CVE-2019-14812

Vulnerability

A flaw exists in all Ghostscript versions 9.x before 9.50 [1]. The .setuserparams2 procedure does not properly secure its privileged calls, enabling scripts to bypass -dSAFER restrictions [1]. When hooking errors, certain ephemeral routines in .setuserparams2 can expose the .forceput operator, which can be used to modify system parameters and disable security protections [2]. The vulnerable code path is reachable via setuserparams [2].

Exploitation

An attacker needs to provide a specially crafted PostScript file to a target using a vulnerable Ghostscript version [1]. The attacker must have a way to invoke Ghostscript with the malicious file, such as through a service that processes uploaded files or email attachments. No authentication or special network position is required beyond the ability to upload or deliver the PostScript file. The exploit sequence involves triggering .setuserparams2 via setuserparams, which then exposes .forceput to disable -dSAFER and then access the file system or execute arbitrary commands [2].

Impact

Successful exploitation allows an attacker to bypass -dSAFER restrictions, leading to access to the file system or arbitrary command execution [1]. The attacker gains the ability to read, write, or execute files outside the restricted area, potentially leading to full system compromise depending on the privileges of the Ghostscript process [1][2].

Mitigation

Upgrade to Ghostscript version 9.50 or later, which contains the fix [1][2]. The upstream fix can be found in commit 885444fcbe10dc42787ecb76686c8ee4dd33bf33 [2]. No workaround is available for unpatched versions. Red Hat also provides mitigation guidance in their advisory for CVE-2018-16509 [2].