Ghost Script Vulnerabilities

Background

There have been numerous Ghost Script vulnerabilities identified over the years. Some PaperCut products use GhostScript as 3rd party libraries, and are then flagged as vulnerable when performing vulnerability scans.

The benefits of GhostTrap

If you’re using GhostTrap, then you have significant protection against GhostScript exploits.

Why? Back in 2012 the PaperCut engineering team discovered a number of bugs in GhostScript that could potentially lead to vulnerabilities, and these were reported to the GhostScript team at the time.  With our security focused mindset this worried us so we started a new open-source project called GhostTrap . GhostTrap brings best of breed sandboxing technology out of Google Chrome to protect against issues that may exist with the GhostScript code. All of PaperCut’s products and setup documentation for Windows platforms use GhostTrap, and we can confirm that we have reviewed recent exploits and checked that the sandboxing measures of GhostTrap offer the protection as expected.

In line with best practice we will continue to update GhostTrap in the future however NO urgent action is required. For organisations running Linux and macOS servers, if the inbuilt GhostScript is utilised, we recommend making sure the OS system updates are being applied.

For reference, GhostTrap versions use the following GhostScript libraries:

See the Ghost Trap release history page for more detail.

Ghost Script vulnerabilities

Where do I download the latest GhostTrap from?

Download GhostTrap (for Windows platforms) by following the instructions for the feature that you’re using GhostTrap with.

For example:

• Using a Mobility Print Server .
• Using the Print Archiving feature within PaperCut MF or NG.
• Using a locally hosted document processing server (OCR and other scan processing features).

Otherwise you can download the latest GhostTrap installer.exe directly, or head to the download section of the GhostTrap project page .

When would I be using GhostScript, without the protection of GhostTrap?

Because GhostTrap is Windows only, you may have installed GhostScript, without the protection of GhostTrap if you are:

• Running Mobility Print Server on macOS or Linux .
• Using the Print Archiving feature within PaperCut MF or NG, on macOS or Linux.

In these cases we highly recommend following your organization’s security best practices to ensure that the version installed is kept up to date. Some Linux distributions or package managers will allow you to install GhostScript as well as keeping it up to date automatically. 

Other products or features that use GhostTrap include:

• Locally hosted document processing server (OCR and other scan processing features).
• Edge Node (client software) used in PaperCut Hive and PaperCut Pocket .

Mobility Print - advanced configuration (not recommended)

Mobility Print versions 1.0.3461 or later (on Windows) use the latest GhostTrap based on Ghostscript 9.27 at this time. You can configure Mobility Print to use your chosen distribution of Ghostscript by following the steps below, however this is not recommended.

macOS and Linux

Ensure you’re using the latest version of Ghostscript available, which would have been installed as part of the Mobility Print setup steps.

Windows

If you already have GhostTrap installed as documented in the Mobility Print setup steps, then proceed with the following. Otherwise first install Ghost Trap and then continue with the instructions below:

You’ll need to install the latest Ghostscript version on top of the GhostTrap installation, and update the registry to use that newly installed version.

Note that following these steps means that you will be responsible for maintaining updates for Ghostscript and will also lose any protections from the Chromium sandboxing as discussed above.

1. Download the latest Ghostscript for Windows installer from here. This will install to, e.g., C:\Program Files\gs\gs9.55.0
2. Copy the GhostScript binary in the bin folder (gswin64c.exe) to gsc-trapped.exe. Note: make a copy so that you land up with both the original gswin64c.exe and the new copy named gsc-trapped.exe.
3. Head into the registry and find: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\GhostTrap
4. Update InstallPath to: C:\Program Files\gs\gs9.55.0 (or wherever you installed the new Ghostscript binaries to)
5. Delete the folder C:\Program Files (x86)\GhostTrap (this removes the old Ghostscript files). Note: don’t uninstall GhostTrap, since this will remove the registry key required, as noted above.
6. Restart Mobility Print service and send a PostScript print job to test. Note: the Mobility Print logs will show if ps2pdf is found and working, e.g.:

2022/03/09 11:26:33 mobility-print.exe: STDOUT|SUPPORT: ps2pdf is found and is working: {"ps2pdf":"C:\\PROGRA~1\\gs\\GS955~1.0\\bin\\gsc-trapped.exe"} {"src":"ps2pdf.go:50"}

Product updates

In line with best practice we will look to update GhostTrap in the near future. If you have questions about the above or questions about the update, please contact us and mention this KB as well as reference [PO-351]. Thank you!