CVE-2019-14817
Description
Ghostscript before 9.50 allows SAFER mode bypass via .pdfexectoken and other procedures, enabling arbitrary file access and command execution from a crafted PostScript file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A flaw in Ghostscript versions prior to 9.50 allows specially crafted PostScript files to bypass the -dSAFER security restrictions [3]. The vulnerability resides in the .pdfexectoken procedure and other internal procedures that improperly handle privileged calls, exposing .forceput operators on the stack [3]. An attacker can exploit this to disable SAFER and gain unrestricted access to the file system or execute arbitrary commands [3]. All Ghostscript versions up to and including 9.27 are affected [3].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious PostScript file that invokes the .pdfexectoken procedure or similar routines, leveraging exposed .forceput operators to disable SAFER protections [3]. No authentication or special privileges are required; the attacker only needs to convince a user or automated process to process the malicious file with a vulnerable version of Ghostscript [3]. Once SAFER is disabled, the attacker can then execute arbitrary file operations or system commands [3].
Impact
Successful exploitation results in a complete compromise of confidentiality, integrity, and availability. An attacker can read, write, or delete arbitrary files on the system, and execute arbitrary commands with the privileges of the Ghostscript process [3]. This effectively bypasses the sandbox protections intended to restrict untrusted PostScript code [3].
Mitigation
A fix was released in Ghostscript version 9.50 [1][2][3]. Users should update to Ghostscript 9.50 or later. Red Hat has released updates for OpenShift Container Platform (RHBA-2019:2824 and RHSA-2019:2594) that include the patched Ghostscript [1][2]. Fedora package announcements have also been issued [4]. If updating is not immediately possible, avoid processing untrusted PostScript or PDF files with vulnerable Ghostscript versions.
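As an added, defender-side example (not code from this page's source bundle or from the Ghostscript project), the Python below triages an installed Ghostscript by parsing the first banner line of `gs -v` (assumed format `GPL Ghostscript 9.27 (2019-04-04)`) against the 9.50 upstream fix, and pre-screens an untrusted PostScript file for the privileged procedure names this CVE cites; the sample banners and PostScript are constructed. It compares upstream version numbers only: the distribution packages listed under Affected products below carry the fix at lower numbers such as 9.27-23.28.1, so for packaged builds the vendor advisory, not this check, is authoritative.

```python
import re
import subprocess

# Upstream version that closed CVE-2019-14817 (from the CVE description).
FIXED_UPSTREAM = (9, 50)

# Privileged procedures named in the CVE text. The description says "and other
# procedures", so this pre-screen is a heuristic, not a complete detector.
PRIVILEGED_TOKENS = (".pdfexectoken", ".forceput")


def parse_gs_version(banner):
    """Return (major, minor) from a `gs -v` banner (assumed format:
    'GPL Ghostscript 9.27 (2019-04-04)'). Raises ValueError if unrecognised."""
    m = re.search(r"Ghostscript\s+(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("unrecognised Ghostscript banner: %r" % banner)
    return int(m.group(1)), int(m.group(2))


def upstream_vulnerable(banner):
    """True when the upstream version in the banner predates the 9.50 fix."""
    return parse_gs_version(banner) < FIXED_UPSTREAM


def installed_gs_vulnerable(gs_binary="gs"):
    """Run `gs -v` locally; returns True/False, or None if gs is not runnable."""
    try:
        out = subprocess.run([gs_binary, "-v"], capture_output=True,
                             text=True, check=True, timeout=10).stdout
    except (OSError, subprocess.SubprocessError):
        return None
    return upstream_vulnerable(out)


def suspicious_tokens(ps_bytes):
    """Return the privileged procedure names found in a PostScript file.
    Ordinary documents have no business calling Ghostscript-internal
    procedures, so any hit is grounds to reject the file before rendering."""
    text = ps_bytes.decode("latin-1")  # PostScript is byte-oriented; no UTF-8 assumptions
    return [tok for tok in PRIVILEGED_TOKENS if tok in text]


if __name__ == "__main__":
    # Constructed sample: a file that references an internal privileged operator.
    sample = b"%!PS-Adobe-3.0\n/x { .forceput } def\nshowpage\n"
    print("installed gs vulnerable:", installed_gs_vulnerable())
    print("suspicious tokens in sample:", suspicious_tokens(sample))
```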
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < 9.50
- osv-coords (28 package versions):
  - pkg:rpm/opensuse/ghostscript&distro=openSUSE%20Leap%2015.0 (no CPE) range: < 9.27-lp150.2.23.1
  - pkg:rpm/opensuse/ghostscript&distro=openSUSE%20Leap%2015.1 (no CPE) range: < 9.27-lp151.3.6.1
  - pkg:rpm/opensuse/ghostscript&distro=openSUSE%20Tumbleweed (no CPE) range: < 9.54.0-2.2
  - pkg:rpm/opensuse/ghostscript-mini&distro=openSUSE%20Leap%2015.0 (no CPE) range: < 9.27-lp150.2.23.1
  - pkg:rpm/opensuse/ghostscript-mini&distro=openSUSE%20Leap%2015.1 (no CPE) range: < 9.27-lp151.3.6.1
  - pkg:rpm/suse/ghostscript&distro=HPE%20Helion%20OpenStack%208 (no CPE) range: < 9.27-23.28.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Enterprise%20Storage%204 (no CPE) range: < 9.27-23.28.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Enterprise%20Storage%205 (no CPE) range: < 9.27-23.28.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4 (no CPE) range: < 9.27-23.28.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015 (no CPE) range: < 9.27-3.21.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP1 (no CPE) range: < 9.27-3.21.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSS (no CPE) range: < 9.27-23.28.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL (no CPE) range: < 9.27-23.28.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSS (no CPE) range: < 9.27-23.28.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL (no CPE) range: < 9.27-23.28.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSS (no CPE) range: < 9.27-23.28.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4 (no CPE) range: < 9.27-23.28.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 (no CPE) range: < 9.27-23.28.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1 (no CPE) range: < 9.27-23.28.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2 (no CPE) range: < 9.27-23.28.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3 (no CPE) range: < 9.27-23.28.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4 (no CPE) range: < 9.27-23.28.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 (no CPE) range: < 9.27-23.28.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4 (no CPE) range: < 9.27-23.28.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 (no CPE) range: < 9.27-23.28.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20OpenStack%20Cloud%207 (no CPE) range: < 9.27-23.28.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20OpenStack%20Cloud%208 (no CPE) range: < 9.27-23.28.1
  - pkg:rpm/suse/ghostscript&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 (no CPE) range: < 9.27-23.28.1
- Range: ghostscript versions prior to 9.28
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html (vendor advisory, x_refsource_SUSE, via MITRE)
- lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.html (vendor advisory, x_refsource_SUSE, via MITRE)
- access.redhat.com/errata/RHBA-2019:2824 (vendor advisory, x_refsource_REDHAT, via MITRE)
- access.redhat.com/errata/RHSA-2019:2594 (vendor advisory, x_refsource_REDHAT, via MITRE)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AATIHU32MYKUOXQDJQU4X4DDVL7NAY3/ (vendor advisory, x_refsource_FEDORA, via MITRE)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBUC4DBBJTRFNCR3IODBV4IXB2C2HI3V/ (vendor advisory, x_refsource_FEDORA, via MITRE)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZP34D27RKYV2POJ3NJLSVCHUA5V5C45A/ (vendor advisory, x_refsource_FEDORA, via MITRE)
- security.gentoo.org/glsa/202004-03 (vendor advisory, x_refsource_GENTOO, via MITRE)
- www.debian.org/security/2019/dsa-4518 (vendor advisory, x_refsource_DEBIAN, via MITRE)
- git.ghostscript.com (x_refsource_CONFIRM, via MITRE)
- bugzilla.redhat.com/show_bug.cgi (x_refsource_CONFIRM, via MITRE)
- lists.debian.org/debian-lts-announce/2019/09/msg00007.html (mailing list, x_refsource_MLIST, via MITRE)
- seclists.org/bugtraq/2019/Sep/15 (mailing list, x_refsource_BUGTRAQ, via MITRE)
News mentions
No linked articles in our index yet.