ImageTragick - ImageMagick Filtering Vulnerability - CVE-2016-3714
A vulnerability was found in ImageMagick where insufficient filtering of filenames passed to a delegate's command allows remote code execution during the conversion of several file formats.
Background Information
ImageMagick allows the processing of files with external libraries. This feature is called "delegate". It is implemented as a system() call with a command string ('command') taken from the config file delegates.xml, in which placeholders for the different parameters (input/output filename, etc.) are replaced with actual values. Because the %M parameter is insufficiently filtered, it is possible to inject shell commands. One of the default delegate commands uses the following to handle HTTPS requests:
"wget" -q -O "%o" "https:%M"
where %M is the actual link from the input. If wget or curl are installed, it is possible to pass the value "https://example.com" |ls "-la" and unexpectedly execute 'ls -la'.
Take Action
All Red Hat customers using ImageMagick are strongly recommended to apply mitigations to their systems pending released security Errata. Recommended mitigations are found under the Resolve tab.
Impacted Products
Red Hat Product Security has rated this issue as having a security impact of Important.
The following Red Hat Product versions are impacted:
- Red Hat Enterprise Linux 5
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
- Red Hat OpenShift Enterprise
Impact
Any customer using ImageMagick to process untrusted or third-party images is potentially impacted. Examples include auto-generated thumbnail code using ImageMagick or third-party usage of ImageMagick to process images uploaded to your servers, which is often done using web applications that receive untrusted user input.
Mitigation
Red Hat Enterprise Linux 6 & 7
As a workaround, the /etc/ImageMagick/policy.xml file can be edited to disable the MVG, HTTPS, HTTP, URL, FTP, EPHEMERAL, MSL, LABEL and TEXT coders, so that those formats are no longer processed when they are referenced from within image files. In the <policymap> section, add the following lines:
<policymap>
  ...
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="HTTP" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="FTP" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="LABEL" />
  <policy domain="path" rights="none" pattern="@*" />
</policymap>
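After editing policy.xml it is easy to miss one of the entries, and ImageMagick will not complain about an incomplete policy. The following script is an added example, not part of the Red Hat advisory or of ImageMagick itself: it parses a policy.xml and reports which of the (domain, pattern) pairs listed above are not yet denied with rights="none". The two embedded policy files are constructed samples, not copies of the RHEL files; the match is literal, so an entry written with a different pattern spelling would be reported as missing.

```python
import sys
import xml.etree.ElementTree as ET

# (domain, pattern) pairs the advisory says policy.xml must set to rights="none".
REQUIRED_POLICIES = {
    ("coder", "EPHEMERAL"), ("coder", "HTTPS"), ("coder", "HTTP"),
    ("coder", "URL"), ("coder", "FTP"), ("coder", "MVG"),
    ("coder", "MSL"), ("coder", "TEXT"), ("coder", "LABEL"),
    ("path", "@*"),
}


def denied_policies(policy_xml: str) -> set:
    """Collect every (domain, pattern) that the policy.xml text denies.

    The real file carries a DOCTYPE with an internal DTD subset and many
    comments; expat (behind ElementTree) parses both without special handling.
    """
    root = ET.fromstring(policy_xml)
    denied = set()
    for pol in root.iter("policy"):
        rights = (pol.get("rights") or "").strip().lower()
        if rights == "none":
            denied.add((pol.get("domain"), pol.get("pattern")))
    return denied


def missing_policies(policy_xml: str) -> set:
    """Return the required policies NOT denied in this file (empty set = mitigation complete)."""
    return REQUIRED_POLICIES - denied_policies(policy_xml)


def check_file(path: str) -> set:
    """Read a policy.xml from disk and report its missing entries."""
    with open(path, encoding="utf-8") as fh:
        return missing_policies(fh.read())


# Constructed sample: a policy.xml that only limits resources (no coder policies).
STOCK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="disk" value="1GiB"/>
</policymap>
"""

# Constructed sample: the same file with the advisory's lines added.
HARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="HTTP" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="FTP" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="LABEL" />
  <policy domain="path" rights="none" pattern="@*" />
</policymap>
"""

if __name__ == "__main__":
    # Usage: python check_policy.py /etc/ImageMagick/policy.xml
    # Without an argument the constructed stock sample is checked instead.
    gaps = check_file(sys.argv[1]) if len(sys.argv) > 1 else missing_policies(STOCK_POLICY)
    for domain, pattern in sorted(gaps):
        print(f'missing: <policy domain="{domain}" rights="none" pattern="{pattern}" />')
    sys.exit(1 if gaps else 0)
```

Run it against /etc/ImageMagick/policy.xml after the edit; a non-zero exit status with a printed list means the policy is still incomplete, which makes the check usable from a configuration-management or CI job.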
Red Hat Enterprise Linux 5
In the following folders:
/usr/lib64/ImageMagick-6.2.8/modules-Q16/coders/ (64bit package)
/usr/lib/ImageMagick-6.2.8/modules-Q16/coders/ (32bit package)
Rename the following files: mvg.so, msl.so, label.so. Example:
$ mv mvg.so mvg.so.bak
$ mv msl.so msl.so.bak
$ mv label.so label.so.bak
Additional Mitigation
Additionally, customers can modify third-party code using ImageMagick to verify the image's validity before passing it to ImageMagick to process.
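One concrete form of that validation is to check the file's leading magic bytes against an allowlist of raster formats before the file ever reaches ImageMagick, so that a text-based format renamed to look like a picture is rejected up front. The following is an added example written for this page, not code from Red Hat or ImageMagick; the allowlist, the extension mapping and the sample byte strings are constructed for illustration, and the file-type check is the caller's (not ImageMagick's) responsibility.

```python
# Allowlisted raster formats and the magic bytes each must start with.
# Anything not in this table (including the text-based MVG, MSL, LABEL and
# TEXT inputs named in the advisory) is refused before ImageMagick sees it.
ALLOWED_SIGNATURES = {
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif":  (b"GIF87a", b"GIF89a"),
}

# Client-supplied extensions we accept, mapped to the format they must contain.
EXTENSION_TO_FORMAT = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif"}


def sniff_format(data: bytes):
    """Return the allowlisted format whose signature the data starts with, else None."""
    for fmt, signatures in ALLOWED_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return fmt
    return None


def accept_upload(data: bytes, filename: str) -> bool:
    """Accept the upload only if:
      1. the filename extension is on the allowlist,
      2. the content sniffs as one of the allowed formats, and
      3. the sniffed format matches what the extension claims.
    Rejected files are never passed to ImageMagick, so no coder or delegate
    is selected for them."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXTENSION_TO_FORMAT.get(ext)
    if claimed is None:
        return False
    return sniff_format(data) == claimed


# Constructed sample inputs (not real files): a PNG header followed by
# padding, a JPEG header, a GIF header, and a plain text file renamed to .png.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
SAMPLE_GIF = b"GIF89a" + b"\x00" * 16
SAMPLE_TEXT_AS_PNG = b"not really an image\n"

if __name__ == "__main__":
    for name, blob in [("photo.png", SAMPLE_PNG), ("photo.png", SAMPLE_TEXT_AS_PNG),
                       ("photo.png", SAMPLE_JPEG), ("photo.jpg", SAMPLE_JPEG),
                       ("anim.gif", SAMPLE_GIF), ("drawing.svg", SAMPLE_PNG)]:
        verdict = "accept" if accept_upload(blob, name) else "reject"
        print(f"{name:12s} sniffed={sniff_format(blob)!s:6s} -> {verdict}")
```

The third rule matters as much as the first two: a file whose extension and content disagree is a sign that the upload path is being probed, and rejecting it avoids handing ImageMagick a file it may interpret as something other than the extension suggests. This check complements, and does not replace, the policy.xml mitigation above.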
Updates for Affected Products
Product | Package | Advisory/Update |
---|---|---|
Red Hat Enterprise Linux 5 | ImageMagick | Will Not Fix |
Red Hat Enterprise Linux 6 | ImageMagick | RHSA-2016-0726 |
Red Hat Enterprise Linux 7 | ImageMagick | RHSA-2016-0726 |