CVE-2023-43115
📋 TL;DR
This vulnerability in Artifex Ghostscript allows remote code execution via specially crafted PostScript documents. Attackers can bypass SAFER restrictions by switching to the IJS device or modifying IjsServer parameters after SAFER activation. Systems processing untrusted PostScript files with Ghostscript versions through 10.01.2 are affected.
💻 Affected Systems
- Artifex Ghostscript
- GhostPDL
📦 What is this software?
Fedora by Fedoraproject
Ghostscript by Artifex
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining the same privileges as the Ghostscript process, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Remote code execution on systems processing malicious PostScript files, allowing attackers to execute arbitrary commands, install malware, or pivot to other systems.
If Mitigated
Limited impact if Ghostscript runs with minimal privileges, in sandboxed environments, or only processes trusted documents.
🎯 Exploit Status
Exploitation requires delivering a malicious PostScript document to a vulnerable system. The vulnerability bypasses SAFER restrictions that should prevent command execution.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.02.0 and later
Vendor Advisory: https://ghostscript.com/
Restart Required: No
Instructions:
1. Download Ghostscript 10.02.0 or later from https://ghostscript.com/releases/.
2. Follow installation instructions for your platform.
3. Replace existing Ghostscript binaries with patched versions.
4. Test document processing functionality.
🔧 Temporary Workarounds
Disable IJS device
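Platform: all. Prevent Ghostscript from using the IJS device by removing or restricting access to IJS-related configuration. The command below checks whether the ijs device is compiled into the installed build by searching the device list that gs -h prints:
gs -h 2>&1 | grep -iw ijs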
Run with minimal privileges
Platform: linux. Execute Ghostscript with restricted user permissions to limit potential damage from exploitation.
sudo -u nobody gs [options]
🧯 If You Can't Patch
- Implement strict input validation to reject suspicious PostScript documents
- Run Ghostscript in containerized or sandboxed environments with network restrictions
🔍 How to Verify
Check if Vulnerable:
Check the Ghostscript version: gs --version. If the version is 10.01.2 or earlier, the system is vulnerable.
Check Version:
gs --version
Verify Fix Applied:
After patching, verify version is 10.02.0 or later: gs --version
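The version check above, combined with a look at the "Available devices:" list printed by gs -h, as an added example that is not part of the original advisory. The function names and the SAMPLE_HELP text are constructed for illustration; the sample is used only when gs is not installed on the host running the script.

```shell
# Added example: triage a host for CVE-2023-43115 from `gs --version` and `gs -h`.
FIXED_VERSION="10.02.0"   # first patched release named in the advisory above
# Constructed, abridged sample of `gs -h` output for hosts without gs installed.
SAMPLE_HELP='GPL Ghostscript 10.01.2
Available devices:
   bbox ijs jpeg pdfwrite
   png16m txtwrite
Search path:
   /usr/share/ghostscript'

# Succeeds (exit 0) when version $1 is numerically older than version $2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0   # "+ 0" makes "01" compare as 1
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Print vulnerable / patched / unknown for a `gs --version` string.
classify_gs_version() {
    case "$1" in
        ''|*[!0-9.]*) echo unknown; return 0 ;;
    esac
    if version_lt "$1" "$FIXED_VERSION"; then echo vulnerable; else echo patched; fi
}

# Read `gs -h` output on stdin; succeed if ijs is in the "Available devices:" list.
has_ijs_device() {
    awk '/^Available devices:/ { in_list = 1; next }
         /^[^ \t]/             { in_list = 0 }
         in_list { for (i = 1; i <= NF; i++) if ($i == "ijs") found = 1 }
         END { exit (found ? 0 : 1) }'
}

report() {   # $1 = version string, stdin = `gs -h` text
    if has_ijs_device; then ijs="IJS device built in"; else ijs="IJS device not listed"; fi
    echo "Ghostscript $1: $(classify_gs_version "$1"); $ijs"
}

if command -v gs >/dev/null 2>&1; then
    gs -h 2>&1 | report "$(gs --version 2>/dev/null || true)"
else
    printf '%s\n' "$SAMPLE_HELP" | report "10.01.2"
fi
```

A result of "unknown" means the version string contained something other than digits and dots and should be checked by hand.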
📡 Detection & Monitoring
Log Indicators:
- Unusual Ghostscript process spawning child processes
- IJS device activation in Ghostscript logs
- Multiple failed document processing attempts
Network Indicators:
- Unexpected outbound connections from Ghostscript processes
- Network traffic to unusual ports from document processing systems
SIEM Query:
process_name:"gs" AND (child_process_count > 2 OR command_line:"ijs")
🔗 References
- https://bugs.ghostscript.com/show_bug.cgi?id=707051
- https://ghostscript.com/
- https://git.ghostscript.com/?p=ghostpdl.git%3Ba=commit%3Bh=e59216049cac290fb437a04c4f41ea46826cfba5
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IK3UXJ5HKMPAL5EQELJAWSRPA2AUOJJO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PG5AQV7JOL5TAU76FWPJCMSKO5DREKV5/