Critical Ghostscript Vulnerability Exposes Systems: Immediate Update Recommended
IT professionals and security-conscious users should take note of a critical vulnerability (CVE-2020-36773) found in older versions of Ghostscript, a software interpreter widely used for handling PostScript and PDF files. Successful exploitation of this flaw could enable attackers to execute arbitrary code or cause denial-of-service conditions.
Understanding the Impact
Ghostscript’s presence in numerous desktop applications and Linux distributions significantly broadens the potential attack surface. Due to its role in document rendering and printing processes, this vulnerability could be triggered by opening a specially crafted PDF or PostScript file with vulnerable software, such as:
- LibreOffice
- GIMP
- Inkscape
- ImageMagick
- CUPS printing system
Severity and Mitigation
The National Institute of Standards and Technology (NIST) has assigned CVE-2020-36773 a base score of 9.8 (out of 10) under the CVSS v3.1 system, classifying it as “Critical.”
“Artifex Ghostscript before 9.53.0 has an out-of-bounds write and use-after-free in devices/vector/gdevtxtw.c (for txtwrite) because a single character code in a PDF document can map to more than one Unicode code point (e.g., for a ligature),” reads the vulnerability description.
Fortunately, Artifex Software addressed this vulnerability in Ghostscript 9.53.0 and GhostPDL 9.53.0, released in September 2020. The latest version, Ghostscript 10.02.1 (November 2023), provides the most up-to-date protection.
Call to Action
Organizations and individuals should take the following steps immediately:
- Assess Systems: Identify systems and applications utilizing Ghostscript.
- Prioritize Updates: Promptly update all instances of Ghostscript to version 9.53.0 or later.
- Exercise Caution: Maintain heightened vigilance when handling PDF or PostScript files from untrusted sources.
- Patch Regularly: Adopt a continuous patching strategy to minimize exposure to future vulnerabilities.
