CVE-2020-27605

9.8 CRITICAL

📋 TL;DR

CVE-2020-27605 is a critical vulnerability in BigBlueButton that allows remote code execution through malicious EPS files. Attackers can exploit Ghostscript's weak sandbox to execute arbitrary code on the server. All BigBlueButton instances up to version 2.2.28 that process uploaded documents are affected.

💻 Affected Systems

Products:
  • BigBlueButton
Versions: through 2.2.28
Operating Systems: All platforms running BigBlueButton
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable when EPS file uploads are enabled (default configuration).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise allowing attackers to execute arbitrary commands, access sensitive data, and pivot to other systems in the network.

🟠 Likely Case

Remote code execution leading to data theft, installation of backdoors, or disruption of BigBlueButton services.

🟢 If Mitigated

Limited impact if proper file upload restrictions and network segmentation are in place, though RCE risk remains.

🌐 Internet-Facing: HIGH - BigBlueButton is typically internet-facing for remote collaboration, making it directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal instances are still vulnerable but require internal network access for exploitation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires uploading a malicious EPS file, which can be done by any user with upload permissions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.29 and later

Vendor Advisory: https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.2.29

Restart Required: Yes

Instructions:

1. Back up your BigBlueButton configuration and data.
2. Update to version 2.2.29 or later using your package manager.
3. Restart all BigBlueButton services.
4. Verify the update was successful.

🔧 Temporary Workarounds

Disable EPS file uploads

Platform: all

Prevent processing of EPS files by disabling upload functionality for EPS documents.

Modify BigBlueButton configuration to reject EPS file uploads at the application level.

Update Ghostscript

Platform: linux

Update Ghostscript to a version with improved sandboxing if available.

apt-get update && apt-get upgrade ghostscript
yum update ghostscript

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate BigBlueButton servers from critical systems.
  • Deploy web application firewall (WAF) rules to block EPS file uploads and monitor for exploitation attempts.

🔍 How to Verify

Check if Vulnerable:

Check BigBlueButton version: if version is 2.2.28 or earlier, the system is vulnerable.

Check Version:

dpkg -l | grep bigbluebutton | grep -E '^ii' | awk '{print $3}'

Verify Fix Applied:

Verify BigBlueButton version is 2.2.29 or later and test that EPS file uploads are properly handled.
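To make the version check above repeatable, the following added example (not from the advisory or the BigBlueButton project) classifies a version string as affected (through 2.2.28) or fixed (2.2.29 and later), using dpkg's comparison rules so Debian revisions such as "2.2.28-1" are handled correctly. It assumes the package is named "bigbluebutton" in dpkg, as the advisory's own check does.

```shell
#!/bin/sh
# Added example, not part of the original advisory: decide whether a
# BigBlueButton version is in the range affected by CVE-2020-27605.

FIXED_VERSION="2.2.29"

# bbb_version_affected VERSION
# Returns 0 when VERSION is older than the fixed release, 1 when it is
# fixed, 2 when no version was supplied.
bbb_version_affected() {
  ver="$1"
  [ -n "$ver" ] || { echo "usage: bbb_version_affected VERSION" >&2; return 2; }
  if command -v dpkg >/dev/null 2>&1; then
    # dpkg understands epochs and "-N" revisions, e.g. "2.2.28-1" < "2.2.29".
    if dpkg --compare-versions "$ver" lt "$FIXED_VERSION"; then return 0; else return 1; fi
  fi
  # Fallback without dpkg: strip any revision suffix and compare the dotted
  # numeric part with a version-aware sort.
  base=$(printf '%s' "$ver" | sed 's/[^0-9.].*$//')
  lowest=$(printf '%s\n%s\n' "$base" "$FIXED_VERSION" | sort -V | head -n 1)
  [ "$lowest" != "$FIXED_VERSION" ]
}

# installed_bbb_version
# Prints the installed package version (empty if not installed or no dpkg).
installed_bbb_version() {
  command -v dpkg-query >/dev/null 2>&1 || return 1
  dpkg-query -W -f='${Version}' bigbluebutton 2>/dev/null
}

# Stand-alone use: ./check.sh --check-installed
if [ "${1:-}" = "--check-installed" ]; then
  v=$(installed_bbb_version)
  if [ -z "$v" ]; then
    echo "bigbluebutton package not found via dpkg"; exit 2
  elif bbb_version_affected "$v"; then
    echo "bigbluebutton $v: AFFECTED by CVE-2020-27605 (upgrade to >= $FIXED_VERSION)"; exit 1
  else
    echo "bigbluebutton $v: not affected (>= $FIXED_VERSION)"; exit 0
  fi
fi
```

The non-zero exit codes let the script be dropped into a cron job or configuration-management check that alerts on any host still reporting an affected version.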

📡 Detection & Monitoring

Log Indicators:

  • Unusual EPS file uploads
  • Ghostscript process crashes or errors
  • Suspicious command execution in system logs

Network Indicators:

  • Unexpected outbound connections from BigBlueButton server
  • Large EPS file uploads

SIEM Query:

source="bigbluebutton" AND (file_type="eps" OR process="ghostscript")
