ImageMagick < 7.0.8-44 Multiple vulnerabilities

high Nessus Plugin ID 124776

Language:

Synopsis

An application installed on the remote Windows host is affected by multiple vulnerability

Description

The version of ImageMagick installed on the remote Windows host is 7.x prior to 7.0.8-44. It is, therefore, affected by multiple vulnerabilities:

 - A denial of service vulnerability exists due to a failure to handle exceptional conditions. An unauthenticated, remote attacker can exploit this by convincing a user into converting a specially crafted file, to cause the system to stop responding. (CVE-2018-15607)

 - A stack-based buffer overflow condition exists in the PopHexPixel function due to a failure to handle exceptional conditions. An unauthenticated,remote attacker can exploit this, via convincing a user to open a crafted image file, to cause a denial of service condition or the execution of arbitrary code. (CVE-2019-9956)

 - A memory leak vulnerability exists in the SVGKeyValuePairs function due to a failure to handle exceptional conditions. An unauthenticated, remote attacker can exploit this via convincing a user to open a crafted image file, to cause the application to stop responding.
 (CVE-2019-10649)

Note that the application may also be affected by additional vulnerabilities. Refer to the vendor for additional information.

Solution

Upgrade to ImageMagick version 7.0.8-44 or later. Note that you may also need to manually uninstall the vulnerable version from the system.

See Also

http://www.nessus.org/u?b866ca80

http://www.nessus.org/u?46745bf3

http://www.nessus.org/u?9ef3902f

http://www.nessus.org/u?76a32d69

http://www.nessus.org/u?614bf163

http://www.nessus.org/u?3fffdd92

Plugin Details

Severity: High

ID: 124776

File Name: imagemagick_7_0_8-44.nasl

Version: 1.4

Type: local

Agent: windows

Family: Windows

Published: 5/10/2019

Updated: 10/30/2019

Supported Sensors: Nessus Agent

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: E:U/RL:OF/RC:C

CVSS Score Source: CVE-2019-9956

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:imagemagick:imagemagick

Required KB Items: installed_sw/ImageMagick

Exploit Ease: No known exploits are available

Patch Publication Date: 8/21/2018

Vulnerability Publication Date: 8/21/2018

Reference Information

CVE: CVE-2018-15607, CVE-2019-9956, CVE-2019-10649, CVE-2019-10650, CVE-2019-11597, CVE-2019-11598

BID: 105137, 107546, 107645, 107646, 108102