
ImageMagick does not properly validate input before processing images using a delegate

Description

### Overview

ImageMagick does not properly validate user input before processing it using a delegate, which may lead to arbitrary code execution. This issue is also known as "ImageTragick".

### Description

**[CWE-20](<http://cwe.mitre.org/data/definitions/20.html>): Improper Input Validation** - CVE-2016-3714

According to the researchers in a mailing list [post](<http://www.openwall.com/lists/oss-security/2016/05/03/18>):

_Insufficient filtering for filename passed to delegate's command allows remote code execution during conversion of several file formats._

_ImageMagick allows to process files with external libraries. This feature is called 'delegate'. It is implemented as a system() with command string ('command') from the config file delegates.xml with actual value for different params (input/output filenames etc). Due to insufficient %M param filtering it is possible to conduct shell command injection._

By causing a system to process an image with ImageMagick, an attacker may be able to execute arbitrary commands on a vulnerable system. A common vulnerable configuration would be a web server that allows image uploads that are subsequently processed with ImageMagick.

Exploit code for this vulnerability is publicly available, and according to the [ImageTragick](<https://imagetragick.com/>) website, this vulnerability is already being exploited in the wild.

---

### Impact

An unauthenticated remote attacker that can upload crafted image files may be able to execute arbitrary code in the context of the user calling ImageMagick.

---

### Solution

**Apply an Update**

ImageMagick versions 6.9.3-10 and 7.0.1-1 have been released to address these issues. Affected users should update to the latest version of ImageMagick as soon as possible.

However, affected users may also apply the following mitigations:

---

**Verify Files and Disable Vulnerable Filters**

The researchers suggest that this vulnerability may be mitigated by doing the following:

1. Verify that all image files begin with the expected "magic bytes" corresponding to the image file types you support before sending them to ImageMagick for processing.
2. Use a policy file to disable the vulnerable ImageMagick coders.

For more details, please see <https://imagetragick.com/>

---

### Vendor Information 250519

| Vendor | Status | Updated |
|---|---|---|
| Arch Linux | Affected | May 04, 2016 |
| CentOS | Affected | May 04, 2016 |
| Debian GNU/Linux | Affected | May 04, 2016 |
| Fedora Project | Affected | May 04, 2016 |
| Gentoo Linux | Affected | May 04, 2016 |
| ImageMagick | Affected | May 04, 2016 |
| Red Hat, Inc. | Affected | May 04, 2016 |
| SUSE Linux | Affected | May 04, 2016 |
| Slackware Linux Inc. | Affected | May 04, 2016 |
| Turbolinux | Affected | May 04, 2016 |
| Ubuntu | Affected | May 04, 2016 |
| openSUSE project | Affected | May 04, 2016 |

The following applies to each vendor listed:

**Vendor Statement:** We have not received a statement from the vendor.

**Vendor Information:** We are not aware of further vendor information regarding this vulnerability.

### CVSS Metrics

| Group | Score | Vector |
|---|---|---|
| Base | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| Temporal | 7.3 | E:POC/RL:OF/RC:C |
| Environmental | 7.3 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |

### References

* <https://imagetragick.com/>
* <https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588>
* <http://www.openwall.com/lists/oss-security/2016/05/03/18>

### Acknowledgements

The ImageTragick website credits Stewie and Nikolay Ermishkin of the Mail.Ru Security Team for discovering these vulnerabilities.

This document was written by Garret Wassermann.

### Other Information

| **CVE IDs:** | [CVE-2016-3714](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-3714>) |
|---|---|
| **Date Public:** | 2016-05-03 |
| **Date First Published:** | 2016-05-04 |
| **Date Last Updated:** | 2016-05-04 21:14 UTC |
| **Document Revision:** | 21 |
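The two mitigation steps under "Verify Files and Disable Vulnerable Filters", sketched as an added example that is not part of the original advisory or of ImageMagick: a magic-byte gate that builds a shell-free `convert` command line with the coder pinned, and a check of a policy file for coders left enabled. The accepted formats, function names and paths are assumptions, and the coder names come from the imagetragick.com policy recommendation rather than from this page.

```python
import xml.etree.ElementTree as ET

# Signatures for the raster formats this hypothetical upload service accepts.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Coders from the imagetragick.com policy advice (assumption: not named on this page).
RISKY_CODERS = {"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL"}


def sniff_format(data):
    """Return the allowed format whose magic bytes start `data`, else None."""
    for fmt, prefixes in MAGIC.items():
        if data.startswith(prefixes):
            return fmt
    return None


def convert_argv(src_path, data, dst_path):
    """Build a shell-free argv for `convert`, or raise if the type is not allowed."""
    fmt = sniff_format(data)
    if fmt is None:
        raise ValueError("file does not start with an allowed image signature")
    # The "fmt:" prefix pins the coder instead of letting ImageMagick choose.
    return ["convert", f"{fmt}:{src_path}", dst_path]


def coders_still_enabled(policy_xml):
    """Return RISKY_CODERS lacking an exact rights="none" coder policy entry."""
    disabled = set()
    for p in ET.fromstring(policy_xml).iter("policy"):
        if p.get("domain") == "coder" and p.get("rights", "").lower() == "none":
            disabled.add(p.get("pattern", "").upper())
    return RISKY_CODERS - disabled


# Constructed samples: a PNG header, benign MVG text, a partial policy file.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
SAMPLE_MVG = b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n"
SAMPLE_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>"""

if __name__ == "__main__":
    print(convert_argv("/srv/up/1.bin", SAMPLE_PNG, "/srv/out/1.png"))
    print(sniff_format(SAMPLE_MVG), sorted(coders_still_enabled(SAMPLE_POLICY)))
```

The file extension and the client-supplied content type play no part in the decision; only the leading bytes of the stored upload do, and the source path is expected to be a server-generated name.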

