Urolime Blogs

The place for DevOps, Cloud, Kubernetes News and Updates

Imagetragick
General

ImageTragick – ImageMagick Filtering Vulnerability Fix

ImageTragick – ImageMagick Filtering Vulnerability Fix

A vulnerability was found in Imagemagick where insufficient filtering for filenames passed to a delegate’s command allows remote code execution during the conversion of several file formats.

How to Test

There are two ways we can check if the server is vulnerable:

  1. Create a test file, imagick_exploit.mvg with following content:

push graphic-context

viewbox 0 0 640 480

fill ‘url(https://example.com/image.jpg”|ls “-la)’

pop graphic-context

and execute the following command and see if it display the contents in your folder as an output of the command “ls”, if it does, then your server is vulnerable.

convert example_exploit.mvg out.png

      2.  If we run the below command before applying the patch, you will get an output as shown below:

# convert -list policy

Path: [built-in]
Policy: Undefined
rights: None

General fix for all ImageMagick installations

ImageMagick has not released a patch yet, but as a workaround, the /etc/ImageMagick/policy.xml file can be edited to disable processing of MVG, HTTPS, HTTP, URL, FTP, EPHEMERAL, MSL, LABEL and TEXT commands within image files. In the <policymap> section, add the following lines:

<policymap>

<policy domain=”coder” rights=”none” pattern=”EPHEMERAL” />
<policy domain=”coder” rights=”none” pattern=”HTTPS” />
<policy domain=”coder” rights=”none” pattern=”HTTP” />
<policy domain=”coder” rights=”none” pattern=”URL” />
<policy domain=”coder” rights=”none” pattern=”FTP” />
<policy domain=”coder” rights=”none” pattern=”MVG” />
<policy domain=”coder” rights=”none” pattern=”MSL” />
<policy domain=”coder” rights=”none” pattern=”TEXT” />
<policy domain=”coder” rights=”none” pattern=”LABEL” />
</policymap>

Restart web services to apply the changes.

cPanel/WHM

cPanel has already released patches for this vulnerability. To apply the patch, run the autorepair script in the terminal:

# /scripts/autorepair mitigate_imagemagick_cve

You can also do that using WHM by adding “/scripts2/autofixer” to your WHM URL:

https://xxx.xxx.xxx.xxx:2087/cpsess<xxxxxx>/scripts2/autofixer

Then enter “mitigate_imagemagick_cve” under “Enter Script Name”.

If you have an older version of cPanel, you may want to manually fix this. You can do so by editing the file “/usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml”, and making the following changes in the “<policymap>” section:
<policymap>

<policy domain=”coder” rights=”none” pattern=”EPHEMERAL” />
<policy domain=”coder” rights=”none” pattern=”HTTPS” />
<policy domain=”coder” rights=”none” pattern=”HTTP” />
<policy domain=”coder” rights=”none” pattern=”URL” />
<policy domain=”coder” rights=”none” pattern=”FTP” />
<policy domain=”coder” rights=”none” pattern=”MVG” />
<policy domain=”coder” rights=”none” pattern=”MSL” />
<policy domain=”coder” rights=”none” pattern=”TEXT” />
<policy domain=”coder” rights=”none” pattern=”LABEL” />
</policymap>

If you’ve custom installed ImageMagick, the policy file would be in some other location such as “/etc/ImageMagick/policy.xml” (in RedHat systems).

Other control panels like <strong>Plesk and DirectAdmin</strong> has not yet released a patch. You can follow the custom OS fix on this.

CentOS/RedHat/AWS Linux

In AWS Linux/RHEL/CentOS 6 and 7, the file /etc/ImageMagick/policy.xml should be edited, and the following changes need to be made to the “<policymap>” section:

<policymap>

<policy domain=”coder” rights=”none” pattern=”EPHEMERAL” />
<policy domain=”coder” rights=”none” pattern=”HTTPS” />
<policy domain=”coder” rights=”none” pattern=”HTTP” />
<policy domain=”coder” rights=”none” pattern=”URL” />
<policy domain=”coder” rights=”none” pattern=”FTP” />
<policy domain=”coder” rights=”none” pattern=”MVG” />
<policy domain=”coder” rights=”none” pattern=”MSL” />
<policy domain=”coder” rights=”none” pattern=”TEXT” />
<policy domain=”coder” rights=”none” pattern=”LABEL” />
</policymap>

