Just a moment...

How to fix the Imagemagick vulnerability and check if you’re at risk


ImageMagick is a one of the most popular image processing libraries for resizing, cropping and  editing uploaded images.   Websites with profile pictures and avatars commonly use ImageMagick to resize these uploads.

Researchers found a serious vulnerability documented in CVE-2016-3714, affectionately dubbed “ImageTragick” that can allow hackers to execute code on your site remotely.

In basic terms, hackers upload an image with malicious embedded code, which calls ImageMagick to begin processing an image.  This can cause the code to run on your server with elevated user permissions.  At that point, the hacker can take total control of the server, and what’s worse, this exploit is relatively easy to use.

Here’s how to protect yourself.  First, find out if you’re vulnerable, and then fix the ImageMagick exploit. If your website accepts user image uploads of any kind, this should be a high priority.

Check for the vulnerability

If your site processes images and uses PHP, Ruby, or Node.js, there’s a good chance you use ImageMagick or a plugin based on it.

Here’s how to test if your site is at risk:

Create a new text file and save it with the name test.mvg.  Add the following lines of text into it:

push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg" | ls "-la)'
pop graphic-context

Upload it to the server and from the command line (ssh),  run

convert test.mvg out.png

If this shows the content of your directory as though you just ran ls -la, you’re affected.  For more information on testing, see the RedHat page on CVE-2016-3714, and the ImageTragick Team has additional tests.

Fix the vulnerability

Red Hat Enterprise Linux and CentOS 6 and 7 already have patches available to fix this issue.  Update your system with yum update imagemagick to fix this vulnerability.  There are more details on the RHEL site.

For RHEL and CentOS 5, you will need to make some changes to mitigate the problem:

In the following folders:
/usr/lib64/ImageMagick-6.2.8/modules-Q16/coders/ (64bit)
/usr/lib/ImageMagick-6.2.8/modules-Q16/coders/ (32bit package)3:15]
Rename the following files, mvg.so, msl.so, label.so. Example:[3:15]
$ mv mvg.so mvg.so.bak
$ mv msl.so msl.so.bak
$ mv label.so label.so.bak

So far, the number of attacks using this vulnerability are limited, but if left unmitigated, it represents a serious risk to websites using the ImageMagick package.  We advise all site owners and developers to take care and ensure that they’ve taken steps to cut off this avenue of attack.


Read This Next:

Just a moment...
Just a moment...