Multiple Vulnerabilities in ImageMagick (CVE-2016-3714)

May 5, 2016

Summary

Multiple vulnerabilities have been discovered in ImageMagick, an open-source software library for displaying, converting, and editing a wide range of image types. Among other things, ImageMagick is used by many web services to handle images. The worst of the vulnerabilities discovered would allow remote code execution. Details of the vulnerabilities have been released by researchers with Mail.Ru. [1]

Impact

Attackers may be able to execute arbitrary code remotely by exploiting this vulnerability. Additionally, they can move, delete and read files as well as perform Server Side Request Forgery attacks.

Vulnerable

  • ImageMagick 7.X prior to 7.0.1-1
  • ImageMagick 6.X prior to 6.9.3-10

Recommendations

  • If using ImageMagick 7.X install the latest binary release [2]
  • If using ImageMagick 6.X install the legacy binary release [3]
  • Use an ImageMagick Policy file to disable the coders EPHEMERAL, URL, MVG, and MSL [4]
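
To confirm that a host meets the recommendations above, the following added example (not part of the original advisory) checks a version string against the fixed releases and verifies that a policy.xml sets all four coders to rights="none". The function names and the sample policy are constructed for illustration, and only exact coder names in the pattern attribute are recognized.

```python
import re
import xml.etree.ElementTree as ET

REQUIRED = {"EPHEMERAL", "URL", "MVG", "MSL"}   # coders named in the advisory
FIXED = {6: (6, 9, 3, 10), 7: (7, 0, 1, 1)}     # first fixed release per branch

def parse_version(text):
    """Extract (major, minor, patch, build) from e.g. 'ImageMagick 6.9.3-10 Q16'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)-(\d+)", text)
    if not m:
        raise ValueError("no ImageMagick version found in %r" % text)
    return tuple(int(g) for g in m.groups())

def is_vulnerable_version(text):
    """True if the version is in a 6.X or 7.X range the advisory lists."""
    version = parse_version(text)
    fixed = FIXED.get(version[0])
    return fixed is not None and version < fixed

def missing_coder_blocks(policy_xml):
    """Return the advisory's coders that the policy does not set to rights="none"."""
    root = ET.fromstring(policy_xml)
    blocked = set()
    for policy in root.iter("policy"):
        if (policy.get("domain", "").lower() == "coder"
                and policy.get("rights", "").lower() == "none"):
            blocked.add(policy.get("pattern", "").upper())
    return REQUIRED - blocked

# Constructed sample: a policy file that forgot the MSL coder.
SAMPLE_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="MVG" />
</policymap>"""

if __name__ == "__main__":
    banner = "Version: ImageMagick 6.9.3-9 Q16 x86_64"  # constructed sample
    print("vulnerable version:", is_vulnerable_version(banner))
    print("coders still enabled:", sorted(missing_coder_blocks(SAMPLE_POLICY)))
```
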

References

[1] http://www.openwall.com/lists/oss-security/2016/05/03/18

[2] http://www.imagemagick.org/script/binary-releases.php

[3] http://legacy.imagemagick.org/script/binary-releases.php

[4] https://www.imagemagick.org/discourse-server/viewtopic.php?t=29588

[5] https://security.berkeley.edu/news/vulnerable-product-1.x-remote-code-execution