Executive Summary

Summary
Title ImageMagick does not properly validate input before processing images using a delegate
Informations
Name VU#250519 First vendor Publication 2016-05-04
Vendor VU-CERT Last vendor Modification 2016-05-04
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score 10 Attack Range Network
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#250519

ImageMagick does not properly validate input before processing images using a delegate

Original Release date: 04 May 2016 | Last revised: 04 May 2016

Overview

ImageMagick does not properly validate user input before processing it using a delegate, which may lead to arbitrary code execution. This issue is also known as "ImageTragick".

Description

CWE-20: Improper Input Validation - CVE-2016-3714

According to the researchers in a mailing list post:

    Insufficient filtering for filename passed to delegate's command allows remote code execution during conversion of several file formats.

    ImageMagick allows to process files with external libraries. This feature is called 'delegate'. It is implemented as a system() with command string ('command') from the config file delegates.xml with actual value for different params (input/output filenames etc). Due to insufficient %M param filtering it is possible to conduct shell command injection.

By causing a system to process an image with ImageMagick, an attacker may be able to execute arbitrary commands on a vulnerable system. A common vulnerable configuration would be a web server that allows image uploads that are subsequently processed with ImageMagick.

Exploit code for this vulnerability is publicly available, and according to the ImageTragick website, this vulnerability is already being exploited in the wild.

Impact

An unauthenticated remote attacker that can upload crafted image files may be able to execute arbitrary code in the context of the user calling ImageMagick.

Solution

Apply an Update

ImageMagick version 6.9.3-10 and 7.0.1-1 have been released to address these issues. Affected users should update to the latest version of ImageMagick as soon as possible.

However, affected users may also apply the following mitigations:

Verify Files and Disable Vulnerable Filters

The researchers suggest that this vulnerability may be mitigated by doing the following:

1. Verify that all image files begin with the expected "magic bytes" corresponding to the image file types you support before sending them to ImageMagick for processing.
2. Use a policy file to disable the vulnerable ImageMagick coders.

For more details, please see https://imagetragick.com/

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
Arch LinuxAffected-04 May 2016
CentOSAffected-04 May 2016
Debian GNU/LinuxAffected-04 May 2016
Fedora ProjectAffected-04 May 2016
Gentoo LinuxAffected-04 May 2016
ImageMagickAffected-04 May 2016
openSUSE projectAffected-04 May 2016
Red Hat, Inc.Affected-04 May 2016
Slackware Linux Inc.Affected-04 May 2016
SUSE LinuxAffected-04 May 2016
TurbolinuxAffected-04 May 2016
UbuntuAffected-04 May 2016
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

GroupScoreVector
Base9.3AV:N/AC:M/Au:N/C:C/I:C/A:C
Temporal7.3E:POC/RL:OF/RC:C
Environmental7.3CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

  • https://imagetragick.com/
  • https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588
  • http://www.openwall.com/lists/oss-security/2016/05/03/18

Credit

The ImageTragick website credits Stewie and Nikolay Ermishkin of the Mail.Ru Security Team for discovering these vulnerabilities.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs:CVE-2016-3714
  • Date Public:03 May 2016
  • Date First Published:04 May 2016
  • Date Last Updated:04 May 2016
  • Document Revision:20

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/250519

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-20 Improper Input Validation

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 516
Os 4
Os 2
Os 1
Os 1
Os 1

Snort® IPS/IDS

Date Description
2016-06-22 ImageMagick WWWDecodeDelegate command injection attempt
RuleID : 39006 - Revision : 3 - Type : FILE-IMAGE
2016-06-22 ImageMagick WWWDecodeDelegate command injection attempt
RuleID : 39005 - Revision : 3 - Type : FILE-IMAGE
2016-06-22 ImageMagick WWWDecodeDelegate command injection attempt
RuleID : 39004 - Revision : 3 - Type : FILE-IMAGE
2016-06-22 ImageMagick WWWDecodeDelegate command injection attempt
RuleID : 39003 - Revision : 3 - Type : FILE-IMAGE
2016-06-22 ImageMagick WWWDecodeDelegate command injection attempt
RuleID : 39002 - Revision : 3 - Type : FILE-IMAGE
2016-06-22 ImageMagick WWWDecodeDelegate command injection attempt
RuleID : 39001 - Revision : 3 - Type : FILE-IMAGE
2016-06-22 ImageMagick WWWDecodeDelegate command injection attempt
RuleID : 39000 - Revision : 3 - Type : FILE-IMAGE
2016-06-17 ImageMagick WWWDecodeDelegate command injection attempt
RuleID : 38948 - Revision : 4 - Type : FILE-IMAGE
2016-06-17 ImageMagick WWWDecodeDelegate command injection attempt
RuleID : 38947 - Revision : 4 - Type : FILE-IMAGE
2016-06-17 ImageMagick WWWDecodeDelegate command injection attempt
RuleID : 38946 - Revision : 4 - Type : FILE-IMAGE
2016-06-17 ImageMagick WWWDecodeDelegate command injection attempt
RuleID : 38945 - Revision : 4 - Type : FILE-IMAGE
2016-06-14 ImageMagick WWWDecodeDelegate command injection attempt
RuleID : 38871 - Revision : 5 - Type : FILE-IMAGE
2016-06-07 ImageMagick WWWDecodeDelegate command injection attempt
RuleID : 38744 - Revision : 7 - Type : FILE-IMAGE
2016-06-07 ImageMagick WWWDecodeDelegate command injection attempt
RuleID : 38743 - Revision : 6 - Type : FILE-IMAGE

Nessus® Vulnerability Scanner

Date Description
2017-05-01 Name : The remote EulerOS host is missing multiple security updates.
File : EulerOS_SA-2016-1021.nasl - Type : ACT_GATHER_INFO
2016-12-27 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-3746.nasl - Type : ACT_GATHER_INFO
2016-05-24 Name : The remote Debian host is missing a security update.
File : debian_DLA-484.nasl - Type : ACT_GATHER_INFO
2016-05-23 Name : The remote Debian host is missing a security update.
File : debian_DLA-486.nasl - Type : ACT_GATHER_INFO
2016-05-17 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-3580.nasl - Type : ACT_GATHER_INFO
2016-05-12 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2016-699.nasl - Type : ACT_GATHER_INFO
2016-05-12 Name : The remote device is missing a vendor-supplied security patch.
File : f5_bigip_SOL03151140.nasl - Type : ACT_GATHER_INFO
2016-05-12 Name : The PHP application running on the remote web server is affected by multiple ...
File : wordpress_4_5_2.nasl - Type : ACT_GATHER_INFO
2016-05-11 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2016-0726.nasl - Type : ACT_GATHER_INFO
2016-05-09 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_0d724b05687f45279c03af34d3b094ec.nasl - Type : ACT_GATHER_INFO
2016-05-04 Name : The remote Windows host has an application installed that is affected by mult...
File : imagemagick_7_0_1_1.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
3
Date Informations
2016-05-13 13:29:30
  • Multiple Updates
2016-05-07 05:38:36
  • Multiple Updates
2016-05-06 00:36:27
  • Multiple Updates
2016-05-05 00:25:17
  • First insertion