ID CVE-2016-3717
Summary The LABEL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to read arbitrary files via a crafted image.
References
Vulnerable Configurations
  • Canonical Ubuntu Linux 12.04 LTS
    cpe:2.3:o:canonical:ubuntu_linux:12.04:-:-:-:lts
  • Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:14.04:-:-:-:lts
  • Canonical Ubuntu Linux 15.10
    cpe:2.3:o:canonical:ubuntu_linux:15.10
  • Canonical Ubuntu Linux 16.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:16.04:-:-:-:lts
  • Red Hat Enterprise Linux Desktop 6.0
    cpe:2.3:o:redhat:enterprise_linux_desktop:6.0
  • RedHat Enterprise Linux Desktop 7.0
    cpe:2.3:o:redhat:enterprise_linux_desktop:7.0
  • RedHat Enterprise Linux HPC Node 6.0
    cpe:2.3:o:redhat:enterprise_linux_hpc_node:6.0
  • RedHat Enterprise Linux HPC Node 7.0
    cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0
  • Red Hat Enterprise Linux HPC Node EUS 7.2
    cpe:2.3:o:redhat:enterprise_linux_hpc_node_eus:7.2
  • Red Hat Enterprise Linux Server 6.0
    cpe:2.3:o:redhat:enterprise_linux_server:6.0
  • RedHat Enterprise Linux Server 7.0
    cpe:2.3:o:redhat:enterprise_linux_server:7.0
  • Red Hat Enterprise Linux Server AUS 7.2
    cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2
  • Red Hat Enterprise Linux Server EUS 7.2
    cpe:2.3:o:redhat:enterprise_linux_server_eus:7.2
  • Red Hat Enterprise Linux Server Supplementary EUS 6.7z
    cpe:2.3:o:redhat:enterprise_linux_server_supplementary_eus:6.7z
  • Red Hat Enterprise Linux Workstation 6.0
    cpe:2.3:o:redhat:enterprise_linux_workstation:6.0
  • RedHat Enterprise Linux Workstation 7.0
    cpe:2.3:o:redhat:enterprise_linux_workstation:7.0
  • ImageMagick 6.9.3-9
    cpe:2.3:a:imagemagick:imagemagick:6.9.3-9
  • ImageMagick 7.0.0-0
    cpe:2.3:a:imagemagick:imagemagick:7.0.0-0
  • ImageMagick 7.0.1-0
    cpe:2.3:a:imagemagick:imagemagick:7.0.1-0
CVSS
Base: 7.1 (as of 19-08-2016 - 10:43)
Impact:
Exploitability:
CWE CWE-200
CAPEC
  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
  • Reusing Session IDs (aka Session Replay)
    This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
  • Using Slashes in Alternate Encoding
    This attack targets the encoding of the Slash characters. An attacker would try to exploit common filtering problems related to the use of the slashes characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the attacker many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE NONE NONE
exploit-db via4
description ImageMagick - Multiple Vulnerabilities. CVE-2016-3714,CVE-2016-3715,CVE-2016-3716,CVE-2016-3717,CVE-2016-3718. Dos exploits for multiple platform
file exploits/multiple/dos/39767.txt
id EDB-ID:39767
last seen 2016-05-04
modified 2016-05-04
platform multiple
port
published 2016-05-04
reporter Nikolay Ermishkin
source https://www.exploit-db.com/download/39767/
title ImageMagick < 6.9.3-9 - Multiple Vulnerabilities
type dos
nessus via4
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201611-21.NASL
    description The remote host is affected by the vulnerability described in GLSA-201611-21 (ImageMagick: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in ImageMagick. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly execute arbitrary code with the privileges of the process or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2016-12-21
    plugin id 95420
    published 2016-12-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95420
    title GLSA-201611-21 : ImageMagick: Multiple vulnerabilities (ImageTragick)
  • NASL family CGI abuses
    NASL id WORDPRESS_4_5_2.NASL
    description According to its self-reported version number, the WordPress application running on the remote web server is 4.5.x prior to 4.5.2. It is, therefore, affected by the following vulnerabilities : - A remote code execution vulnerability, known as ImageTragick, exists in the ImageMagick library due to a failure to properly filter shell characters in filenames passed to delegate commands. A remote attacker can exploit this, via specially crafted images, to inject shell commands and execute arbitrary code. (CVE-2016-3714) - An unspecified flaw exists in the ImageMagick library in the 'ephemeral' pseudo protocol that allows an attacker to delete arbitrary files. (CVE-2016-3715) - An