www.belgium.be Logo of the federal government

Warning - Two new ImageMagick vulnerabilities resulting in DoS and information disclosure

Reference: 
Advisory #2023-0014
Version: 
1.0
Affected software: 
ImageMagick
Type: 
DoS / Information Disclosure
CVE/CVSS: 

CVE-2022-44267

CVE-2022-44268

Sources

See references below.

Risks

An attacker needs to upload a malicious image to a website using ImageMagick, in order to exploit following vulnerabilities:

CVE-2022-44267: When ImageMagick parses a PNG image, the convert process could be left waiting for stdin input resulting in a Denial of Service state.

CVE-2022-44268: When ImageMagick parses a PNG image, the resulting image could have embedded the content of an arbitrary remote file if the ImageMagick binary has permissions to read it.

Description

ImageMagick is a free and open-source software suite for displaying, converting, and editing raster image and vector image files. It is commonly used to provide image manipulation capabilities to both web and desktop applications. The risks only apply when ImageMagick is used as a backend service for web applications such as Drupal, WordPress... 

A malicious actor could craft a PNG or use an existing one and add a textual chunk type. These textual chunk types have a keyword and a text string. If the keyword is the string “profile” (without quotes) then ImageMagick will interpret the text string as a filename and will load the content as a raw profile.

ImageMagick is a free and open-source software suite for displaying, converting, and editing raster image and vector image files. It is commonly used to provide image manipulation capabilities to both web and desktop applications. The risks only apply when ImageMagick is used as a backend service for web applications such as Drupal, WordPress... 

A malicious actor could craft a PNG or use an existing one and add a textual chunk type. These textual chunk types have a keyword and a text string. If the keyword is the string “profile” (without quotes) then ImageMagick will interpret the text string as a filename and will load the content as a raw profile.

CVE-2022-44267 concerns the keyword "profile" (without quotes) in combination with the text string "-" (a single dash). ImageMagick will try to read the content from standard input potentially leaving the process waiting forever.

CVE-2022-44268 concerns the keyword "profile" (without quotes) in combination with a filename such as /etc/pass-wd* as text string. If the ImageMagick binary has permissions to read the provided filename, it will import is as a raw profile. Note this attack needs to be used in combination with a file manipulation action such as resizing. After this file manipulation action on the server, the attacker can download the manipulated image which will come with the content of the remote file.

The researchers did not report exploitation in the wild for these vulnerabilities. Since the PoC has been published the Centre for Cyber Security Belgium expects this to be used for reconnaissance activity.

*Without "-".

Recommended Actions

The Centre for Cyber Security Belgium strongly recommends system administrators to take the following actions:

Create an inventory that includes all the software from your organisation and check per entry if ImageMagick is used. Note certain software might include a copy of ImageMagick in their installation package.

ImageMagick releases published on 06/11/2022 fix above issues. Please upgrade to

  • 6.9.12-67 or later
  • 7.1.0-52 or later

Apply security best practices and apply fine grained permissions on your servers in order to reduce your attack surface.

Upscale monitoring and detection capabilities, to detect any related suspicious activity, ensuring a fast response in case of information leakage. ImageMagick should not attempt to access system configuration files such as webserver configuration for example.

References

Vulnerability Disclosure - https://www.metabaseq.com/imagemagick-zero-days/