In RHEL/CentOS 5, the files “mvg.so”, “msl.so”, and “label.so” need to be made inaccessible. It’s found under:

/usr/lib64/ImageMagick-6.2.8/modules-Q16/coders/  in 64 bit servers
or
/usr/lib/ImageMagick-6.2.8/modules-Q16/coders/  in 32 bit servers

Rename the files by:

# mv mvg.so mvg.so_bak

# mv msl.so msl.so_bak

# mv label.so label.so_bak

Ubuntu/Debian

In Ubuntu and Debian systems, the file /etc/ImageMagick/policy.xml need to be edited, and the following changes need to be made to the “<policymap>” section:

<policymap>

<policy domain=”coder” rights=”none” pattern=”EPHEMERAL” />
<policy domain=”coder” rights=”none” pattern=”HTTPS” />
<policy domain=”coder” rights=”none” pattern=”HTTP” />
<policy domain=”coder” rights=”none” pattern=”URL” />
<policy domain=”coder” rights=”none” pattern=”FTP” />
<policy domain=”coder” rights=”none” pattern=”MVG” />
<policy domain=”coder” rights=”none” pattern=”MSL” />
<policy domain=”coder” rights=”none” pattern=”TEXT” />
<policy domain=”coder” rights=”none” pattern=”LABEL” />
</policymap>

CloudLinux

In CloudLinux servers that has CageFS enabled, a copy of the policy file may be present in each individual’s environment. So, follow the below steps to force all accounts to reload the new ImageMagick policy file:

Edit the files:

/opt/alt/alt-ImageMagick/etc/ImageMagick-6/policy.xml
/opt/cloudlinux/lib/ImageMagick-6.5.4/config/policy.xml
/etc/ImageMagick/policy.xml

Make the following changes in <policymap> section.

<policymap>

<policy domain=”coder” rights=”none” pattern=”EPHEMERAL” />
<policy domain=”coder” rights=”none” pattern=”HTTPS” />
<policy domain=”coder” rights=”none” pattern=”HTTP” />
<policy domain=”coder” rights=”none” pattern=”URL” />
<policy domain=”coder” rights=”none” pattern=”FTP” />
<policy domain=”coder” rights=”none” pattern=”MVG” />
<policy domain=”coder” rights=”none” pattern=”MSL” />
<policy domain=”coder” rights=”none” pattern=”TEXT” />
<policy domain=”coder” rights=”none” pattern=”LABEL” />
</policymap>

Then reload CageFS using:

cagefsctl –force-update

How do I verify

To Make sure the patching is applied you can run the below command and the result will looks like:

# convert -list policy

Path: [built-in]
Policy: Undefined
rights: None

Path: /etc/ImageMagick/policy.xml
Policy: Coder
rights: None
pattern: EPHEMERAL
Policy: Coder
rights: None
pattern: HTTPS
Policy: Coder
rights: None
pattern: HTTP
Policy: Coder
rights: None
pattern: URL
Policy: Coder
rights: None
pattern: FTP
Policy: Coder
rights: None
pattern: MVG
Policy: Coder
rights: None
pattern: MSL
Policy: Coder
rights: None
pattern: TEXT
Policy: Coder
rights: None
pattern: LABEL
Policy: Path
rights: None
pattern: @*

If you need any support to patch your servers, please don’t hesitate to contact our support.

References:

https://access.redhat.com/security/vulnerabilities/2296071

Share on Facebook
Tweet
Follow us
Urolime Technologies has made groundbreaking accomplishments in the field of Google Cloud & Kubernetes Consulting, DevOps Services, 24/7 Managed Services & Support, Dedicated IT Team, Managed AWS Consulting and Azure Cloud Consulting. We believe our customers are Smart to choose their IT Partner, and we “Do IT Smart”.
Website https://www.urolime.com/
Posts created 469

Related Posts

Begin typing your search term above and press enter to search. Press ESC to cancel.

Enjoy this blog? Please spread the word :)

Follow by Email
Facebook
Facebook
fb-share-icon
Twitter
Visit Us
Follow Me
Tweet
LinkedIn
Share
Instagram