CVE-2017-8291 : Artifex Ghostscript through 2017-04-26 allows -dSAFER bypass and remote command

Products affected by CVE-2017-8291

Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Desktop » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Desktop » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Eus » Version: 7.3
cpe:2.3:o:redhat:enterprise_linux_eus:7.3:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Eus » Version: 7.4
cpe:2.3:o:redhat:enterprise_linux_eus:7.4:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Eus » Version: 7.5
cpe:2.3:o:redhat:enterprise_linux_eus:7.5:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Eus » Version: 7.6
cpe:2.3:o:redhat:enterprise_linux_eus:7.6:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Eus » Version: 7.7
cpe:2.3:o:redhat:enterprise_linux_eus:7.7:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Workstation » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Workstation » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Aus » Version: 7.3
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Aus » Version: 7.4
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Aus » Version: 7.6
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Aus » Version: 7.7
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Tus » Version: 7.3
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.3:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Tus » Version: 7.6
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Tus » Version: 7.7
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:*:*:*:*:*:*:*
Matching versions
Artifex » Ghostscript
Versions before (<) 9.21
cpe:2.3:a:artifex:ghostscript:*:*:*:*:*:*:*:*
Matching versions

CVE-2017-8291 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:

Artifex Ghostscript Type Confusion Vulnerability

CISA required action:

Apply updates per vendor instructions.

CISA description:

Artifex Ghostscript allows -dSAFER bypass and remote command execution via .rsdparams type confusion with a "/OutputFile.

Notes:

https://nvd.nist.gov/vuln/detail/CVE-2017-8291

Added on 2022-05-24 Action due date 2022-06-14

Exploit prediction scoring system (EPSS) score for CVE-2017-8291

EPSS FAQ

92.68%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 100 %

Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2017-8291

Ghostscript Type Confusion Arbitrary Command Execution

Disclosure Date: 2017-04-27

First seen: 2020-04-26

exploit/unix/fileformat/ghostscript_type_confusion

This module exploits a type confusion vulnerability in Ghostscript that can be exploited to obtain arbitrary command execution. This vulnerability affects Ghostscript versions 9.21 and earlier and can be exploited through libraries such as ImageMagick and Pillow.

More information

CVSS scores for CVE-2017-8291

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
7.8	HIGH	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	1.8	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-02-04
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	1.8	5.9	NIST	2024-07-02
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2017-8291

CWE-704 Incorrect Type Conversion or Cast

The product does not correctly convert an object, resource, or structure from one type to a different type.

Assigned by: nvd@nist.gov (Primary)
CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')

The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2017-8291

http://www.securityfocus.com/bid/98476

Ghostscript CVE-2017-8291 Multiple Remote Code Execution Vulnerabilities
Broken Link;Third Party Advisory;VDB Entry
https://bugzilla.suse.com/show_bug.cgi?id=1036453

Bug 1036453 – VUL-0: CVE-2017-8291: ghostscript,ghostscript-library: Artifex Ghostscript through 2017-04-26 allows -dSAFER bypass and remotecommand execution via a "/Ou...
Exploit;Issue Tracking;Third Party Advisory;VDB Entry
https://security.gentoo.org/glsa/201708-06

GPL Ghostscript: Multiple vulnerabilities (GLSA 201708-06) — Gentoo security
Third Party Advisory

CVEs referencing this url
http://openwall.com/lists/oss-security/2017/04/28/2

oss-security - Re: CVE-2017-8291 ghostscript remote code execution
Mailing List;Patch;Third Party Advisory
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=04b37bbce174eed24edec7ad5b920eb93db4d47d

git.ghostscript.com Git - ghostpdl.git/commit
Patch;Vendor Advisory
https://access.redhat.com/errata/RHSA-2017:1230

RHSA-2017:1230 - Security Advisory - Red Hat Customer Portal
Third Party Advisory
https://www.exploit-db.com/exploits/41955/

Ghostscript 9.21 - Type Confusion Arbitrary Command Execution (Metasploit)
Exploit;Third Party Advisory;VDB Entry
https://bugs.ghostscript.com/show_bug.cgi?id=697808

697808 – %pipe% security issue
Issue Tracking;Third Party Advisory;VDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=1446063

1446063 – (CVE-2017-8291) CVE-2017-8291 ghostscript: corruption of operand stack
Issue Tracking;Patch;Third Party Advisory;VDB Entry
http://www.debian.org/security/2017/dsa-3838

Debian -- Security Information -- DSA-3838-1 ghostscript
Mailing List;Third Party Advisory

CVEs referencing this url
https://git.ghostscript.com/?p=ghostpdl.git%3Ba=commit%3Bh=04b37bbce174eed24edec7ad5b920eb93db4d47d

git.ghostscript.com Git
Broken Link

Vulnerability Details : CVE-2017-8291