How To Fix ImageMagick Remote Command Execution Vulnerability In cPanel/WHM Servers

ImageMagick is a popular software package used to convert, edit and manipulate images. It has libraries for all common programming languages, including PHP, Python, Ruby and many others. It is also very simple to use, which has led many developers to use it when they need image cropping or manipulation.

However, the latest versions of ImageMagick don't properly filter the file names that get passed to the internal delegates that handle external protocols (like HTTPS). This allows an attacker to execute his own commands remotely by uploading an image, which leads to a full RCE (remote command execution) vulnerability in your image uploader. The vulnerability is so serious that researchers created a fun nickname for it, which is easier to remember than just CVE-2016-3714.

Users behind our WAF are already protected against this vulnerability, but we still recommend that everyone follow the ImageMagick developers' recommendation: edit the /etc/ImageMagick/policy.xml file and disable the processing of MVG, HTTPS, EPHEMERAL, and MSL commands within image files. In the <policymap> section, add the following lines:

<policymap>
   …
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="HTTP" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="FTP" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="LABEL" />
  <policy domain="path" rights="none" pattern="@*" />
</policymap>

Shut down all web services and restart them to apply the changes.

ImageMagick released an update on 2016-05-03 on version 6.7.2.7 to fix this issue; however, there are questions about whether this update provides a complete fix. At the time of writing, it should be presumed that version 6.9.3-10 does not fix the issues completely, and you should take steps to patch the issue via the policy.xml file.

To update ImageMagick, run:

# yum update ImageMagick
# rpm -q --changelog ImageMagick | grep CVE-2016-3714
- Add fix for CVE-2016-3714, CVE-2016-3715, CVE-2016-3716 and CVE-2016-3717
# convert -version
Version: ImageMagick 6.7.2-7 2016-05-09 Q16 http://www.imagemagick.org
Copyright: Copyright (C) 1999-2011 ImageMagick Studio LLC
Features: OpenMP 
# rpm -q -i ImageMagick
Name : ImageMagick Relocations: (not relocatable)
Version : 6.7.2.7 Vendor: CentOS
Release : 4.el6_7 Build Date: Mon 09 May 2016 05:31:27 PM UTC
Install Date: Tue 10 May 2016 04:41:56 PM UTC Build Host: c6b8.bsys.dev.centos.org
Group : Applications/Multimedia Source RPM: ImageMagick-6.7.2.7-4.el6_7.src.rpm
Size : 7322039 License: ImageMagick
Signature : RSA/SHA1, Mon 09 May 2016 05:34:35 PM UTC, Key ID 0946fca2c105b9de
Packager : CentOS BuildSystem <http://bugs.centos.org>
URL : http://www.imagemagick.org/
Summary : An X application for displaying and manipulating images

Fix for cPanel/WHM: cPanel has already released patches for this vulnerability.

To apply the patch, run the autorepair script in the terminal:

# /scripts/autorepair mitigate_imagemagick_cve
Requesting script ... info [autorepair] Successfully verified signature for cpanel (key types: release).
Done
Auto Repair is running......Auto Repair is done.

To confirm, run:

# rpm -q --changelog ImageMagick | grep CVE-2016-3714
- Add fix for CVE-2016-3714, CVE-2016-3715, CVE-2016-3716 and CVE-2016-3717

If you have an older version of cPanel, you may want to fix this manually. You can do so by editing the file /usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml and making the following changes in the <policymap> section:

<policymap>

   ...
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="HTTP" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="FTP" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="LABEL" />
  <policy domain="path" rights="none" pattern="@*" />
</policymap>

CloudLinux:

You need to edit the following files to patch CloudLinux servers that have CageFS enabled:

/opt/alt/alt-ImageMagick/etc/ImageMagick-6/policy.xml
/opt/cloudlinux/lib/ImageMagick-6.5.4/config/policy.xml
/etc/ImageMagick/policy.xml

Make the following changes in the <policymap> section.

<policymap>

   ...
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="HTTP" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="FTP" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="LABEL" />
  <policy domain="path" rights="none" pattern="@*" />
</policymap>

Then force update CageFS using:

# cagefsctl --force-update
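
To confirm that every policy.xml named in this article really carries the deny entries, the check below parses each file and lists any that are missing. It is an added example, not part of the original article or of cPanel's tooling; the function names missing_policies and audit are hypothetical.

```python
import sys
import xml.etree.ElementTree as ET

# (domain, pattern) pairs the article says to set to rights="none".
REQUIRED = [("coder", p) for p in (
    "EPHEMERAL", "HTTPS", "HTTP", "URL", "FTP", "MVG", "MSL", "TEXT", "LABEL")]
REQUIRED.append(("path", "@*"))

# policy.xml locations named in the article.
POLICY_FILES = [
    "/etc/ImageMagick/policy.xml",
    "/usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml",
    "/opt/alt/alt-ImageMagick/etc/ImageMagick-6/policy.xml",
    "/opt/cloudlinux/lib/ImageMagick-6.5.4/config/policy.xml",
]

def missing_policies(xml_data):
    """Return the required (domain, pattern) pairs that xml_data does not deny."""
    root = ET.fromstring(xml_data)
    if root.tag != "policymap":
        raise ValueError("root element is <%s>, expected <policymap>" % root.tag)
    seen = {}
    for pol in root.iter("policy"):
        key = (pol.get("domain"), pol.get("pattern"))
        seen.setdefault(key, []).append((pol.get("rights") or "").strip().lower())
    # Conservative assumption: a pair counts as denied only when every
    # entry for it says rights="none" (a second entry granting rights fails).
    return [k for k in REQUIRED if not seen.get(k) or any(r != "none" for r in seen[k])]

def audit(paths):
    """Map each existing path to its missing pairs, or to an error string."""
    report = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                report[path] = missing_policies(fh.read())
        except FileNotFoundError:
            continue  # that ImageMagick build is not installed on this host
        except (ET.ParseError, ValueError, OSError) as exc:
            # Typographic quotes pasted from a web page land here: invalid XML.
            report[path] = "unreadable: %s" % exc
    return report

if __name__ == "__main__":
    results = audit(sys.argv[1:] or POLICY_FILES)
    for path, result in results.items():
        print(path, "OK" if result == [] else result)
    sys.exit(0 if all(r == [] for r in results.values()) else 1)
```

Run it as root after editing the files and before restarting web services; a non-zero exit status means at least one file is missing an entry or is not valid XML.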