Re: ImageMagick Security Issue
Posted: 2016-05-04T23:25:46-07:00
by fmw42
My suspicion is that you are still susceptible at 6.2.8 and would need to upgrade to a version that supports policy.xml and then add the new policies. The policies are just a means to restrict use of the offending files that could carry the malicious code.
But I will defer to the IM developers for a more specific answer.
Re: ImageMagick Security Issue
Posted: 2016-05-05T00:41:52-07:00
by ditto
magick wrote:
> [..]
> Reminder, we have patched the reported exploits in ImageMagick 7.0.1-1 and ImageMagick 6.9.3-10 available sometime tomorrow. You'll still need to add
> <policy domain="path" rights="none" pattern="@*" />
> to your policy.xml configuration file to stop any indirect reads (e.g. @somefile).
I have upgraded to ImageMagick 6.9.3-10, but this makes me unsure if that is all I need to do to be safe? Or do I need to apply the policy mentioned above?
I have run the command mentioned some other place:
Code:
[root@server ~]# identify -list resource
Resource limits:
Width: 214.7MP
Height: 214.7MP
Area: 16.377GP
Memory: 7.626GiB
Map: 15.252GiB
Disk: unlimited
File: 49151
Thread: 8
Throttle: 0
Time: unlimited
[root@server ~]#
And at the bottom of the file /usr/local/etc/ImageMagick-6/policy.xml I have this content:
Code:
<policymap>
<!-- <policy domain="resource" name="temporary-path" value="/tmp"/> -->
<!-- <policy domain="resource" name="memory" value="2GiB"/> -->
<!-- <policy domain="resource" name="map" value="4GiB"/> -->
<!-- <policy domain="resource" name="width" value="10MP"/> -->
<!-- <policy domain="resource" name="height" value="10MP"/> -->
<!-- <policy domain="resource" name="area" value="1GB"/> -->
<!-- <policy domain="resource" name="disk" value="16EB"/> -->
<!-- <policy domain="resource" name="file" value="768"/> -->
<!-- <policy domain="resource" name="thread" value="4"/> -->
<!-- <policy domain="resource" name="throttle" value="0"/> -->
<!-- <policy domain="resource" name="time" value="3600"/> -->
<!-- <policy domain="system" name="precision" value="6"/> -->
<policy domain="cache" name="shared-secret" value="passphrase"/>
</policymap>
Does this look good? Do I need to do anything else than I have already done (I have upgraded to 6.9.3-10)? If so, is the path /usr/local/etc/ImageMagick-6/policy.xml the correct place to edit the policy file?
Re: ImageMagick Security Issue
Posted: 2016-05-05T08:47:37-07:00
by frEEk
>Or do I need to apply the policy mentioned above?
As I read it, yes you need to do the update AND add that one policy line (as opposed to adding several policy lines with the unpatched version).
>is the path /usr/local/etc/ImageMagick-6/policy.xml the correct place to edit the policy file?
The path depends on the distribution. If you have a policy file at that location then it is almost certainly the right place. You can make sure by adding the new line, then running "convert -list policy" to see if the new policy has been consumed.
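Added example, not part of any post in this thread: a small Python check that the path policy quoted above is actually live in a policy.xml rather than absent or commented out. The sample file contents are constructed (abridged from the file posted earlier), and the function names and the case-handling rule are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

# The one line the quoted developer post says is still needed after upgrading.
REQUIRED = [{"domain": "path", "rights": "none", "pattern": "@*"}]

# Constructed sample: abridged from the policy.xml posted above, where every
# entry except the cache shared-secret is commented out.
POSTED = """<policymap>
  <!-- <policy domain="resource" name="memory" value="2GiB"/> -->
  <!-- <policy domain="system" name="precision" value="6"/> -->
  <policy domain="cache" name="shared-secret" value="passphrase"/>
</policymap>"""

# Constructed sample: the same file with the path policy added.
FIXED = POSTED.replace(
    "</policymap>",
    '  <policy domain="path" rights="none" pattern="@*" />\n</policymap>')


def active_policies(xml_text):
    """Return attribute dicts of live <policy> elements.

    The XML parser discards comments, so commented-out entries never appear.
    """
    root = ET.fromstring(xml_text)
    return [dict(p.attrib) for p in root.iter("policy")]


def _same(key, have, want):
    # Assumption of this sketch: domain/rights keywords are compared
    # case-insensitively, every other attribute (e.g. pattern) exactly.
    if key in ("domain", "rights"):
        return have.lower() == want.lower()
    return have == want


def missing_policies(xml_text, required=REQUIRED):
    """Return the required entries that no live <policy> element satisfies."""
    active = active_policies(xml_text)
    return [req for req in required
            if not any(all(_same(k, p.get(k, ""), v) for k, v in req.items())
                       for p in active)]


if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("fixed", FIXED)):
        gaps = missing_policies(text)
        print(label, "OK" if not gaps else f"missing: {gaps}")
```

This inspects file contents only; whether the installed binary reads that particular file is what the "-list policy" check described above confirms.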
Re: ImageMagick Security Issue
Posted: 2016-05-05T09:14:03-07:00
by fmw42
running "convert -list policy"
I believe that he means
Re: ImageMagick Security Issue
Posted: 2016-05-05T10:32:54-07:00
by mtarkowski
Hi,
My company's security team has discovered the risk of web site hijacking from using ImageMagick and wants me to remove it because of the following article at
http://www.theregister.co.uk/2016/05/03/imagemagick.
After checking our WordPress blog site, I see we are not using ImageMagick in binary but are using ImageMagick in .php files. Does the risk of hijacking apply when using ImageMagick in .php files?
If yes, is there a solution?
Re: ImageMagick Security Issue
Posted: 2016-05-05T10:35:49-07:00
by fmw42
I believe so. If you are using PHP exec() calls or Imagick or one of the PHP APIs, they all rely upon ImageMagick and that is where the vulnerabilities reside. However, this has been patched in the current versions of ImageMagick and there are fixes in the policy.xml file that can be added to handle earlier versions. See
viewtopic.php?f=4&t=29588
Re: ImageMagick Security Issue
Posted: 2016-05-05T11:33:50-07:00
by mtarkowski
Thank you for the response.
However, there is no policy.xml file in the WordPress sites. Also, none of the ImageMagick commands work (ex: convert -list policy) because it is not installed on the server.
I do see 2 files on the server inside a WordPress plugin; class-wp-image-editor-imagick.php and imagemagick.inc.php
Comments inside the files are :
* WordPress Imagick Image Editor
* @package WordPress
* @subpackage Image_Editor
* WordPress Image Editor Class for Image Manipulation through Imagick PHP Module
* @since 3.5.0
* @package WordPress
* @subpackage Image_Editor
* @uses WP_Image_Editor Extends class
* imagemagick.inc.php
*
* @author Frederic De Ranter
* @copyright Copyright 2008
* @version 0.4 (PHP4)
* @based on thumbnail.inc.php by Ian Selby (gen-x-design.com)
* @since NextGEN V1.0.0
Do I need to create a policy.xml file? If yes, any idea where?
Re: ImageMagick Security Issue
Posted: 2016-05-05T11:38:06-07:00
by fmw42
What is your version of Imagemagick and platform?
should tell you that.
If your version is too old, then there is no policy.xml. But that needs to be very ancient.
will list your policy values on more current versions of IM.
Re: ImageMagick Security Issue
Posted: 2016-05-05T11:44:34-07:00
by mtarkowski
When I try the convert command I get the following.
# convert -list resource
zsh: command not found: convert
Re: ImageMagick Security Issue
Posted: 2016-05-05T11:45:45-07:00
by fmw42
Are you sure you have imagemagick installed?
Does
convert -version
work?
Re: ImageMagick Security Issue
Posted: 2016-05-05T11:46:56-07:00
by mtarkowski
Here is what I get.
# convert -version
zsh: command not found: convert
Re: ImageMagick Security Issue
Posted: 2016-05-05T13:52:50-07:00
by frEEk
fmw42 wrote:
> I believe that he means
That may work too, but I did mean "policy" as it shows the results of the lines added to the policy file. I used it as a way to confirm the additions had been read correctly.
Re: ImageMagick Security Issue
Posted: 2016-05-05T13:55:22-07:00
by frEEk
mtarkowski wrote:
> # convert -version
> zsh: command not found: convert
Sounds to me like you don't use imagemagick. Just because WP has files that mention IM, doesn't mean it is in use, just that it supports it. Your WP installation may use GD or some other image manipulation library. You may get some confirmation by running "phpinfo()" (within a php script) and looking if it indicates imagick being available.
Re: ImageMagick Security Issue
Posted: 2016-05-05T14:02:56-07:00
by cpwgem
The information spread around this issue seems a bit cluttered so I need some clarifications. The vuln reporters have listed the following CVEs
* CVE-2016-3714 - Insufficient shell characters filtering leads to (potentially remote) code execution
Insufficient filtering for filename passed to delegate's command allows remote code execution during conversion of several file formats.
* CVE-2016-3718 - SSRF
It is possible to make HTTP GET or FTP request
* CVE-2016-3715 - File deletion
It is possible to delete files by using ImageMagick's 'ephemeral' pseudo protocol which deletes files after reading
* CVE-2016-3716 - File moving
It is possible to move image files to file with any extension in any folder by using ImageMagick's 'msl' pseudo protocol
* CVE-2016-3717 - Local file read
It is possible to get content of the files from the server by using ImageMagick's 'label' pseudo protocol
------------
There appears to be a policy.xml file to disable rights for certain coders. It seems this would address CVE-2016-3715, CVE-2016-3716, and CVE-2016-3717; is this correct?
------------
A previous posting listed two commits, but from what the vuln reporters are saying the current patches are incomplete for addressing the actual issue. Is this what we're waiting over the weekend for? Are those meant to address CVE-2016-3714 and CVE-2016-3718?
-------------
Thank you ahead of time for any and all responses.
Re: ImageMagick Security Issue
Posted: 2016-05-05T14:05:45-07:00
by fmw42
frEEk wrote:
> fmw42 wrote:
> > I believe that he means
> That may work too, but I did mean "policy" as it shows the results of the lines added to the policy file. I used it as a way to confirm the additions had been read correctly.
I have never heard of that command. I get:
Code:
convert -list policy
Path: /usr/local/etc/ImageMagick-6/policy.xml
Policy: Unrecognized
rights: None
Path: [built-in]
Policy: Undefined
rights: None