Debian DSA-3580-1 : imagemagick - security update (ImageTragick)

high Nessus Plugin ID 91175

Synopsis

The remote Debian host is missing a security-related update.

Description

Nikolay Ermishkin from the Mail.Ru Security Team and Stewie discovered several vulnerabilities in ImageMagick, a program suite for image manipulation. These vulnerabilities, collectively known as ImageTragick, are the consequence of lack of sanitization of untrusted input. An attacker with control on the image input could, with the privileges of the user running the application, execute code (CVE-2016-3714 ), make HTTP GET or FTP requests (CVE-2016-3718 ), or delete (CVE-2016-3715 ), move (CVE-2016-3716 ), or read (CVE-2016-3717 ) local files.

These vulnerabilities are particularly critical if Imagemagick processes images coming from remote parties, such as part of a web service.

The update disables the vulnerable coders (EPHEMERAL, URL, MVG, MSL, and PLT) and indirect reads via /etc/ImageMagick-6/policy.xml file. In addition, we introduce extra preventions, including some sanitization for input filenames in http/https delegates, the full remotion of PLT/Gnuplot decoder, and the need of explicit reference in the filename for the insecure coders.

Solution

Upgrade the imagemagick packages.

For the stable distribution (jessie), these problems have been fixed in version 8:6.8.9.9-5+deb8u2.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823542

https://security-tracker.debian.org/tracker/CVE-2016-3714

https://security-tracker.debian.org/tracker/CVE-2016-3718

https://security-tracker.debian.org/tracker/CVE-2016-3715

https://security-tracker.debian.org/tracker/CVE-2016-3716

https://security-tracker.debian.org/tracker/CVE-2016-3717

https://packages.debian.org/source/jessie/imagemagick

https://www.debian.org/security/2016/dsa-3580

Plugin Details

Severity: High

ID: 91175

File Name: debian_DSA-3580.nasl

Version: 2.17

Type: local

Agent: unix

Published: 5/17/2016

Updated: 9/10/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.8

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2016-3714

CVSS v3

Risk Factor: High

Base Score: 8.4

Temporal Score: 8

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:8.0, p-cpe:/a:debian:debian_linux:imagemagick

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/16/2016

CISA Known Exploited Vulnerability Due Dates: 5/3/2022, 9/30/2024

Reference Information

CVE: CVE-2016-3714, CVE-2016-3715, CVE-2016-3716, CVE-2016-3717, CVE-2016-3718

DSA: 3580