First published 24 July 2023

CVSS 3.1: 7.8 (High)

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

A vulnerability has been discovered in Ghostscript, a PostScript and PDF library used in IGEL OS. This affects the following IGEL products:

  • IGEL OS 12
  • IGEL OS 11

Details

A security issue rated high has been found in Ghostscript (CVE-2023-36664). The software mishandles permission validation for pipe devices (file names with the %pipe% prefix or the | pipe character prefix). An attacker can abuse this to achieve command execution through malformed documents that Ghostscript processes, e.g. PostScript, PDF and EPS files.
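For triage of documents that arrive from outside before they reach a Ghostscript-backed print or preview path, a defender can scan the file for the two prefixes the advisory names. The following is an added example written for this page; it is not IGEL or Ghostscript code. It assumes PostScript string literals in parentheses, inflates Flate-compressed PDF streams so a reference hidden in a content stream is not missed, and uses constructed sample inputs with the placeholder text "placeholder" rather than any real command.

```python
import re
import zlib

# PostScript string literal whose content begins with the %pipe% device
# prefix or the bare "|" prefix named in the advisory. Escaped or nested
# parentheses are not handled: this is a triage check, not a tokenizer.
PIPE_DEVICE_REF = re.compile(rb"\((?:%pipe%|\|)[^)]{0,200}\)")

# PDF content streams are usually Flate-compressed, so a raw byte search
# would miss a reference stored inside one; inflate them before scanning.
PDF_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def inflate_pdf_streams(data: bytes) -> list[bytes]:
    """Return the decompressed body of every Flate-encoded PDF stream."""
    inflated = []
    for match in PDF_STREAM.finditer(data):
        try:
            inflated.append(zlib.decompress(match.group(1)))
        except zlib.error:
            # Uncompressed or non-Flate stream; the raw scan already covers it.
            continue
    return inflated


def find_pipe_device_refs(data: bytes) -> list[str]:
    """List every %pipe% or | string literal in the raw bytes and in inflated streams."""
    sources = [data] + inflate_pdf_streams(data)
    return [
        match.group(0).decode("latin-1")
        for source in sources
        for match in PIPE_DEVICE_REF.finditer(source)
    ]


def is_suspicious(data: bytes) -> bool:
    """True when the document should be held back from Ghostscript processing."""
    return bool(find_pipe_device_refs(data))


def scan_file(path: str) -> list[str]:
    """Scan a file on disk; returns the matching literals, empty when clean."""
    with open(path, "rb") as fh:
        return find_pipe_device_refs(fh.read())


# Constructed sample inputs (not taken from the advisory or any real file).
BENIGN_PS = (
    b"%!PS-Adobe-3.0\n"
    b"/Helvetica findfont 12 scalefont setfont\n"
    b"72 72 moveto (Hello, printer) show\n"
    b"showpage\n"
)
SUSPICIOUS_PS = (
    b"%!PS-Adobe-3.0\n"
    b"(%pipe%placeholder)\n"
    b"(|placeholder)\n"
    b"showpage\n"
)
# A minimal PDF fragment whose only content stream is Flate-compressed.
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n4 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(b"(%pipe%placeholder)")
    + b"\nendstream\nendobj\n"
)

if __name__ == "__main__":
    samples = [("benign.ps", BENIGN_PS), ("suspicious.ps", SUSPICIOUS_PS),
               ("suspicious.pdf", SUSPICIOUS_PDF)]
    for name, sample in samples:
        print(name, "->", find_pipe_device_refs(sample) or "no pipe device references")
```

This check only covers plain PostScript text and Flate-compressed PDF streams; other stream filters (LZW, ASCII85, encrypted PDFs) are not inflated, so a clean result is not proof of a safe file. It is a stop-gap for the interval the advisory describes; the durable fix is the updated firmware listed under Update Instructions.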

Mitigation

  • General: Until this issue is fixed, print and view only documents from trustworthy sources.
  • OS 11: If local printing from IGEL OS is not needed, you can remove Ghostscript from the system using a UMS profile:
    1. In Setup, go to System > Firmware Customization > Features.
    2. Disable the entries for Printing (Internet Printing Protocol CUPS), PrinterLogic, and NoMachine NX.
    3. Apply and Save the changes.
    4. Reboot the devices.

Update Instructions

  • OS 12: Update the IGEL OS Base System app to version 12.02.100 (available in September 2023)
  • OS 11: Update to IGEL OS 11.09.100 (available in September 2023)

References