A zero-day remote code execution flaw has been found in ImageMagick, an image processing library that allows image uploads from untrusted users (site visitors) and is widely used by web services (social media, blogging sites, etc.).
The flaw (CVE-2016–3714) is extremely easy to take advantage of – a booby-trapped image file that carries the exploit that will force the ImageMagick software to run malicious code on the server will do the trick. What’s more, it is already being exploited in attacks in the wild.
The vulnerability was discovered by security researcher Nikolay Ermishkin from the Mail.Ru Security Team. The ImageMagick development team was notified and pushed out a quick fix, but it was discovered to be incomplete.
Security researcher Ryan Huber stepped in to offer more details about the scope of the bug and to offer mitigation until the ImageMagick team comes up with a definitive patch (scheduled for the weekend).
He advises web admins to:
- Verify that all image files begin with the expected “magic bytes” corresponding to the image file types they support before sending them to ImageMagick for processing, and
- Add code to ImageMagick configuration files that will disable vulnerable coders (here’s a helpful example).
If they can’t do any of this, they should make image uploading temporarily impossible.
The above mitigations will stop the exploit samples that are already being used, but Huber doesn’t promise that they will eliminate all attack vectors.
The ball is now in the ImageMagick team’s court. Once the complete fix is released, web admins will be urged to update the library as soon as possible.
“Any service, which uses ImageMagick to process user supplied images and uses default delegates.xml / policy.xml, may be vulnerable to this issue,” Karim Valiev of the Mail.Ru Security Team pointed out.
Working PoC exploits have already been published by the Mail.Ru Security Team and security researcher Dan Tentler.
UPDATE: ImageMagick version 6.9.3-10 and 7.0.1-1 have been released to address these issues.