Sid 1-47882

Message

FILE-OTHER Ghostscript -dSAFER sandbox bypass attempt

Summary

This event is generated when malicious PostScript attempts to perform command injection in Ghostscript.

Impact

Attempted Administrator Privilege Gain

CVE-2018-16509:

CVSS base score 7.8

CVSS impact score 5.9

CVSS exploitability score 1.8

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Detailed information

CVE-2018-16509: An issue was discovered in Artifex Ghostscript before 9.24. Incorrect "restoration of privilege" checking during handling of /invalidaccess exceptions could be used by attackers able to supply crafted PostScript to execute code using the "pipe" instruction.

Affected systems

  • artifex ghostscript 8_64
  • canonical ubuntu_linux 14.04
  • canonical ubuntu_linux 16.04
  • canonical ubuntu_linux 18.04
  • debian debian_linux 8.0
  • debian debian_linux 9.0
  • redhat enterpriselinuxdesktop 7.0
  • redhat enterpriselinuxserver 7.0
  • redhat enterpriselinuxserver_eus 7.5
  • redhat enterpriselinuxworkstation 7.0

Ease of attack

CVE-2018-16509:

Access Vector

Access Complexity

Authentication

False positives

False negatives

Corrective action

Contributors

  • Cisco's Talos Intelligence Group

Additional References