ImageMagick bug puts countless websites at risk of hijacking


From ImageMagick forum:

We have recently received vulnerability reports for certain coders, they include possible remote code execution and ability to render files on the local system.

These vulnerabilities will be addressed in versions 7.0.1–1 and 6.9.3–10, which are due to be released by the weekend.

The remote-code execution flaw (CVE-2016–3714) already has a name, logo and website: ImageTragick.


How to mitigate?

If you use ImageMagick or an affected library, we recommend you mitigate the known vulnerabilities by doing at least one of these two things (but preferably both!):

  1. Verify that all image files begin with the expected “magic bytes” corresponding to the image file types you support before sending them to ImageMagick for processing. (see FAQ for more info)
  2. Use a policy file to disable the vulnerable ImageMagick coders. The global policy for ImageMagick is usually found in “/etc/ImageMagick”. The below policy.xml example will disable the coders EPHEMERAL, URL, MVG, and MSL.
<policymap>
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<policy domain="coder" rights="none" pattern="TEXT" />
<policy domain="coder" rights="none" pattern="SHOW" />
<policy domain="coder" rights="none" pattern="WIN" />
<policy domain="coder" rights="none" pattern="PLT" />
</policymap>

More technical info on ImageTragick Website.

Comments