.html

https://access.redhat.com/security/cve/CVE-2018-17183

https://access.redhat.com/security/cve/CVE-2018-17961

https://access.redhat.com/security/cve/CVE-2018-18073

https://access.redhat.com/security/cve/CVE-2018-18284

https://access.redhat.com/security/cve/CVE-2018-19134

https://access.redhat.com/security/cve/CVE-2018-19409

https://access.redhat.com/security/cve/CVE-2018-19475

https://access.redhat.com/security/cve/CVE-2018-19476

https://access.redhat.com/security/cve/CVE-2018-19477

https://access.redhat.com/security/cve/CVE-2019-14811

https://access.redhat.com/security/cve/CVE-2019-14812

https://access.redhat.com/security/cve/CVE-2019-14813

https://access.redhat.com/security/cve/CVE-2019-14817

https://access.redhat.com/security/cve/CVE-2019-14869

Plugin Details

Severity: Critical

ID: 146633

File Name: al2_ALAS-2021-1598.nasl

Version: 1.5

Type: local

Agent: unix

Published: 2/19/2021

Updated: 12/11/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-14813

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:amazon:linux:ghostscript-cups, p-cpe:/a:amazon:linux:libgs, p-cpe:/a:amazon:linux:ghostscript-doc, p-cpe:/a:amazon:linux:ghostscript-gtk, p-cpe:/a:amazon:linux:ghostscript, cpe:/o:amazon:linux:2, p-cpe:/a:amazon:linux:ghostscript-debuginfo, p-cpe:/a:amazon:linux:libgs-devel

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/17/2021

Vulnerability Publication Date: 9/19/2018

Reference Information

CVE: CVE-2018-17183, CVE-2018-17961, CVE-2018-18073, CVE-2018-18284, CVE-2018-19134, CVE-2018-19409, CVE-2018-19475, CVE-2018-19476, CVE-2018-19477, CVE-2019-14811, CVE-2019-14812, CVE-2019-14813, CVE-2019-14817, CVE-2019-14869, CVE-2019-3835, CVE-2019-3838, CVE-2019-3839, CVE-2019-6116

BID: 105990, 106154, 106278, 106700, 107451, 107452, 107494, 107520, 107855, 108441

ALAS: 2021-1598