CVE-2018-15909
Description
A type confusion in Artifex Ghostscript's .shfill operator allows attackers to crash the interpreter or execute arbitrary code via crafted PostScript files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A type confusion vulnerability exists in the .shfill operator in Artifex Ghostscript versions up to 9.23 before the 2018-08-24 patch [1]. The issue allows an attacker to craft a PostScript file that triggers a type confusion when the .shfill operator is executed, potentially leading to memory corruption. The vulnerability is present when Ghostscript processes untrusted PostScript data, including when used by applications such as ImageMagick, GraphicsMagick, evince, or Okular [2].
Exploitation
An attacker can exploit this vulnerability by providing a specially crafted PostScript file that uses the .shfill operator. No authentication is required, and the attack can be triggered remotely via actions as simple as downloading a file from a website or opening a malicious document [2]. Public exploit code exists for this vulnerability [2]. The attack can be carried out without requiring any special user interaction beyond opening the file.
Impact
Successful exploitation could lead to a crash (denial of service) or arbitrary code execution with the privileges of the Ghostscript process [1]. This allows an attacker to execute arbitrary commands with those privileges, potentially compromising the confidentiality, integrity, and availability of the system [2].
Mitigation
Artifex released a fix for this vulnerability on 2018-08-24 [1]. Red Hat Enterprise Linux 7 users should update to ghostscript-9.07-31.el7_6.1 [1]. Gentoo users should upgrade to ghostscript-gpl-9.26 [3]. There is no known workaround other than applying the patch or upgrading to a fixed version [3]. This vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 9.23
- osv-coords, 15 versions (no CPE):
  - pkg:rpm/opensuse/ghostscript&distro=openSUSE%20Tumbleweed, range: < 9.54.0-2.2
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Enterprise%20Storage%204, range: < 9.25-23.13.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3, range: < 9.25-23.13.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015, range: < 9.25-3.6.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSS, range: < 9.25-23.13.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL, range: < 9.25-23.13.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSS, range: < 9.25-23.13.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3, range: < 9.25-23.13.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%2012-LTSS, range: < 9.25-23.13.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1, range: < 9.25-23.13.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2, range: < 9.25-23.13.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3, range: < 9.25-23.13.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3, range: < 9.25-23.13.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20OpenStack%20Cloud%207, range: < 9.25-23.13.1
  - pkg:rpm/suse/libspectre&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015, range: < 0.2.8-3.2.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- access.redhat.com/errata/RHSA-2018:3650 (mitre, vendor-advisory, x_refsource_REDHAT)
- security.gentoo.org/glsa/201811-12 (mitre, vendor-advisory, x_refsource_GENTOO)
- usn.ubuntu.com/3768-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- git.ghostscript.com (mitre, x_refsource_MISC)
- git.ghostscript.com (mitre, x_refsource_MISC)
- www.securityfocus.com/bid/105178 (mitre, vdb-entry, x_refsource_BID)
- kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101 (mitre, x_refsource_CONFIRM)
- lists.debian.org/debian-lts-announce/2018/09/msg00015.html (mitre, mailing-list, x_refsource_MLIST)
- support.f5.com/csp/article/K24803507 (mitre, x_refsource_CONFIRM)
- www.kb.cert.org/vuls/id/332928 (mitre, x_refsource_MISC)