ImageTragick – ImageMagick Filtering Vulnerability Fix
A vulnerability was found in ImageMagick where insufficient filtering of filenames passed to a delegate's command allows remote code execution during the conversion of several file formats.
How to Test
There are two ways we can check if the server is vulnerable:
1. Create a test file, imagick_exploit.mvg, with the following content:
push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg"|ls "-la)'
pop graphic-context
Then run the following command and check whether it lists the contents of your folder (the output of the "ls" command). If it does, your server is vulnerable.
# convert imagick_exploit.mvg out.png
2. If you run the command below before applying the patch, you will get output like the following:
# convert -list policy
Path: [built-in]
Policy: Undefined
rights: None
General fix for all ImageMagick installations
ImageMagick has not released a patch yet, but as a workaround, the /etc/ImageMagick/policy.xml file can be edited to disable processing of the MVG, HTTPS, HTTP, URL, FTP, EPHEMERAL, MSL, LABEL and TEXT coders within image files. In the <policymap> section, add the following lines:
<policymap>
…
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="HTTP" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="FTP" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<policy domain="coder" rights="none" pattern="TEXT" />
<policy domain="coder" rights="none" pattern="LABEL" />
</policymap>
Restart web services to apply the changes.
cPanel/WHM
cPanel has already released patches for this vulnerability. To apply the patch, run the autorepair script in the terminal:
# /scripts/autorepair mitigate_imagemagick_cve
You can also do that using WHM by adding “/scripts2/autofixer” to your WHM URL:
https://xxx.xxx.xxx.xxx:2087/cpsess<xxxxxx>/scripts2/autofixer
Then enter “mitigate_imagemagick_cve” under “Enter Script Name”.
If you have an older version of cPanel, you may need to apply the fix manually. You can do so by editing the file "/usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml" and making the following changes in the "<policymap>" section:
<policymap>
…
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="HTTP" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="FTP" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<policy domain="coder" rights="none" pattern="TEXT" />
<policy domain="coder" rights="none" pattern="LABEL" />
</policymap>
If you have installed ImageMagick yourself, the policy file may be in another location, such as "/etc/ImageMagick/policy.xml" (on Red Hat systems).
Other control panels such as Plesk and DirectAdmin have not yet released a patch. For those, follow the OS-specific fix below.
CentOS/RedHat/AWS Linux
In AWS Linux/RHEL/CentOS 6 and 7, the file /etc/ImageMagick/policy.xml should be edited, and the following changes need to be made to the “<policymap>” section:
<policymap>
…
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="HTTP" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="FTP" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<policy domain="coder" rights="none" pattern="TEXT" />
<policy domain="coder" rights="none" pattern="LABEL" />
</policymap>
In RHEL/CentOS 5, the files "mvg.so", "msl.so", and "label.so" need to be made inaccessible. They are found under:
/usr/lib64/ImageMagick-6.2.8/modules-Q16/coders/ in 64 bit servers
or
/usr/lib/ImageMagick-6.2.8/modules-Q16/coders/ in 32 bit servers
Rename the files by:
# mv mvg.so mvg.so_bak
# mv msl.so msl.so_bak
# mv label.so label.so_bak
Ubuntu/Debian
On Ubuntu and Debian systems, the file /etc/ImageMagick/policy.xml needs to be edited, and the following changes need to be made to the "<policymap>" section:
<policymap>
…
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="HTTP" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="FTP" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<policy domain="coder" rights="none" pattern="TEXT" />
<policy domain="coder" rights="none" pattern="LABEL" />
</policymap>
CloudLinux
On CloudLinux servers that have CageFS enabled, a copy of the policy file may be present in each user's CageFS environment. Follow the steps below to force all accounts to reload the new ImageMagick policy file:
Edit the files:
/opt/alt/alt-ImageMagick/etc/ImageMagick-6/policy.xml
/opt/cloudlinux/lib/ImageMagick-6.5.4/config/policy.xml
/etc/ImageMagick/policy.xml
Make the following changes in the <policymap> section:
<policymap>
…
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="HTTP" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="FTP" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<policy domain="coder" rights="none" pattern="TEXT" />
<policy domain="coder" rights="none" pattern="LABEL" />
</policymap>
Then reload CageFS using:
cagefsctl --force-update
How to Verify
To make sure the fix has been applied, run the command below; the result should look like this:
# convert -list policy
Path: [built-in]
Policy: Undefined
rights: None
Path: /etc/ImageMagick/policy.xml
Policy: Coder
rights: None
pattern: EPHEMERAL
Policy: Coder
rights: None
pattern: HTTPS
Policy: Coder
rights: None
pattern: HTTP
Policy: Coder
rights: None
pattern: URL
Policy: Coder
rights: None
pattern: FTP
Policy: Coder
rights: None
pattern: MVG
Policy: Coder
rights: None
pattern: MSL
Policy: Coder
rights: None
pattern: TEXT
Policy: Coder
rights: None
pattern: LABEL
Policy: Path
rights: None
pattern: @*
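As an added example (not part of the original post), the following Python script checks a policy.xml for the coder denials listed in the fix sections above, which is handier than reading "convert -list policy" by hand when many servers need verifying. The embedded sample policy.xml and the function names are constructed for illustration; point check_policy_file() at the real file on your system.

```python
import xml.etree.ElementTree as ET

# The coders this post disables in every distribution's policy.xml.
REQUIRED_CODERS = ("EPHEMERAL", "HTTPS", "HTTP", "URL", "FTP",
                   "MVG", "MSL", "TEXT", "LABEL")


def denied_coders(policy_xml: str) -> set:
    """Return the coder patterns that the policy denies all rights to."""
    root = ET.fromstring(policy_xml)
    denied = set()
    for policy in root.iter("policy"):
        if policy.get("domain", "").lower() != "coder":
            continue  # path/resource/delegate entries do not disable a coder
        if policy.get("rights", "").strip().lower() != "none":
            continue  # e.g. rights="read" still lets the coder parse input
        denied.add(policy.get("pattern", "").upper())
    return denied


def missing_coders(policy_xml: str) -> list:
    """Required coders with no rights="none" entry, in the post's order."""
    denied = denied_coders(policy_xml)
    return [c for c in REQUIRED_CODERS if c not in denied]


def check_policy_file(path: str) -> list:
    """Same check against a policy.xml on disk, e.g. /etc/ImageMagick/policy.xml."""
    with open(path, encoding="utf-8") as fh:
        return missing_coders(fh.read())


# Constructed sample: a policy.xml that was only partly patched.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="read" pattern="MVG" />
  <policy domain="path" rights="none" pattern="@*" />
</policymap>
"""

if __name__ == "__main__":
    gaps = missing_coders(SAMPLE_POLICY)
    print("still enabled:", ", ".join(gaps) if gaps else "none (fix applied)")
```

An empty list from check_policy_file() means every coder the post names is denied; anything else is a coder that still needs an entry in that file.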
If you need any support to patch your servers, please don’t hesitate to contact our support.