Multiple Vulnerabilities in ImageMagick Products Could Allow Remote Code Execution

ITS Advisory Number: 2016-081
Date(s) Issued: Wednesday, May 4, 2016
Subject: Multiple Vulnerabilities in ImageMagick Products Could Allow Remote Code Execution
Overview: 

There are multiple vulnerabilities in ImageMagick, a package commonly used by web services to process images. One of the vulnerabilities can lead to remote code execution (RCE) if you process user-submitted images. The exploit for this vulnerability is being used in the wild. A number of image processing plugins depend on the ImageMagick library, including, but not limited to, PHP's imagick, Ruby's rmagick and paperclip, and nodejs's imagemagick.

Successful exploitation could result in an attacker gaining the same privileges as the logged on user, arbitrary code execution within the context of the application, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Systems Affected: 
  • ImageMagick 7.0.0-1 and prior releases
RISK
GOVERNMENT
Large and medium government entities: High
Small government entities: High
BUSINESS
Large and medium business entities: High
Small business entities: High
Home Users: High
Description: 

ImageMagick suffers from a vulnerability that allows malformed images to force a web server to execute code of an attacker's choosing. Websites that use ImageMagick and allow users to upload images are at risk of attacks that could completely compromise their security. Because ImageMagick selects a coder from the file's content rather than its extension, an uploaded file with an image extension can still be handled by one of the vulnerable coders listed below.

  • A vulnerability in ImageMagick reported today allows booby-trapped image uploads to trick the ImageMagick software into running commands instead, leading to what's known as a remote code execution (RCE) bug (CVE-2016-3714).

Certain coders can be abused for remote code execution and to render files on the local system. To prevent these exploits, add the following to your policy.xml file:

<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<policy domain="coder" rights="none" pattern="TEXT" />
<policy domain="coder" rights="none" pattern="SHOW" />
<policy domain="coder" rights="none" pattern="WIN" />
<policy domain="coder" rights="none" pattern="PLT" />

For HTTPS, you can also remove support by deleting it from the delegates.xml configuration file.

These coders in ImageMagick 7.0.1-1 and 6.9.3-10 (available by this weekend) are secured by sanitizing the HTTPS parameters and preventing indirect reads with this policy:

<policy domain="path" rights="none" pattern="@*" />

If you require the HTTPS, MVG, or MSL coders, the path policy above is sufficient to prevent these exploits.

You can verify your policies with this command:

-> convert -list policy

Path: ImageMagick-7/policy.xml
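As an added example (not part of this advisory or of the ImageMagick project), the following script audits a policy.xml for the coder and path entries recommended above, as a complement to `convert -list policy`. It assumes the standard policy.xml layout of a `<policymap>` root containing `<policy>` elements; the sample file embedded below is constructed for the demonstration and deliberately leaves gaps.

```python
# Added example: audit an ImageMagick policy.xml for the mitigations recommended
# in the advisory. Not code from the advisory or from ImageMagick itself.
import xml.etree.ElementTree as ET

# Coders the advisory says to disable, plus the path policy that blocks
# indirect reads through "@file" arguments. Matching is exact on the pattern.
REQUIRED_POLICIES = {
    ("coder", "EPHEMERAL"), ("coder", "HTTPS"), ("coder", "MVG"),
    ("coder", "MSL"), ("coder", "TEXT"), ("coder", "SHOW"),
    ("coder", "WIN"), ("coder", "PLT"), ("path", "@*"),
}

def load_policies(xml_text):
    """Return {(domain, pattern): rights} for every <policy> element."""
    root = ET.fromstring(xml_text)
    found = {}
    for elem in root.iter("policy"):
        key = (elem.get("domain", ""), elem.get("pattern", ""))
        found[key] = elem.get("rights", "")
    return found

def missing_policies(xml_text):
    """List required (domain, pattern) entries that are absent or that grant
    anything other than rights="none"."""
    found = load_policies(xml_text)
    return sorted(key for key in REQUIRED_POLICIES if found.get(key) != "none")

# Constructed sample: disables most coders but leaves MSL readable and omits
# the "@*" path policy entirely, so the audit should flag both.
SAMPLE_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="read" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>"""

if __name__ == "__main__":
    # To audit a real file: missing_policies(open("policy.xml").read())
    for domain, pattern in missing_policies(SAMPLE_POLICY):
        print(f'missing or too permissive: domain="{domain}" pattern="{pattern}"')
```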

Successful exploitation could result in an attacker gaining the same privileges as the logged on user, arbitrary code execution within the context of the application, or the bypassing of security restrictions. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Actions: 
  • If you have a hosted website or blog, ask your hosting provider if they use ImageMagick.
  • Patch ImageMagick as soon as a patch becomes available and after appropriate testing.
  • In the meantime, apply ImageMagick's suggested workaround by editing ImageMagick's policy.xml file. 
  • Sanitize images before they're processed by ImageMagick, or disable all formats except the ones needed. Verify that images start with the correct "magic bytes" or signatures before they are passed to ImageMagick for processing.
  • Run all software as a non-privileged user to diminish the effects of a successful attack.
  • Remind users not to download, accept, or execute files from untrusted or unknown sources.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.