unspecified flaw exists in the ImageMagick library in the 'ms' pseudo protocol that allows an attacker to move arbitrary files to arbitrary locations. (CVE-2016-3716) - An unspecified flaw exists in the ImageMagick library in the 'label' pseudo protocol that allows an attacker, via a specially crafted image, to read arbitrary files. (CVE-2016-3717) - A server-side request forgery (SSRF) vulnerability exists due to an unspecified flaw related to request handling between a user and the server. A remote attacker can exploit this, via an MVG file with a specially crafted fill element, to bypass access restrictions and conduct host-based attacks. (CVE-2016-3718) - An unspecified flaw exists in Plupload that allows an attacker to perform a same-origin method execution. (CVE-2016-4566) - A reflected cross-site scripting vulnerability exists in MediaElement.js due to improper validation of user-supplied input. A context-dependent attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2016-4567) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2018-08-07
    plugin id 91101
    published 2016-05-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91101
    title WordPress 4.5.x < 4.5.2 Multiple Vulnerabilities (ImageTragick)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-484.NASL
    description Several security vulnerabilities were discovered in graphicsmagick a tool to manipulate image files. GraphicsMagick is a fork of ImageMagick and also affected by vulnerabilities collectively known as ImageTragick, that are the consequence of lack of sanitization of untrusted input. An attacker with control on the image input could, with the privileges of the user running the application, execute code (CVE-2016-3714), make HTTP GET or FTP requests (CVE-2016-3718), or delete (CVE-2016-3715), move (CVE-2016-3716), or read (CVE-2016-3717) local files. To address these concerns the following changes have been made : 1. Remove automatic detection/execution of MVG based on file header or file extension. 2. Remove the ability to cause an input file to be deleted based on a filename specification. 3. Improve the safety of delegates.mgk by removing gnuplot support, removing manual page support, and by adding -dSAFER to all ghostscript invocations. 4. Sanity check the MVG image primitive filename argument to assure that 'magick:' prefix strings will not be interpreted. Please note that this patch will break intentional uses of magick prefix strings in MVG and so some MVG scripts may fail. We will search for a more flexible solution. In addition the following issues have been fixed : CVE-2015-8808 Assure that GIF decoder does not use unitialized data and cause an out-of-bound read. CVE-2016-2317 and CVE-2016-2318 Vulnerabilities that allow to read or write outside memory bounds (heap, stack) as well as some NULL pointer derreferences to cause a denial of service when parsing SVG files. For Debian 7 'Wheezy', these problems have been fixed in version 1.3.16-1.1+deb7u1. We recommend that you upgrade your graphicsmagick packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-06
    plugin id 91299
    published 2016-05-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91299
    title Debian DLA-484-1 : graphicsmagick security update (ImageTragick)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1401.NASL
    description Various security issues were discovered in Graphicsmagick, a collection of image processing tools. Heap-based buffer overflows or overreads may lead to a denial of service or disclosure of in-memory information or other unspecified impact by processing a malformed image file. For Debian 8 'Jessie', these problems have been fixed in version 1.3.20-3+deb8u3. We recommend that you upgrade your graphicsmagick packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-08-07
    plugin id 110727
    published 2018-06-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110727
    title Debian DLA-1401-1 : graphicsmagick security update
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL29154575.NASL
    description The LABEL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to read arbitrary files via a crafted image. (CVE-2016-3717) Note : This vulnerability is one of the series of vulnerabilities known as ImageTragick.
    last seen 2019-02-21
    modified 2019-01-04
    plugin id 91143
    published 2016-05-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91143
    title F5 Networks BIG-IP : ImageMagick vulnerability (K29154575)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2990-1.NASL
    description Nikolay Ermishkin and Stewie discovered that ImageMagick incorrectly sanitized untrusted input. A remote attacker could use these issues to execute arbitrary code. These issues are known as 'ImageTragick'. This update disables problematic coders via the /etc/ImageMagick-6/policy.xml configuration file. In certain environments the coders may need to be manually re-enabled after making sure that ImageMagick does not process untrusted input. (CVE-2016-3714, CVE-2016-3715, CVE-2016-3716, CVE-2016-3717, CVE-2016-3718) Bob Friesenhahn discovered that ImageMagick allowed injecting commands via an image file or filename. A remote attacker could use this issue to execute arbitrary code. (CVE-2016-5118). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 91450
    published 2016-06-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91450
    title Ubuntu 12.04 LTS / 14.04 LTS / 15.10 / 16.04 LTS : imagemagick vulnerabilities (USN-2990-1) (ImageTragick)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-602.NASL
    description This update for GraphicsMagick fixes the following issues : Security issues fixed : - Multiple security issues in GraphicsMagick/ImageMagick [boo#978061] (CVE-2016-3714, CVE-2016-3718, CVE-2016-3715, CVE-2016-3717)
    last seen 2019-02-21
    modified 2016-12-07
    plugin id 91272
    published 2016-05-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91272
    title openSUSE Security Update : GraphicsMagick (openSUSE-2016-602) (ImageTragick)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-574.NASL
    description This update for ImageMagick fixes the following issues : Security issues fixed : - Several coders were vulnerable to remote code execution attacks, these coders have now been disabled by default but can be re-enabled by editing '/etc/ImageMagick-*/policy.xml' (bsc#978061) - CVE-2016-3714: Insufficient shell characters filtering leads to (potentially remote) code execution - CVE-2016-3715: Possible file deletion by using ImageMagick's 'ephemeral' pseudo protocol which deletes files after reading. - CVE-2016-3716: Possible file moving by using ImageMagick's 'msl' pseudo protocol with any extension in any folder. - CVE-2016-3717: Possible local file read by using ImageMagick's 'label' pseudo protocol to get content of the files from the server. - CVE-2016-3718: Possible Server Side Request Forgery (SSRF) to make HTTP GET or FTP request. Bugs fixed : - Use external svg loader (rsvg) This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2016-12-07
    plugin id 90986
    published 2016-05-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90986
    title openSUSE Security Update : ImageMagick (openSUSE-2016-574) (ImageTragick)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-569.NASL
    description This update for ImageMagick fixes the following issues : The update disables various insecure coders [boo#978061] These fix issues tracked in CVE-2016-3714, CVE-2016-3715, CVE-2016-3716, CVE-2016-3717, CVE-2016-3718
    last seen 2019-02-21
    modified 2016-12-07
    plugin id 90981
    published 2016-05-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90981
    title openSUSE Security Update : ImageMagick (openSUSE-2016-569) (ImageTragick)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-0726.NASL
    description From Red Hat Security Advisory 2016:0726 : An update for ImageMagick is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. ImageMagick is an image display and manipulation tool for the X Window System that can read and write multiple image formats. Security Fix(es) : * It was discovered that ImageMagick did not properly sanitize certain input before passing it to the delegate functionality. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would lead to arbitrary execution of shell commands with the privileges of the user running the application. (CVE-2016-3714) * It was discovered that certain ImageMagick coders and pseudo-protocols did not properly prevent security sensitive operations when processing specially crafted images. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would allow the attacker to delete, move, or disclose the contents of arbitrary files. (CVE-2016-3715, CVE-2016-3716, CVE-2016-3717) * A server-side request forgery flaw was discovered in the way ImageMagick processed certain images. A remote attacker could exploit this flaw to mislead an application using ImageMagick or an unsuspecting user using the ImageMagick utilities into, for example, performing HTTP(S) requests or opening FTP sessions via specially crafted images. (CVE-2016-3718) Note: This update contains an updated /etc/ImageMagick/policy.xml file that disables the EPHEMERAL, HTTPS, HTTP, URL, FTP, MVG, MSL, TEXT, and LABEL coders. If you experience any problems after the update, it may be necessary to manually adjust the policy.xml file to match your requirements. Please take additional precautions to ensure that your applications using the ImageMagick library do not process malicious or untrusted files before doing so.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 91032
    published 2016-05-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91032
    title Oracle Linux 6 / 7 : ImageMagick (ELSA-2016-0726) (ImageTragick)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-0726.NASL
    description An update for ImageMagick is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. ImageMagick is an image display and manipulation tool for the X Window System that can read and write multiple image formats. Security Fix(es) : * It was discovered that ImageMagick did not properly sanitize certain input before passing it to the delegate functionality. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would lead to arbitrary execution of shell commands with the privileges of the user running the application. (CVE-2016-3714) * It was discovered that certain ImageMagick coders and pseudo-protocols did not properly prevent security sensitive operations when processing specially crafted images. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would allow the attacker to delete, move, or disclose the contents of arbitrary files. (CVE-2016-3715, CVE-2016-3716, CVE-2016-3717) * A server-side request forgery flaw was discovered in the way ImageMagick processed certain images. A remote attacker could exploit this flaw to mislead an application using ImageMagick or an unsuspecting user using the ImageMagick utilities into, for example, performing HTTP(S) requests or opening FTP sessions via specially crafted images. (CVE-2016-3718) Note: This update contains an updated /etc/ImageMagick/policy.xml file that disables the EPHEMERAL, HTTPS, HTTP, URL, FTP, MVG, MSL, TEXT, and LABEL coders. If you experience any problems after the update, it may be necessary to manually adjust the policy.xml file to match your requirements. Please take additional precautions to ensure that your applications using the ImageMagick library do not process malicious or untrusted files before doing so.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 91036
    published 2016-05-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91036
    title RHEL 6 / 7 : ImageMagick (RHSA-2016:0726) (ImageTragick)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-486.NASL
    description Nikolay Ermishkin from the Mail.Ru Security Team and Stewie discovered several vulnerabilities in ImageMagick, a program suite for image manipulation. These vulnerabilities, collectively known as ImageTragick, are the consequence of lack of sanitization of untrusted input. An attacker with control on the image input could, with the privileges of the user running the application, execute code (CVE-2016-3714), make HTTP GET or FTP requests (CVE-2016-3718), or delete (CVE-2016-3715), move (CVE-2016-3716), or read (CVE-2016-3717) local files. These vulnerabilities are particularly critical if Imagemagick processes images coming from remote parties, such as part of a web service. The update disables the vulnerable coders (EPHEMERAL, URL, MVG, MSL, and PLT) and indirect reads via /etc/ImageMagick/policy.xml file. In addition, we introduce extra preventions, including some sanitization for input filenames in http/https delegates, the full remotion of PLT/Gnuplot decoder, and the need of explicit reference in the filename for the insecure coders. For the wheezy, these problems have been fixed in version 8:6.7.7.10-5+deb7u5. We recommend that you upgrade your imagemagick packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-06
    plugin id 91287
    published 2016-05-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91287
    title Debian DLA-486-1 : imagemagick security update (ImageTragick)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3580.NASL
    description Nikolay Ermishkin from the Mail.Ru Security Team and Stewie discovered several vulnerabilities in ImageMagick, a program suite for image manipulation. These vulnerabilities, collectively known as ImageTragick, are the consequence of lack of sanitization of untrusted input. An attacker with control on the image input could, with the privileges of the user running the application, execute code (CVE-2016-3714 ), make HTTP GET or FTP requests (CVE-2016-3718 ), or delete (CVE-2016-3715 ), move (CVE-2016-3716 ), or read (CVE-2016-3717 ) local files. These vulnerabilities are particularly critical if Imagemagick processes images coming from remote parties, such as part of a web service. The update disables the vulnerable coders (EPHEMERAL, URL, MVG, MSL, and PLT) and indirect reads via /etc/ImageMagick-6/policy.xml file. In addition, we introduce extra preventions, including some sanitization for input filenames in http/https delegates, the full remotion of PLT/Gnuplot decoder, and the need of explicit reference in the filename for the insecure coders.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 91175
    published 2016-05-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91175
    title Debian DSA-3580-1 : imagemagick - security update (ImageTragick)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2016-132-01.NASL
    description New mozilla-thunderbird packages are available for Slackware 14.1 and -current to fix security issues.
    last seen 2018-09-01
    modified 2016-12-09
    plugin id 91046
    published 2016-05-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91046
    title Slackware 14.0 / 14.1 / current : mozilla-thunderbird (SSA:2016-132-01) (ImageTragick)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2016-0726.NASL
    description An update for ImageMagick is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. ImageMagick is an image display and manipulation tool for the X Window System that can read and write multiple image formats. Security Fix(es) : * It was discovered that ImageMagick did not properly sanitize certain input before passing it to the delegate functionality. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would lead to arbitrary execution of shell commands with the privileges of the user running the application. (CVE-2016-3714) * It was discovered that certain ImageMagick coders and pseudo-protocols did not properly prevent security sensitive operations when processing specially crafted images. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would allow the attacker to delete, move, or disclose the contents of arbitrary files. (CVE-2016-3715, CVE-2016-3716, CVE-2016-3717) * A server-side request forgery flaw was discovered in the way ImageMagick processed certain images. A remote attacker could exploit this flaw to mislead an application using ImageMagick or an unsuspecting user using the ImageMagick utilities into, for example, performing HTTP(S) requests or opening FTP sessions via specially crafted images. (CVE-2016-3718) Note: This update contains an updated /etc/ImageMagick/policy.xml file that disables the EPHEMERAL, HTTPS, HTTP, URL, FTP, MVG, MSL, TEXT, and LABEL coders. If you experience any problems after the update, it may be necessary to manually adjust the policy.xml file to match your requirements. Please take additional precautions to ensure that your applications using the ImageMagick library do not process malicious or untrusted files before doing so.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 91020
    published 2016-05-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91020
    title CentOS 6 / 7 : ImageMagick (CESA-2016:0726) (ImageTragick)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-1275-1.NASL
    description This update for ImageMagick fixes the following issues : Security issues fixed : - Several coders were vulnerable to remote code execution attacks, these coders have now been disabled. They can be re-enabled by exporting the following environment variable MAGICK_CODER_MODULE_PATH=/usr/lib64/ImageMagick-6.4.3/mo dules-Q16/coders/vu lnerable/ (bsc#978061) - CVE-2016-3714: Insufficient shell characters filtering leads to (potentially remote) code execution - CVE-2016-3715: Possible file deletion by using ImageMagick's 'ephemeral' pseudo protocol which deletes files after reading. - CVE-2016-3716: Possible file moving by using ImageMagick's 'msl' pseudo protocol with any extension in any folder. - CVE-2016-3717: Possible local file read by using ImageMagick's 'label' pseudo protocol to get content of the files from the server. - CVE-2016-3718: Possible Server Side Request Forgery (SSRF) to make HTTP GET or FTP request. Bugs fixed : - Use external svg loader (rsvg) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 91119
    published 2016-05-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91119
    title SUSE SLES11 Security Update : ImageMagick (SUSE-SU-2016:1275-1) (ImageTragick)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_0D724B05687F45279C03AF34D3B094EC.NASL
    description Openwall reports : Insufficient filtering for filename passed to delegate's command allows remote code execution during conversion of several file formats. Any service which uses ImageMagick to process user-supplied images and uses default delegates.xml / policy.xml, may be vulnerable to this issue. It is possible to make ImageMagick perform a HTTP GET or FTP request It is possible to delete files by using ImageMagick's 'ephemeral' pseudo protocol which deletes files after reading. It is possible to move image files to file with any extension in any folder by using ImageMagick's 'msl' pseudo protocol. msl.txt and image.gif should exist in known location - /tmp/ for PoC (in real life it may be web service written in PHP, which allows to upload raw txt files and process images with ImageMagick). It is possible to get content of the files from the server by using ImageMagick's 'label' pseudo protocol.
    last seen 2019-02-21
    modified 2018-11-21
    plugin id 90979
    published 2016-05-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90979
    title FreeBSD : ImageMagick -- multiple vulnerabilities (0d724b05-687f-4527-9c03-af34d3b094ec) (ImageTragick)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-1260-1.NASL
    description This update for ImageMagick fixes the following issues : Security issues fixed : - Several coders were vulnerable to remote code execution attacks, these coders have now been disabled by default but can be re-enabled by editing '/etc/ImageMagick-*/policy.xml' (bsc#978061) - CVE-2016-3714: Insufficient shell characters filtering leads to (potentially remote) code execution - CVE-2016-3715: Possible file deletion by using ImageMagick's 'ephemeral' pseudo protocol which deletes files after reading. - CVE-2016-3716: Possible file moving by using ImageMagick's 'msl' pseudo protocol with any extension in any folder. - CVE-2016-3717: Possible local file read by using ImageMagick's 'label' pseudo protocol to get content of the files from the server. - CVE-2016-3718: Possible Server Side Request Forgery (SSRF) to make HTTP GET or FTP request. Bugs fixed : - Use external svg loader (rsvg) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 90996
    published 2016-05-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90996
    title SUSE SLED12 / SLES12 Security Update : ImageMagick (SUSE-SU-2016:1260-1) (ImageTragick)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2016-699.NASL
    description It was discovered that ImageMagick did not properly sanitize certain input before passing it to the delegate functionality. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would lead to arbitrary execution of shell commands with the privileges of the user running the application. (CVE-2016-3714) It was discovered that certain ImageMagick coders and pseudo-protocols did not properly prevent security sensitive operations when processing specially crafted images. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would allow the attacker to disclose the contents of arbitrary files. (CVE-2016-3715 , CVE-2016-3716 , CVE-2016-3717) A server-side request forgery flaw was discovered in the way ImageMagick processed certain images. A remote attacker could exploit this flaw to mislead an application using ImageMagick or an unsuspecting user using the ImageMagick utilities into, for example, performing HTTP(S) requests or opening FTP sessions via specially crafted images. (CVE-2016-3718) Note: This update contains an updated /etc/ImageMagick/policy.xml file that disables the EPHEMERAL, HTTPS, HTTP, URL, FTP, MVG, MSL, TEXT, and LABEL coders. If you experience any problems after the update, it may be necessary to manually adjust the policy.xml file to match your requirements. Please take additional precautions to ensure that your applications using the ImageMagick library do not process malicious or untrusted files before doing so.
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 91047
    published 2016-05-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91047
    title Amazon Linux AMI : ImageMagick (ALAS-2016-699) (ImageTragick)
  • NASL family Windows
    NASL id IMAGEMAGICK_7_0_1_1.NASL
    description The remote Windows host has a version of ImageMagick installed that is prior to 7.0.1-1 or 6.x prior to 6.9.3-10. It is, therefore, affected by the following vulnerabilities : - A remote code execution vulnerability, known as ImageTragick, exists due to a failure to properly filter shell characters in filenames passed to delegate commands. A remote attacker can exploit this, via specially crafted images, to inject shell commands and execute arbitrary code. (CVE-2016-3714) - An unspecified flaw exists in the 'ephemeral' pseudo protocol that allows an attacker to delete arbitrary files. (CVE-2016-3715) - An unspecified flaw exists in the 'ms' pseudo protocol that allows an attacker to move arbitrary files to arbitrary locations. (CVE-2016-3716) - An unspecified flaw exists in the 'label' pseudo protocol that allows an attacker, via a specially crafted image, to read arbitrary files. (CVE-2016-3717) - A server-side request forgery (SSRF) vulnerability exists due to an unspecified flaw related to request handling between a user and the server. A remote attacker can exploit this, via an MVG file with a specially crafted fill element, to bypass access restrictions and conduct host-based attacks. (CVE-2016-3718)
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 90892
    published 2016-05-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90892
    title ImageMagick < 7.0.1-1 / 6.x < 6.9.3-10 Multiple Vulnerabilities (ImageTragick)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2016-1021.NASL
    description According to the versions of the ImageMagick packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - It was discovered that ImageMagick did not properly sanitize certain input before passing it to the delegate functionality. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would lead to arbitrary execution of shell commands with the privileges of the user running the application.(CVE-2016-3714) - It was discovered that certain ImageMagick coders and pseudo-protocols did not properly prevent security sensitive operations when processing specially crafted images. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would allow the attacker to delete, move, or disclose the contents of arbitrary files. (CVE-2016-3715, CVE-2016-3716, CVE-2016-3717) - A server-side request forgery flaw was discovered in the way ImageMagick processed certain images. A remote attacker could exploit this flaw to mislead an application using ImageMagick or an unsuspecting user using the ImageMagick utilities into, for example, performing HTTP(S) requests or opening FTP sessions via specially crafted images. (CVE-2016-3718) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 99784
    published 2017-05-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99784
    title EulerOS 2.0 SP1 : ImageMagick (EulerOS-SA-2016-1021)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20160509_IMAGEMAGICK_ON_SL6_X.NASL
    description Security Fix(es) : - It was discovered that ImageMagick did not properly sanitize certain input before passing it to the delegate functionality. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would lead to arbitrary execution of shell commands with the privileges of the user running the application. (CVE-2016-3714) - It was discovered that certain ImageMagick coders and pseudo-protocols did not properly prevent security sensitive operations when processing specially crafted images. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would allow the attacker to delete, move, or disclose the contents of arbitrary files. (CVE-2016-3715, CVE-2016-3716, CVE-2016-3717) - A server-side request forgery flaw was discovered in the way ImageMagick processed certain images. A remote attacker could exploit this flaw to mislead an application using ImageMagick or an unsuspecting user using the ImageMagick utilities into, for example, performing HTTP(S) requests or opening FTP sessions via specially crafted images. (CVE-2016-3718) Note: This update contains an updated /etc/ImageMagick/policy.xml file that disables the EPHEMERAL, HTTPS, HTTP, URL, FTP, MVG, MSL, TEXT, and LABEL coders. If you experience any problems after the update, it may be necessary to manually adjust the policy.xml file to match your requirements. Please take additional precautions to ensure that your applications using the ImageMagick library do not process malicious or untrusted files before doing so.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 91039
    published 2016-05-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91039
    title Scientific Linux Security Update : ImageMagick on SL6.x, SL7.x i386/x86_64 (ImageTragick)
redhat via4
advisories
rhsa
id RHSA-2016:0726
rpms
  • ImageMagick-0:6.7.2.7-4.el6_7
  • ImageMagick-c++-0:6.7.2.7-4.el6_7
  • ImageMagick-c++-devel-0:6.7.2.7-4.el6_7
  • ImageMagick-devel-0:6.7.2.7-4.el6_7
  • ImageMagick-doc-0:6.7.2.7-4.el6_7
  • ImageMagick-perl-0:6.7.2.7-4.el6_7
  • ImageMagick-0:6.7.8.9-13.el7_2
  • ImageMagick-c++-0:6.7.8.9-13.el7_2
  • ImageMagick-c++-devel-0:6.7.8.9-13.el7_2
  • ImageMagick-devel-0:6.7.8.9-13.el7_2
  • ImageMagick-doc-0:6.7.8.9-13.el7_2
  • ImageMagick-perl-0:6.7.8.9-13.el7_2
refmap via4
bugtraq 20160513 May 2016 - HipChat Server - Critical Security Advisory
confirm
debian DSA-3580
exploit-db 39767
gentoo GLSA-201611-21
mlist
  • [debian-lts-announce] 20180627 [SECURITY] [DLA 1401-1] graphicsmagick security update
  • [oss-security] 20160504 Re: ImageMagick Is On Fire -- CVE-2016-3714
slackware SSA:2016-132-01
suse
  • SUSE-SU-2016:1260
  • SUSE-SU-2016:1275
  • openSUSE-SU-2016:1261
  • openSUSE-SU-2016:1266
  • openSUSE-SU-2016:1326
ubuntu USN-2990-1
Last major update 30-11-2016 - 22:10
Published 05-05-2016 - 14:59
Last modified 09-10-2018 - 16:00
Back to Top