On Internet servers around the world, ImageMagick, a widely deployed technology for processing images for the Internet, is under attack via a vulnerability identified as CVE-2016-3714, a remote code execution issue that could enable an attacker to exploit an affected system.
The ImageMagick flaw, which is receiving the branded vulnerability treatment, is also known as ImageTragick. The initial flaw in ImageMagick was found by a security researcher known publicly only as “Stewie,” who has a track record of responsibly disclosing flaws by way of the HackerOne bug-bounty system. Security researcher Nikolay Ermishkin from the Mail.Ru Security Team is credited with finding additional issues including the remote code execution condition.
The ImageMagick project is already providing some guidance to help mitigate the remote code execution risk and plans on issuing a software update soon.
“The ImageMagick policy was developed many years ago to help prevent possible exploits and is discussed here,” a post on the ImageMagick forum states.
While a public proof of concept for the vulnerability was not immediately made available, one is coming, very soon. Tod Beardsley, security research manager at Rapid7, noted that there is a draft version for one of the ImageMagick vulnerabilities for review at the Metasploit Penetration Testing Framework open-source repository. Rapid7 is the lead commercial sponsor of the open-source Metasploit penetration testing framework.
“This was a collaboration between HD Moore, one of the original Metasploit founders, and William Vu, a Rapid7 exploit developer,” Beardsley told eWEEK. “I expect it’ll get reviewed today and made available pretty soon for Metasploit developers, and ship with Metasploit’s weekly updates next week.”
Moore recently left Rapid7 in January 2016 to start his own firm called Special Circumstances, which provides business advisory services, security research and penetration testing.
The ImageMagick flaws are quite interesting in that they appear to be a blend of type confusion and command injection bugs, Beardsley said.
“Format bugs like this tend to be client-side—a user needs to open a malicious file with a vulnerable viewer,” Beardsley said. “However, ImageMagick’s components are also used in Web application frameworks for cropping, resizing and converting images uploaded by users; so in that sense, a command injection exploit gets the attacker control over the Web server.”
While the potential impact of the ImageMagick flaws are widespread, with a formal patch on the way and simple mitigations that can be implemented by users today, the overall risk can be mitigated somewhat.
“Luckily, the mitigations appear very easy and reasonable to implement, and keeping up on the acceptable policy for user uploaded content is a good idea anyway,” Beardsley said. “Web server administrators are urged to review their use of ImageMagick components and apply the suggested mitigations.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.