Attackers are actively exploiting a vulnerability in the popular open source image processing tool ImageMagick to remotely execute code on Web servers and take over websites. ImageMagick is currently working on a patch, available in the latest source code on GitHub, but it's incomplete and not yet ready for official release.
Even though fixes are not yet available, the warning advisory was necessary because "these vulnerabilities are available to individuals other than the person(s) who discovered them," according to the advisory posted by Ryan Huber, a security engineer at Slack, on the ImageTragick website. ImageTragick refers to one of the bugs, a remote code execution flaw (CVE-2016-3714).
"An unknowable number of people having access to these vulnerabilities makes this a critical issue for everyone using this software," Huber wrote.
The latest packages from the 6 and 7 branches, including the versions provided in Ubuntu 14.04 and OS X, are all vulnerable. The fixes are expected to be available in versions 7.0.1-1 and 6.9.3-10, which are expected to be out by the weekend.
Apply the workarounds now
The vulnerabilities affect both the ImageMagick software and the library, which is supported by more than a dozen other languages, including PHP (imagick), Ruby (rmagick and paperclip), Node.js (imagemagick), and Python. Many popular content management systems, blogging sites, and social media platforms use either the image processing tool or the library to resize, crop, and otherwise tweak images uploaded by users. A large number of websites are vulnerable to attack, and Web application developers and server administrators should immediately apply workarounds to mitigate the flaws.
The first recommendation is to verify that all image files begin with the expected "magic bytes" corresponding to the file types before sending them to ImageMagick for processing. For GIF images, the first few bytes tend to start with the hex bytes "47 49 46 38," while JPEG files start with "FF D8." Check the list of magic bytes to identify other file types.
The second is to use a policy file -- the global policy.xml file is usually found in /etc/ImageMagick -- to disable vulnerable ImageMagick coders. ImageMagick provided details on policies to block possible exploits on its user forums. It's also possible to remove support for HTTPS by deleting the policy from the delegates.xml configuration file.
"We recommend you mitigate the known vulnerabilities by doing at least one of these two things (but preferably both!)," the advisory said. "[The mitigations] are effective against all of the exploit samples we've seen, but we cannot guarantee they will eliminate all vectors of attack."
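The two mitigations above, worked through in code as an added example (not code from the advisory or the ImageMagick project): the first function decides on file content alone, using the GIF and JPEG magic bytes the article cites plus the well-known PNG signature, so an MVG script renamed to .jpg is rejected before ImageMagick ever sees it; the second audits a policy.xml for the coder-domain denials the advisory recommends. The coder list (EPHEMERAL, URL, HTTPS, MVG, MSL) and the sample inputs are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

# Magic bytes the article cites (GIF "47 49 46 38", JPEG "FF D8") plus PNG,
# a well-known signature added here for completeness.
MAGIC_BYTES = {
    "gif": (bytes.fromhex("47494638"),),
    "jpeg": (bytes.fromhex("FFD8"),),
    "png": (bytes.fromhex("89504E470D0A1A0A"),),
}

def detect_image_type(data):
    """Return the image type whose magic bytes start `data`, or None.
    The decision is made on content only; the filename and extension are
    ignored, so renaming an MVG/MSL script to .jpg does not get past it."""
    for kind, signatures in MAGIC_BYTES.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None

# Coders to deny via policy.xml. The article names ephemeral, msl, mvg and
# HTTPS; URL is included here as an assumption (it is the other remote-fetch coder).
REQUIRED_BLOCKED_CODERS = {"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL"}

def missing_coder_policies(policy_xml):
    """Parse a policy.xml document and return the required coders that are
    not yet denied by a <policy domain="coder" rights="none" .../> entry."""
    root = ET.fromstring(policy_xml)
    blocked = {
        p.get("pattern", "").upper()
        for p in root.iter("policy")
        if p.get("domain") == "coder" and p.get("rights") == "none"
    }
    return REQUIRED_BLOCKED_CODERS - blocked

# Constructed samples: a minimal GIF89a header, a harmless MVG drawing that
# an uploader might submit under a .jpg name, and a policy.xml missing URL.
SAMPLE_GIF = bytes.fromhex("474946383961") + b"\x01\x00\x01\x00"
SAMPLE_MVG_AS_JPG = b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n"
SAMPLE_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>"""

if __name__ == "__main__":
    print(detect_image_type(SAMPLE_GIF))          # gif
    print(detect_image_type(SAMPLE_MVG_AS_JPG))   # None: reject the upload
    print(missing_coder_policies(SAMPLE_POLICY))  # {'URL'}: policy still incomplete
```

Run the magic-byte check on the raw upload bytes before handing the file to any ImageMagick binding, and run the policy audit against the deployed /etc/ImageMagick/policy.xml; an empty set from the latter means every listed coder is denied.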
Some Web applications give administrators a choice of image processing libraries. For example, MediaWiki supports both the GD library and ImageMagick. At this time, it would be a good idea to switch to GD or other supported third-party tools to handle thumbnails and other image processing tasks.
Administrators should also consider temporarily turning off image uploads on their Web applications until the patches are available and have been applied.
Web application developers can also investigate sandboxing ImageMagick, although the team did not provide any information on how to do so.
HD Moore, the creator of the Metasploit penetration testing framework, promised a public Metasploit module by Wednesday. "Because these ImageMagick vulnerabilities are being exploited today to hijack websites, getting a public Metasploit module out quickly is critically important for defenders to test their mitigation strategies," said Tod Beardsley, senior security research manager at Rapid7 and Metasploit collaborator.
Full disclosure on the heels of an exploit
The remote code execution flaw -- ImageTragick (CVE-2016-3714) -- and four other vulnerabilities in ImageMagick's image decoder were initially discovered by Nikolay Ermishkin, a security researcher for Mail.ru. Huber preempted disclosure by a few hours because the remote code execution bug was already being used in the wild. "The exploit is trivial, so we expect it to be available within hours," said Huber. Within hours of Huber's post, there was at least one report of a proof-of-concept on Twitter and an exploit on Hacker News.
CVE-2016-3714 is a bug where filenames passed to ImageMagick's delegates are insufficiently sanitized. "Due to insufficient %M param filtering, it is possible to conduct shell command injection," according to Ermishkin's disclosure on the oss-security mailing list. For example, delegates have a default command that uses wget to handle HTTPS requests. An attacker can pass a string with a shell command appended to a URL, and because of insufficient filtering, the delegate ends up executing the unexpected command as well.
The severity of the issue is compounded by the fact that ImageMagick supports an extensive list of file formats including those that can refer to external files. While processing the initial file, ImageMagick would attempt to load those external references as well, which could trigger the flaw. ImageMagick's "identify" tool is also vulnerable and cannot be used to filter files.
The remaining flaws also take advantage of ImageMagick's support for including external files. The server-side request forgery vulnerability (CVE-2016-3718) lets attackers include arbitrary HTTP GET or FTP requests within the file. Attackers can trigger CVE-2016-3715 to delete files using ImageMagick's ephemeral pseudo-protocol, CVE-2016-3716 to move image files to another arbitrary file via the msl pseudo-protocol, and read the content of the files from the server (CVE-2016-3717) using ImageMagick's
"ImageMagick tries to guess the type of the file by its content, so exploitation doesn't depend on the file extension," the advisory said. "You can rename exploit.mvg to exploit.jpg or exploit.png to bypass file type checks."
Keep an eye on this space
"Image type confusion bugs have hit other image processors before, so we can expect that other criminal kits will have their own exploits soon," Beardsley said. Administrators should deploy the suggested mitigations, especially since exploits are already available.
The ImageMagick team is working on the updates and has promised a solution within the next few days. Fixing the software will still be a time-consuming process since all downstream packages have to be rebuilt. For example, developers will have to wait for Canonical to update Ubuntu's Python library with the new ImageMagick library before they can fix their Python applications. Update to the latest version from ImageMagick as soon as the fixed releases are available, and stay alert for fixes from other languages and software.