ALERT: Take action to mitigate ImageMagick vulnerabilities
Wednesday, May 4, 2016
This message is intended for U-M IT staff who are responsible for university servers and applications that use ImageMagick. ImageMagick is free image-manipulation software that applications such as content management systems use to convert or modify images. It was sent to IT staff groups by email on May 4, 2016.
There are multiple vulnerabilities in ImageMagick, a software suite commonly used by web services to process images. One of them (CVE-2016-3714, publicized as "ImageTragick") can lead to remote code execution when a server or application processes user-submitted images. A working exploit for this vulnerability has been published and is being used in the wild.
A system or application is exposed to these vulnerabilities if it uses ImageMagick to process submitted images. Examples include web content management systems that allow image uploads and other web applications that process uploaded image files.
Please note that while many web content management systems such as WordPress, Drupal, and Joomla can use ImageMagick to process images, their default configurations frequently use other image-processing libraries such as GD2. Systems and applications that use GD2 and do not use ImageMagick to process uploaded images are not vulnerable to direct attacks.
Attention Web Developers: There are multiple interfaces to ImageMagick, including G2F (Ada), MagickCore (C), MagickWand (C), ChMagick (Ch), ImageMagickObject (COM+), Magick++ (C++), JMagick (Java), L-Magick (Lisp), Lua (LuaJIT), NMagick (Neko/haXe), Magick.NET (.NET), PascalMagick (Pascal), PerlMagick (Perl), MagickWand for PHP (PHP), IMagick (PHP), PythonMagick (Python), RMagick (Ruby), or TclMagick (Tcl/TK). Any application or plugin that uses these interfaces may be vulnerable.
If you manage a server or web application that uses ImageMagick or an affected library, mitigate the known vulnerabilities by doing the following two things.
- Developers should verify that every image file begins with the "magic bytes" of one of the image file types you support before passing it to ImageMagick for processing. Checking the file extension alone is not enough, because ImageMagick selects its decoder from the file's contents, not its name. This advice primarily applies to developers who write or maintain the code for web applications.
- System/application managers should use a policy file to disable the vulnerable ImageMagick coders. The global policy file, policy.xml, is usually found in /etc/ImageMagick (some distributions use a versioned directory such as /etc/ImageMagick-6).
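The check the first recommendation asks for, written as an added example in Python (it is not code from this alert or from the ImageMagick project). The allow list, the file names and the sample contents are constructed for illustration; convert_upload assumes ImageMagick's convert command is on PATH and that the policy-file mitigation is applied as well.

```python
# Added example, not code from the U-M alert or from ImageMagick: check an upload's
# leading bytes against the signatures of the raster formats the application accepts,
# and reject the file before any of its bytes reach ImageMagick.
import subprocess

# Signatures of the formats this hypothetical upload handler accepts. Text-based
# formats such as MVG and SVG are deliberately absent: they are the formats that can
# reference other coders, which is what a crafted "image" relies on.
MAGIC = {
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif":  (b"GIF87a", b"GIF89a"),
}
ALLOWED_EXTENSIONS = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif"}


def sniff_format(data):
    """Return the accepted format whose signature the data starts with, or None."""
    for fmt, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return fmt
    return None


def is_acceptable_upload(filename, data):
    """True only if the extension is on the allow list AND the content's signature
    matches that extension. ImageMagick picks its decoder from the content, so a
    file called avatar.png that contains MVG text would otherwise be decoded as MVG."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = ALLOWED_EXTENSIONS.get(ext)
    return expected is not None and sniff_format(data) == expected


def convert_upload(filename, data, geometry="800x800>"):
    """Validate, then hand the bytes to convert on stdin. The explicit coder prefix
    (e.g. 'png:-') tells ImageMagick which decoder to use instead of letting it
    guess; output is always written as PNG. Assumes convert is on PATH."""
    if not is_acceptable_upload(filename, data):
        raise ValueError("rejected %r: not an allowed raster image" % filename)
    fmt = sniff_format(data)
    result = subprocess.run(
        ["convert", fmt + ":-", "-resize", geometry, "png:-"],
        input=data, capture_output=True, check=True,
    )
    return result.stdout


# Constructed sample uploads; truncated headers are enough to exercise the check.
SAMPLES = {
    "photo.png":  b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",                    # genuine PNG header
    "anim.gif":   b"GIF89a\x01\x00\x01\x00",                                    # genuine GIF header
    "avatar.png": b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n",  # MVG text, .png name
    "pic.jpg":    b"GIF89a\x01\x00\x01\x00",                                    # GIF content, .jpg name
    "logo.svg":   b"<svg xmlns='http://www.w3.org/2000/svg'></svg>",            # SVG is not on the allow list
}


def classify_samples(samples=SAMPLES):
    """Map each sample filename to whether the handler would accept it."""
    return {name: is_acceptable_upload(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, ok in classify_samples().items():
        print("%-12s %s" % (name, "accept" if ok else "REJECT"))
```

A name/content mismatch (pic.jpg holding GIF data) is rejected rather than silently re-labelled; accepting it would mean trusting the sniffed type over what the uploader declared, and a strict policy is easier to reason about. This check complements the policy file below; it does not replace it.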
For details, see the ImageTragick website.
If you suspect that a system or application you manage is vulnerable but are not sure, apply the second recommendation (the policy file) as a precaution as soon as possible.
Whenever vendors make critical security updates available, apply them as soon as possible after appropriate testing.
Exploiting these vulnerabilities to execute arbitrary code on a vulnerable system is relatively easy, and exploit examples are publicly available. Reports indicate that exploitation in the wild is already occurring, and it is expected to spread quickly.
Technical details including exploit code have been shared publicly in several places such as on the Open Source Software Security mailing list.
Check /etc/ImageMagick/policy.xml to ensure that the recommended lines are present so that the vulnerable ImageMagick coders are disabled. Running convert -list policy prints the policy ImageMagick has actually loaded, which confirms that the file is being read from the expected location. Systems that do not disable the vulnerable coders through a policy file may be vulnerable to attack.
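An added example (not code from this alert or from the ImageMagick project) that performs the check above: it parses a policy.xml, reports which of the coders named in the ImageTragick mitigation it fails to deny, and emits a copy with the missing entries appended. The coder list is the ImageTragick website's recommendation (EPHEMERAL, URL, HTTPS, MVG and MSL, later extended with TEXT, SHOW, WIN and PLT); the sample policy embedded below is constructed, and the path passed on the command line is assumed to be the real file.

```python
# Added example, not code from the U-M alert or from ImageMagick: audit a policy.xml
# for the coder denials the ImageTragick mitigation calls for.
import fnmatch
import sys
import xml.etree.ElementTree as ET

# Coders the ImageTragick site recommends denying. The first five were the original
# list; TEXT, SHOW, WIN and PLT were added to the same recommendation afterwards.
REQUIRED_DENIED_CODERS = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL",
                          "TEXT", "SHOW", "WIN", "PLT")

# Constructed stand-in for /etc/ImageMagick/policy.xml: one resource limit and one
# coder denial, so the audit below should report the other eight coders.
SAMPLE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
</policymap>
"""


def denied_coder_patterns(policy_xml):
    """Patterns of every <policy domain="coder" rights="none" .../> entry."""
    root = ET.fromstring(policy_xml)
    return [p.get("pattern", "").upper()
            for p in root.iter("policy")
            if p.get("domain") == "coder"
            and (p.get("rights") or "").strip().lower() == "none"]


def missing_coder_denials(policy_xml, required=REQUIRED_DENIED_CODERS):
    """Required coders not covered by any rights="none" pattern. Policy patterns
    are globs, so a single pattern of "*" covers every coder."""
    patterns = denied_coder_patterns(policy_xml)
    return [coder for coder in required
            if not any(fnmatch.fnmatchcase(coder, pat) for pat in patterns)]


def hardened_policy(policy_xml, required=REQUIRED_DENIED_CODERS):
    """Return policy_xml with a rights="none" entry appended for each missing coder."""
    root = ET.fromstring(policy_xml)
    for coder in missing_coder_denials(policy_xml, required):
        entry = ET.SubElement(root, "policy", domain="coder", rights="none", pattern=coder)
        entry.tail = "\n"
    return ET.tostring(root, encoding="unicode")


def check_policy_file(path, required=REQUIRED_DENIED_CODERS):
    """Audit a policy file on disk; returns the list of coders still not denied."""
    with open(path, encoding="utf-8") as fh:
        return missing_coder_denials(fh.read(), required)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_POLICY
    missing = missing_coder_denials(xml_text)
    print("coders still not denied:", ", ".join(missing) or "none")
    if missing:
        print("\nhardened policy (merge the appended lines into the real file):")
        print(hardened_policy(xml_text))
```

Run it as python check_policy.py /etc/ImageMagick/policy.xml (or the versioned directory your distribution uses). The hardened output drops the XML declaration and DOCTYPE that the distributed file carries, so copy the appended policy lines into the real file rather than overwriting it, then confirm with convert -list policy that ImageMagick loaded them.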
Information for Users
This does not directly affect users; it affects servers only. MiWorkspace machines are not affected.
Questions, Concerns, Reports
Please contact email@example.com.
References
- ImageMagick Security Issue (ImageMagick, 5/3/16)
- ImageTragick: ImageMagick Is On Fire - CVE-2016-3714 (ImageTragick website)
- Huge number of sites imperiled by critical image-processing vulnerability (Ars Technica, 5/3/16)
- Re: ImageMagick Is On Fire -- CVE-2016-3714 (Open Source Software Security mailing list, 5/4/16)
- Critical flaws in ImageMagick library expose millions of websites to hacking (PC World, 5/4/16)