ImageTragick - ImageMagick Filtering Vulnerability - CVE-2016-3714

Public Date: May 3, 2016, 16:55
Updated: November 21, 2016, 07:26
Status: Resolved
Impact: Important

A vulnerability was found in ImageMagick where insufficient filtering of filenames passed to a delegate's command allows remote code execution during the conversion of several file formats.

Background Information

ImageMagick can hand files to external programs for processing. This feature is called a "delegate". It is implemented as a system() call on a command string ('command') taken from the configuration file delegates.xml, in which placeholders for the various parameters (input filename, output filename, etc.) are replaced with actual values. Because the %M parameter is insufficiently filtered, it is possible to inject shell commands. One of the default delegate commands uses the following to handle HTTPS requests:

"wget" -q -O "%o" "https:%M"

where %M is the actual link taken from the input. If wget or curl is installed, it is possible to pass the value "https://example.com" |ls "-la" and unexpectedly execute 'ls -la'.

Take Action

All Red Hat customers using ImageMagick are strongly recommended to apply mitigations to their systems until the security errata are released. Recommended mitigations are found under the Resolve tab.

Impacted Products

Red Hat Product Security has rated this issue as having a security impact of Important.

The following Red Hat Product versions are impacted:

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • Red Hat OpenShift Enterprise

Impact

Any customer using ImageMagick to process untrusted or third-party images is potentially impacted. Examples include auto-generated thumbnail code that uses ImageMagick, or third-party applications that use ImageMagick to process images uploaded to your servers, which is often done by web applications that receive untrusted user input.

Mitigation

Red Hat Enterprise Linux 6 & 7

As a workaround, the /etc/ImageMagick/policy.xml file can be edited to disable the MVG, HTTPS, HTTP, URL, FTP, EPHEMERAL, MSL, LABEL and TEXT coders for content within image files. In the <policymap> section, add the following lines:

<policymap>
...
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="HTTP" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="FTP" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<policy domain="coder" rights="none" pattern="TEXT" />
<policy domain="coder" rights="none" pattern="LABEL" />
<policy domain="path" rights="none" pattern="@*" />
</policymap>
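To verify that a policy.xml actually carries every entry listed above (and not, for example, a coder entry that merely lowers rights to "read"), the following added example checks a policy file against the advisory's list. It is not Red Hat's or ImageMagick's code; the two policy documents are constructed samples, and the case-insensitive comparison of coder names is an assumption.

```python
import xml.etree.ElementTree as ET

# Coder patterns and the path rule the advisory's workaround denies.
REQUIRED_CODER_PATTERNS = frozenset(
    {"EPHEMERAL", "HTTPS", "HTTP", "URL", "FTP", "MVG", "MSL", "TEXT", "LABEL"})
REQUIRED_PATH_PATTERNS = frozenset({"@*"})

# Constructed sample: a policy.xml that carries only a resource limit and a
# coder entry that lowers HTTPS to "read" instead of denying it (still unsafe).
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="read" pattern="HTTPS"/>
</policymap>"""

# Constructed sample: the same file with the advisory's lines appended.
ADVISORY_LINES = "\n".join(
    f'  <policy domain="coder" rights="none" pattern="{p}" />'
    for p in sorted(REQUIRED_CODER_PATTERNS)
) + '\n  <policy domain="path" rights="none" pattern="@*" />\n'
HARDENED_POLICY = WEAK_POLICY.replace("</policymap>", ADVISORY_LINES + "</policymap>")


def missing_policies(policy_xml: str) -> dict:
    """Return the advisory patterns that have no rights="none" policy entry.

    Only an entry whose rights are exactly "none" counts as a mitigation; a
    coder entry with rights="read" still lets the delegate run, so its pattern
    is reported as missing. Coder names are compared case-insensitively
    (assumption), path patterns exactly.
    """
    root = ET.fromstring(policy_xml)
    if root.tag != "policymap":
        raise ValueError("expected <policymap> as the root element")
    denied = {"coder": set(), "path": set()}
    for policy in root.iter("policy"):
        domain = policy.get("domain")
        if domain in denied and policy.get("rights", "").strip().lower() == "none":
            pattern = policy.get("pattern", "")
            denied[domain].add(pattern.upper() if domain == "coder" else pattern)
    return {
        "coder": sorted(REQUIRED_CODER_PATTERNS - denied["coder"]),
        "path": sorted(REQUIRED_PATH_PATTERNS - denied["path"]),
    }


if __name__ == "__main__":
    for name, text in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, missing_policies(text))
```

Run against the real file with `missing_policies(open("/etc/ImageMagick/policy.xml").read())`; an empty result for both keys means every entry from the advisory is present.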

Red Hat Enterprise Linux 5

In the following folders:

/usr/lib64/ImageMagick-6.2.8/modules-Q16/coders/ (64bit package)
or
/usr/lib/ImageMagick-6.2.8/modules-Q16/coders/ (32bit package)

Rename the following files: mvg.so, msl.so and label.so. Example:

$ mv mvg.so mvg.so.bak
$ mv msl.so msl.so.bak
$ mv label.so label.so.bak

Additional Mitigation

Additionally, customers can modify third-party code that uses ImageMagick so that it verifies an image's validity before passing it to ImageMagick for processing.

Updates for Affected Products

Product                      Package      Advisory/Update
Red Hat Enterprise Linux 5   ImageMagick  Will Not Fix
Red Hat Enterprise Linux 6   ImageMagick  RHSA-2016-0726
Red Hat Enterprise Linux 7   ImageMagick  RHSA-2016-0726
