CVE-2023-46751 – A use-after-free vulnerability in Ghostscript's... (How to Fix)

Q: What is the severity of CVE-2023-46751?

CVE-2023-46751 has a CVSS score of 7.5 (HIGH). A use-after-free vulnerability in Ghostscript's gdev_prn_open_printer_seekable() function allows remote attackers to crash the application via a dangling pointer. This affects all systems running vulnerable versions of Ghostscript that process untrusted PostScript or PDF files. The vulnerability can be triggered by processing malicious documents.

📋 TL;DR

A use-after-free vulnerability in Ghostscript's gdev_prn_open_printer_seekable() function allows remote attackers to crash the application via a dangling pointer. This affects all systems running vulnerable versions of Ghostscript that process untrusted PostScript or PDF files. The vulnerability can be triggered by processing malicious documents.

💻 Affected Systems

Products:

Artifex Ghostscript

Versions: All versions through 10.02.0

Operating Systems: Linux, Windows, macOS, BSD, All Unix-like systems

Default Config Vulnerable: ⚠️ Yes

Notes: Any system using Ghostscript to process PostScript, PDF, or other supported formats is vulnerable. Common in document conversion services, print servers, and web applications.

📦 What is this software?

Ghostscript by Artifex

View all CVEs affecting Ghostscript →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise if combined with other vulnerabilities, though this specific CVE primarily causes crashes.

🟠

Likely Case

Denial of service through application crashes when processing malicious documents, potentially disrupting document processing services.

🟢

If Mitigated

Limited to application crashes with proper sandboxing and input validation in place.

🌐 Internet-Facing: HIGH - Ghostscript is commonly used in web applications for document processing, making internet-facing systems vulnerable to remote attacks.

🏢 Internal Only: MEDIUM - Internal systems processing user-uploaded documents remain vulnerable to insider threats or compromised internal users.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Proof of concept available in bug reports. Exploitation requires sending a malicious document to be processed by Ghostscript.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.02.1 and later

Vendor Advisory: https://ghostscript.com/

Restart Required: Yes

Instructions:

1. Update Ghostscript to version 10.02.1 or later. 2. For Linux: Use package manager (apt-get update && apt-get upgrade ghostscript). 3. For Windows: Download latest installer from ghostscript.com. 4. Restart all services using Ghostscript.

🔧 Temporary Workarounds

Disable Ghostscript processing

all

Temporarily disable Ghostscript-based document processing until patched

systemctl stop ghostscript-services
disable document conversion features in applications

Sandbox Ghostscript execution

linux

Run Ghostscript in a container or sandboxed environment

docker run --security-opt no-new-privileges ghostscript
Use SELinux/AppArmor policies

🧯 If You Can't Patch

Implement strict input validation for all document uploads
Isolate Ghostscript processes with minimal privileges and network access

🔍 How to Verify

Check if Vulnerable:

Run: gs --version | grep -q '10\.0[0-2]\.0' && echo 'VULNERABLE'

Check Version:

gs --version

Verify Fix Applied:

Run: gs --version | grep -q '10\.02\.1' && echo 'PATCHED'

📡 Detection & Monitoring

Log Indicators:

Ghostscript crash logs
Segmentation fault errors in system logs
Abnormal process termination

Network Indicators:

Multiple failed document processing requests
Unusual document upload patterns

SIEM Query:

process_name:"gs" AND (event_type:"crash" OR exit_code:139)

📊 Metadata

CVE ID: CVE-2023-46751

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-416

Published: December 6, 2023

Last Updated: November 21, 2024

🔗 References

https://bugs.ghostscript.com/show_bug.cgi?id=707264 Permissions Required
https://ghostscript.com/ Product
https://git.ghostscript.com/?p=ghostpdl.git%3Ba=commit%3Bh=dcdbc595c13c9d11d235702dff46bb74c80f7698 Broken Link
https://www.debian.org/security/2023/dsa-5578
https://bugs.ghostscript.com/show_bug.cgi?id=707264 Permissions Required
https://ghostscript.com/ Product
https://git.ghostscript.com/?p=ghostpdl.git%3Ba=commit%3Bh=dcdbc595c13c9d11d235702dff46bb74c80f7698 Broken Link
https://www.debian.org/security/2023/dsa-5578

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-46751, you might also want to check these: