Headline
Researchers Uncover New Bugs in Popular ImageMagick Image Processing Utility
Cybersecurity researchers have disclosed details of two security flaws in the open source ImageMagick software that could potentially lead to a denial-of-service (DoS) and information disclosure. The two issues, which were identified by Latin American cybersecurity firm Metabase Q in version 7.1.0-49, were addressed in ImageMagick version 7.1.0-52, released in November 2022.
A
Cybersecurity researchers have disclosed details of two security flaws in the open source ImageMagick software that could potentially lead to a denial-of-service (DoS) and information disclosure.
The two issues, which were identified by Latin American cybersecurity firm Metabase Q in version 7.1.0-49, were addressed in ImageMagick version 7.1.0-52, released in November 2022.
A brief description of the flaws is as follows -
- CVE-2022-44267 - A DoS vulnerability that arises when parsing a PNG image with a filename that’s a single dash ("-")
- CVE-2022-44268 - An information disclosure vulnerability that could be exploited to read arbitrary files from a server when parsing an image
That said, an attacker must be able to upload a malicious image to a website using ImageMagick so as to weaponize the flaws remotely. The specially crafted image, for its part, can be created by inserting a text chunk that specifies some metadata of the attacker’s choice (e.g., "-" for the filename).
“If the specified filename is '-' (a single dash), ImageMagick will try to read the content from standard input potentially leaving the process waiting forever,” the researchers said in a report shared with The Hacker News.
In the same manner, if the filename refers to an actual file located in the server (e.g., “/etc/passwd”), an image processing operation carried out on the input could potentially embed the contents of the remote file after it’s complete.
This is not the first time security vulnerabilities have been discovered in ImageMagick. In May 2016, multiple flaws were disclosed in the software, one of which, dubbed ImageTragick, could have been abused to gain remote code execution when processing user-submitted images.
A shell injection vulnerability was subsequently revealed in November 2020, wherein an attacker could insert arbitrary commands when converting encrypted PDFs to images via the "-authenticate" command line parameter.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
Gentoo Linux Security Advisory 202405-2 - Multiple vulnerabilities have been discovered in ImageMagick, the worst of which can lead to remote code execution. Versions greater than or equal to 6.9.13.0 are affected.
Ubuntu Security Notice 5855-4 - USN-5855-1 fixed vulnerabilities in ImageMagick. This update provides the corresponding updates for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. It was discovered that ImageMagick incorrectly handled certain PNG images. If a user or automated system were tricked into opening a specially crafted PNG file, an attacker could use this issue to cause ImageMagick to stop responding, resulting in a denial of service, or possibly obtain the contents of arbitrary files by including them into images.
Ubuntu Security Notice 5855-2 - USN-5855-1 fixed a vulnerability in ImageMagick. This update provides the corresponding update for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 22.10. It was discovered that ImageMagick incorrectly handled certain PNG images. If a user or automated system were tricked into opening a specially crafted PNG file, an attacker could use this issue to cause ImageMagick to stop responding, resulting in a denial of service, or possibly obtain the contents of arbitrary files by including them into images.
Debian Linux Security Advisory 5347-1 - Bryan Gonzalez discovered that the PNG support in Imagemagick could be tricked into embedding the content of an arbitrary file when converting an image file.
Ubuntu Security Notice 5855-1 - It was discovered that ImageMagick incorrectly handled certain PNG images. If a user or automated system were tricked into opening a specially crafted PNG file, an attacker could use this issue to cause ImageMagick to stop responding, resulting in a denial of service, or possibly obtain the contents of arbitrary files by including them into images.
ImageMagick 7.1.0-49 is vulnerable to Denial of Service. When it parses a PNG image (e.g., for resize), the convert process could be left waiting for stdin input.