ImageMagick Vulnerabilities and Exploits

On Tuesday, the ImageMagick project posted a vulnerability disclosure notification on their official project forum regarding a vulnerability present in some of its coders. The post details a mitigation strategy that seems effective, based on creating a more restricted policy.xml that governs resource usage by ImageMagick components.

Essentially, the ImageMagick vulnerabilities are a combination of a file-type confusion vulnerability (where the ImageMagick components do not correctly identify a file format) and a command injection vulnerability (where the filtering mechanisms for guarding against shell escapes are insufficient).

How worried should I be?

The vulnerabilities were disclosed publicly because they were already being exploited by unknown actors, as reported by Ryan Huber. As he predicted, exploits published by security researchers targeting the affected components are emerging in short order, including a Metasploit module authored by William Vu and HD Moore.

As reported by Dan Goodin, ImageMagick components are common in several web application frameworks, so the threat is fairly serious for any web site operator that is using one of those affected technologies. Since ImageMagick is a component used in several stacks, patches are not universally available yet.

What's next?

Website operators should immediately determine where they use ImageMagick components in image processing, and implement the referenced policy.xml mitigation while awaiting an updated package that fixes the identified vulnerabilities. ImageMagick parses hundreds of file formats, which is part of its usefulness, but restricting the formats it accepts to just the few that are actually needed, such as PNG, JPG, and GIF, is always a good strategy for those sites where it makes sense to do so.
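One way to enforce that format restriction before a file ever reaches ImageMagick, as an added example that is not from the original post or the ImageMagick project. The function names, the upload path and the sample byte strings are assumptions made for illustration. The check rejects any upload whose leading bytes do not match its extension, then pins the decoder with ImageMagick's `format:filename` input syntax so the library does not pick a coder by itself.

```python
import os

# Magic bytes for the only formats this hypothetical site accepts.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXTENSIONS = {".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif"}

# Constructed sample headers (not real uploads).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
GIF_SAMPLE = b"GIF89a" + b"\x00" * 8
TEXT_SAMPLE = b"plain text pretending to be an image\n"


def sniff_format(header: bytes):
    """Return the allowed format whose signature starts the data, or None."""
    for fmt, signatures in MAGIC.items():
        if any(header.startswith(sig) for sig in signatures):
            return fmt
    return None


def magick_input_arg(path: str, header: bytes) -> str:
    """Validate an upload and return a decoder-pinned ImageMagick input argument.

    Raises ValueError when the extension is not allowed or when the file
    content does not match the format the extension claims.
    """
    ext = os.path.splitext(path)[1].lower()
    claimed = EXTENSIONS.get(ext)
    if claimed is None:
        raise ValueError(f"extension {ext!r} is not on the allow list")
    actual = sniff_format(header)
    if actual != claimed:
        raise ValueError(f"content is {actual!r}, extension claims {claimed!r}")
    # Explicit "format:" prefix plus an absolute path: the coder is chosen
    # here, not inferred by ImageMagick from the file's content or name.
    return f"{claimed}:{os.path.abspath(path)}"


if __name__ == "__main__":
    print(magick_input_arg("/srv/uploads/avatar.png", PNG_SAMPLE))
    for name, data in (("/srv/uploads/x.png", TEXT_SAMPLE), ("/srv/uploads/y.jpg", GIF_SAMPLE)):
        try:
            magick_input_arg(name, data)
        except ValueError as err:
            print("rejected", name, "-", err)
```

A check like this complements the policy.xml mitigation; it does not replace it.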

Are any Rapid7 products affected?

No Rapid7 products are affected by this vulnerability.