Attackers are actively exploiting a vulnerability in the popular open source image processing tool ImageMagick to remotely execute code on Web servers and take over websites. ImageMagick is currently working on a patch, available in the latest source code on GitHub, but it's incomplete and not yet ready for official release.
Even though fixes are not yet available, the warning advisory was necessary because "these vulnerabilities are available to individuals other than the person(s) who discovered them," according to the advisory posted by Ryan Huber, a security engineer at Slack, on the ImageTragick website. ImageTragick refers to one of the bugs, a remote code execution flaw (CVE-2016-3714).
"An unknowable number of people having access to these vulnerabilities makes this a critical issue for everyone using this software," Huber wrote.
The latest packages from the 6 and 7 branches, including the versions provided in Ubuntu 14.04 and OS X are all vulnerable. The fixes are expected to be available in versions 7.0.1-1 and 6.9.3-10, which are expected to be out by the weekend.
Apply the workarounds now
The vulnerabilities affect both the ImageMagick software and the library, which is supported by more than a dozen other languages, including PHP (imagick), Ruby (rmagick and paperclip), Node.js (imagemagick), and Python. Many popular content management systems, blogging sites, and social media platforms use either the image processing tool or the library to resize, crop, and otherwise tweak images uploaded by users. A large number of websites are vulnerable to attack, and Web application developers and server administrators should immediately apply workarounds to mitigate the flaws.
The first recommendation is to verify that all image files begin with the expected "magic bytes" corresponding to their file types before sending them to ImageMagick for processing. GIF images start with the hex bytes "47 49 46 38," while JPEG files start with "FF D8." Check the list of magic bytes to identify other file types.
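The magic-byte check described above, written out as an added example (this is not code from the article or from the ImageMagick project). It assumes an upload handler that knows the user-supplied filename and has the raw bytes in memory; the allowlist contains the two signatures the article gives (GIF and JPEG) plus PNG, and the sample inputs are constructed. The point is that ImageMagick chooses its coder from the file's content, not its extension, so the bytes are checked against the type the extension claims before they ever reach the library.

```python
# Allowlist of accepted image types, keyed by the "magic bytes" each format
# begins with. GIF and JPEG signatures are the ones quoted in the article;
# PNG's eight-byte signature is added here as an assumption for illustration.
MAGIC_BYTES = {
    "gif": (b"GIF87a", b"GIF89a"),   # 47 49 46 38 37/39 61
    "jpeg": (b"\xff\xd8\xff",),      # FF D8 FF
    "png": (b"\x89PNG\r\n\x1a\n",),  # 89 50 4E 47 0D 0A 1A 0A
}

# Upload extensions the application accepts, mapped to the type their
# content must sniff as. Anything not listed here is rejected outright.
EXTENSION_TO_TYPE = {"gif": "gif", "jpg": "jpeg", "jpeg": "jpeg", "png": "png"}


def sniff_image_type(data: bytes):
    """Return the allowlisted type whose magic bytes `data` starts with, or None."""
    for image_type, signatures in MAGIC_BYTES.items():
        if any(data.startswith(sig) for sig in signatures):
            return image_type
    return None


def is_safe_to_process(filename: str, data: bytes) -> bool:
    """Accept an upload only if its extension is allowlisted AND the leading
    bytes match that exact type. A mismatch (for example, text content named
    photo.jpg) is rejected before ImageMagick sees it, because ImageMagick
    would otherwise pick a coder based on the content rather than the name."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = EXTENSION_TO_TYPE.get(ext)
    if expected is None:
        return False
    return sniff_image_type(data) == expected


if __name__ == "__main__":
    # Constructed sample uploads: a minimal GIF header, a JPEG SOI/APP0
    # header, and a text document disguised with an image extension.
    samples = {
        "avatar.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00",
        "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
        "disguised.jpg": b'<?xml version="1.0"?>\n<doc/>',
        "vector.svg": b'<?xml version="1.0"?>\n<svg/>',
    }
    for name, content in samples.items():
        verdict = "accept" if is_safe_to_process(name, content) else "reject"
        print(f"{name:15} sniffed={sniff_image_type(content)!s:6} -> {verdict}")
```

Run this before handing the bytes to `convert`, `identify` or any of the language bindings; a rejected upload should be logged with the filename and the sniffed type, since a run of mismatches from one client is a useful detection signal.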
The second is to use a policy file -- the global policy.xml file is usually found in /etc/ImageMagick -- to disable vulnerable ImageMagick coders. ImageMagick provided details on policies to block possible exploits on its user forums. It's also possible to remove support for HTTPS by deleting the corresponding entry from the delegates.xml configuration file.
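An added example, not from the article or the ImageMagick project, of how an administrator can audit a policy.xml for the coder restrictions. It assumes the standard `<policymap>` / `<policy domain="coder" rights="none" pattern="..."/>` element format that ImageMagick's policy file uses; the set of coders to check defaults to the five the ImageTragick advisory's published policy disabled (the article itself names HTTPS; EPHEMERAL, URL, MVG and MSL are taken from that advisory). Both sample policy documents are constructed inline.

```python
import xml.etree.ElementTree as ET

# Coders the ImageTragick advisory's policy.xml disabled. HTTPS is named in
# the article; the other four come from the advisory's published policy.
CODERS_TO_DISABLE = frozenset({"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL"})


def disabled_coders(policy_xml: str) -> set:
    """Return the set of coder patterns a policy.xml document fully disables,
    i.e. every <policy domain="coder" rights="none" pattern="X"/> entry."""
    root = ET.fromstring(policy_xml)
    disabled = set()
    for policy in root.iter("policy"):
        if policy.get("domain") != "coder":
            continue
        if policy.get("rights", "").strip().lower() != "none":
            continue  # read-only or other partial rights still leave the coder usable
        pattern = policy.get("pattern")
        if pattern:
            disabled.add(pattern.upper())
    return disabled


def missing_mitigations(policy_xml: str, required=CODERS_TO_DISABLE) -> set:
    """Coders from `required` that the given policy does NOT disable."""
    return set(required) - disabled_coders(policy_xml)


def audit_policy_file(path: str = "/etc/ImageMagick/policy.xml") -> set:
    """Read the global policy file (default path is the one the article
    gives; some installs use a versioned directory) and report gaps."""
    with open(path, encoding="utf-8") as fh:
        return missing_mitigations(fh.read())


# Constructed sample: a policy that only disables the HTTPS coder.
PARTIAL_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="HTTPS" />
</policymap>
"""

# Constructed sample: the full set of coder restrictions from the advisory.
HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>
"""

if __name__ == "__main__":
    for label, doc in (("partial", PARTIAL_POLICY), ("hardened", HARDENED_POLICY)):
        gaps = missing_mitigations(doc)
        print(f"{label}: {'OK' if not gaps else 'still enabled: ' + ', '.join(sorted(gaps))}")
```

After editing the live policy.xml, confirm ImageMagick actually loaded it (the `policy` entries can be listed with `convert -list policy`) rather than trusting the file on disk alone, since a policy.xml in the wrong directory is silently ignored.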
"We recommend you mitigate the known vulnerabilities by doing at least one of these two things (but preferably both!)," the advisory said. "[The mitigations] are effective against all of the exploit samples we've seen, but we cannot guarantee they will eliminate all vectors of attack."
Some Web applications give administrators a choice of image processing libraries. For example, MediaWiki supports both the GD library and ImageMagick. At this time, it would be a good idea to switch to GD or other supported third-party tools to handle thumbnails and other image processing tasks.