ImageMagick < 7.0.1-1 / 6.x < 6.9.3-10 Multiple Vulnerabilities (ImageTragick)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

The remote Windows host has an application installed that is affected
by multiple vulnerabilities.

Description :

The remote Windows host has a version of ImageMagick installed that is
prior to 7.0.1-1 or 6.x prior to 6.9.3-10. It is, therefore, affected
by the following vulnerabilities :

- A remote code execution vulnerability, known as
ImageTragick, exists due to a failure to properly filter
shell characters in filenames passed to delegate
commands. A remote attacker can exploit this, via
specially crafted images, to inject shell commands and
execute arbitrary code. (CVE-2016-3714)

- An unspecified flaw exists in the 'ephemeral' pseudo
protocol that allows an attacker to delete arbitrary
files. (CVE-2016-3715)

- An unspecified flaw exists in the 'msl' pseudo protocol
that allows an attacker to move arbitrary files to
arbitrary locations. (CVE-2016-3716)

- An unspecified flaw exists in the 'label' pseudo
protocol that allows an attacker, via a specially
crafted image, to read arbitrary files. (CVE-2016-3717)

- A server-side request forgery (SSRF) vulnerability
exists due to an unspecified flaw related to request
handling between a user and the server. A remote
attacker can exploit this, via an MVG file with a
specially crafted fill element, to bypass access
restrictions and conduct host-based attacks.
(CVE-2016-3718)

See also :

http://www.imagemagick.org/script/changelog.php
https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588
https://imagetragick.com/

Solution :

Upgrade to ImageMagick version 7.0.1-1 / 6.9.3-10 or later.

Note that you may need to manually uninstall the vulnerable version
from the system.
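
The version ranges above can be applied to an existing software inventory before and after upgrading. The following is an added example, not the Nessus plugin's own code; the function names, the "major.minor.patch-build" banner format it expects, and the sample inventory are assumptions made for illustration.

```python
import re

# Fixed releases named in the advisory above.
FIXED_6X = (6, 9, 3, 10)
FIXED_7X = (7, 0, 1, 1)

# "major.minor.patch-build", bare or inside a "-version" banner line.
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)-(\d+)(?!\d)")


def parse_version(text):
    """Return (major, minor, patch, build) as ints, or None if absent."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def assess(text):
    """Classify one version string as 'affected', 'not affected' or 'unknown'."""
    version = parse_version(text)
    if version is None:
        return "unknown"  # no parseable version: review by hand
    # 6.x has its own fixed build; everything else is compared with 7.0.1-1.
    fixed = FIXED_6X if version[0] == 6 else FIXED_7X
    # Tuple comparison is numeric, so 6.9.10-1 sorts after 6.9.3-10.
    return "affected" if version < fixed else "not affected"


def audit(inventory):
    """Map each inventory label to its assessment."""
    return {label: assess(text) for label, text in inventory}


# Constructed sample inventory (labels and version strings are made up).
SAMPLE_INVENTORY = [
    ("host-a", "Version: ImageMagick 6.9.3-9 Q16 x64 2016-04-24 http://www.imagemagick.org"),
    ("host-b", "6.9.3-10"),
    ("host-c", "7.0.1-0"),
    ("host-d", "ImageMagick 7.0.1-1 Q16 x64"),
    ("host-e", "6.9.10-1"),
    ("host-f", "version not recorded"),
]

if __name__ == "__main__":
    for label, status in audit(SAMPLE_INVENTORY).items():
        print(f"{label}: {status}")
```

An old installation left behind after an upgrade still reports as affected, which is why every installed copy should be checked, not only the newest one.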

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.3
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Family: Windows

Nessus Plugin ID: 90892

Bugtraq ID: 89848
89849
89852
89861
89866

CVE ID: CVE-2016-3714
CVE-2016-3715
CVE-2016-3716
CVE-2016-3717
CVE-2016-3718
