Factions of cybersecurity experts are currently debating whether a now-patched vulnerability in the Ghostscript Postscript and Adobe PDF interpreter is no big deal or the next big breach enabler.
The flaw, designated CVE-2024-29510, is a format string bug that was provided a CVSS score of 5.5 by Tenable, which is considered medium. Tenable’s medium rating reflected its conclusion that CVE-2024-29510 was a local vulnerability that required user interaction and had no risk of impacting the integrity or availability of data, only confidentiality.
However, some researchers disagree with Tenable’s medium rating. They cite the existence of Proof-of-Concept (PoC) exploit code that could allow threat actors to bypass Ghostscript’s default sandbox and achieve remote code execution (RCE) without user interaction.
Additionally, many applications depend on Ghostscript to render preview images in cloud storage and chat programs, PDF conversion and printing, and optical character recognition (OCR) which translates into a significantly large attack surface. The researchers worry that the medium rating of the vulnerability will cause network defenders to put off or ultimately not bother patching it, leaving plenty of vulnerable systems for threat actors to target.
Source: The Register
Analysis
The debate regarding the potential impact of CVE-2024-29510 will likely continue until the National Vulnerability Database (NVD) releases its vulnerability assessment. As of today, NVD lists the vulnerability as ‘awaiting analysis’.
Media outlets are now reporting that CVE-2024-29510 is currently being exploited in the wild by threat actors using EPS (PostScript) files camouflaged as JPG (image) files to get shell access to vulnerable systems. Regardless of what the NVD’s rating turns out to be, organizations with any exposure to Ghostscript should update it or remove it as soon as possible.
Mitigation
Field Effect’s elite team of Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities in software like Ghostscript. Field Effect MDR users were automatically notified if a vulnerable version of Ghostscript was detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect strongly encourages organizations with exposure to affected versions of Ghostscript to update to a secure version as soon as possible.
Related Articles
