ImageMagick < 7.0.8-44 Multiple vulnerabilities

high Nessus Plugin ID 124776

Synopsis

An application installed on the remote Windows host is affected by multiple vulnerabilities

Description

The version of ImageMagick installed on the remote Windows host is 7.x prior to 7.0.8-44. It is, therefore, affected by multiple vulnerabilities:

- A denial of service vulnerability exists due to a failure to handle exceptional conditions. An unauthenticated, remote attacker can exploit this by convincing a user into converting a specially crafted file, to cause the system to stop responding. (CVE-2018-15607)

- A stack-based buffer overflow condition exists in the PopHexPixel function due to a failure to handle exceptional conditions. An unauthenticated,remote attacker can exploit this, via convincing a user to open a crafted image file, to cause a denial of service condition or the execution of arbitrary code. (CVE-2019-9956)

- A memory leak vulnerability exists in the SVGKeyValuePairs function due to a failure to handle exceptional conditions. An unauthenticated, remote attacker can exploit this via convincing a user to open a crafted image file, to cause the application to stop responding.
(CVE-2019-10649)

Note that the application may also be affected by additional vulnerabilities. Refer to the vendor for additional information.

Solution

Upgrade to ImageMagick version 7.0.8-44 or later. Note that you may also need to manually uninstall the vulnerable version from the system.

See Also

http://www.nessus.org/u?b866ca80

http://www.nessus.org/u?46745bf3

http://www.nessus.org/u?9ef3902f

http://www.nessus.org/u?76a32d69

http://www.nessus.org/u?614bf163

http://www.nessus.org/u?3fffdd92

Plugin Details

Severity: High

ID: 124776

File Name: imagemagick_7_0_8-44.nasl

Version: 1.7

Type: local

Agent: windows

Family: Windows

Published: 5/10/2019

Updated: 6/4/2024

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-9956

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:imagemagick:imagemagick

Required KB Items: installed_sw/ImageMagick

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/21/2018

Vulnerability Publication Date: 8/21/2018

Reference Information

CVE: CVE-2018-15607, CVE-2019-10649, CVE-2019-10650, CVE-2019-11597, CVE-2019-11598, CVE-2019-9956

BID: 105137, 107546, 107645, 107646, 108102