Debian DSA-3580-1 : imagemagick - security update (ImageTragick)

Critical Nessus Plugin ID 91175

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.

VPR Score: 9.4

Synopsis

The remote Debian host is missing a security-related update.

Description

Nikolay Ermishkin from the Mail.Ru Security Team and Stewie discovered several vulnerabilities in ImageMagick, a program suite for image manipulation. These vulnerabilities, collectively known as ImageTragick, are the consequence of lack of sanitization of untrusted input. An attacker with control on the image input could, with the privileges of the user running the application, execute code (CVE-2016-3714 ), make HTTP GET or FTP requests (CVE-2016-3718 ), or delete (CVE-2016-3715 ), move (CVE-2016-3716 ), or read (CVE-2016-3717 ) local files.

These vulnerabilities are particularly critical if Imagemagick processes images coming from remote parties, such as part of a web service.

The update disables the vulnerable coders (EPHEMERAL, URL, MVG, MSL, and PLT) and indirect reads via /etc/ImageMagick-6/policy.xml file. In addition, we introduce extra preventions, including some sanitization for input filenames in http/https delegates, the full remotion of PLT/Gnuplot decoder, and the need of explicit reference in the filename for the insecure coders.

Solution

Upgrade the imagemagick packages.

For the stable distribution (jessie), these problems have been fixed in version 8:6.8.9.9-5+deb8u2.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823542

https://security-tracker.debian.org/tracker/CVE-2016-3714

https://security-tracker.debian.org/tracker/CVE-2016-3718

https://security-tracker.debian.org/tracker/CVE-2016-3715

https://security-tracker.debian.org/tracker/CVE-2016-3716

https://security-tracker.debian.org/tracker/CVE-2016-3717

https://packages.debian.org/source/jessie/imagemagick

https://www.debian.org/security/2016/dsa-3580

Plugin Details

Severity: Critical

ID: 91175

File Name: debian_DSA-3580.nasl

Version: 2.12

Type: local

Agent: unix

Published: 2016/05/17

Updated: 2020/09/23

Dependencies: 12634

Risk Information

Risk Factor: Critical

VPR Score: 9.4

CVSS v2.0

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

CVSS v3.0

Base Score: 8.4

Temporal Score: 8

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:imagemagick, cpe:/o:debian:debian_linux:8.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2016/05/16

Reference Information

CVE: CVE-2016-3714, CVE-2016-3715, CVE-2016-3716, CVE-2016-3717, CVE-2016-3718

DSA: 3580