CVE-2022-35649
📋 TL;DR
This critical Moodle vulnerability allows remote code execution through improper PostScript parsing in GhostScript. Attackers can exploit it to take complete control of vulnerable Moodle instances. Organizations running Moodle with GhostScript versions older than 9.50 are affected.
💻 Affected Systems
- Moodle
📦 What is this software?
Fedora by Fedoraproject
Moodle by Moodle
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary code, steal data, install malware, and pivot to other systems.
Likely Case
Remote code execution leading to data theft, defacement, or ransomware deployment on the Moodle server.
If Mitigated
Limited impact if proper network segmentation, WAF rules, and least privilege principles are implemented.
🎯 Exploit Status
Exploitation requires uploading malicious PostScript files to Moodle. The vulnerability is in the parsing mechanism, making exploitation straightforward once the attack vector is identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Moodle versions with commit MDL-75044
Vendor Advisory: https://moodle.org/mod/forum/discuss.php?d=436456
Restart Required: No
Instructions:
1. Update Moodle to the latest version containing the fix for MDL-75044.
2. Alternatively, update GhostScript to version 9.50 or newer.
3. Apply the patch from the Moodle git repository if manual patching is required.
🔧 Temporary Workarounds
Disable GhostScript in Moodle
Platform: all
Prevent Moodle from using GhostScript for document processing
Edit Moodle config.php and set: $CFG->pathtogs = false;
Update GhostScript System Package
Platform: linux
Update GhostScript to version 9.50 or newer
Debian/Ubuntu: sudo apt update && sudo apt install --only-upgrade ghostscript
RHEL/CentOS/Fedora: sudo yum update ghostscript
🧯 If You Can't Patch
- Implement strict file upload restrictions to block PostScript files
- Deploy WAF rules to detect and block PostScript file uploads and suspicious parsing attempts
🔍 How to Verify
Check if Vulnerable:
Check GhostScript version: ghostscript --version. If version is older than 9.50 and Moodle uses GhostScript, the system is vulnerable.
Check Version:
ghostscript --version
Verify Fix Applied:
Verify GhostScript version is 9.50+ and Moodle has been updated to include the MDL-75044 fix.
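The check above as a script, added here as an example and not taken from Moodle or the vendor advisory: it applies the rule "GhostScript older than 9.50 and Moodle uses GhostScript" to a version string and a config.php. Assumptions: the binary is installed as gs, the config.php path is supplied by the operator, and a config.php without the workaround line is treated as using GhostScript.

```sh
#!/bin/sh
# Added example: applies this page's "Check if Vulnerable" rule.
FIXED_GS="9.50"   # first GhostScript version this page lists as not affected

# gs_older_than VERSION THRESHOLD: succeeds when VERSION < THRESHOLD.
# Major and minor are compared as numbers, so 9.06 < 9.50 < 10.02.1.
gs_older_than() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 2; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1   # equal versions: not older
    }'
}

# moodle_gs_disabled CONFIG: succeeds when config.php holds an active
# (uncommented) line with the page's workaround: $CFG->pathtogs = false;
moodle_gs_disabled() {
    grep -Eiq '^[[:space:]]*\$CFG->pathtogs[[:space:]]*=[[:space:]]*false[[:space:]]*;' "$1"
}

# assess VERSION CONFIG: prints one verdict word.
assess() {
    if ! gs_older_than "$1" "$FIXED_GS"; then
        echo "gs-version-ok"
    elif moodle_gs_disabled "$2"; then
        echo "gs-disabled"
    else
        echo "vulnerable"
    fi
}

# Stand-alone use: sh check.sh /path/to/moodle/config.php  (path is a placeholder)
if [ -n "${1:-}" ] && command -v gs >/dev/null 2>&1; then
    assess "$(gs --version)" "$1"
fi
```

A "gs-version-ok" verdict covers only the GhostScript side; whether the Moodle code includes the MDL-75044 fix still has to be confirmed separately.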
📡 Detection & Monitoring
Log Indicators:
- Unusual PostScript file uploads to Moodle
- GhostScript process crashes or abnormal behavior
- Suspicious system commands executed from web server context
Network Indicators:
- POST requests with PostScript file uploads to Moodle endpoints
- Outbound connections from Moodle server to suspicious IPs
SIEM Query:
source="moodle_logs" AND (file_extension="ps" OR file_extension="eps" OR file_extension="ai")
🔗 References
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75044
- https://bugzilla.redhat.com/show_bug.cgi?id=2106273
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MOKYVRNFNAODP2XSMGJ5CRDUZCZKAR3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTKUSFPSYFINSQFSOHDQIDVE6FWBEU6V/
- https://moodle.org/mod/forum/discuss.php?d=436456