ImageMagick, a near-ubiquitous image processing library, has once again been discovered to harbor a serious vulnerability with the potential to leak sensitive data to an attacker. The vulnerability was patched a couple of months ago, but full details only became available this month. Although the vulnerability is quite difficult to exploit in most scenarios, it’s advisable for all users of ImageMagick and applications that depend on ImageMagick to update to the most recent version. The best way to mitigate the risk is to update to your Linux distribution’s most recent release, as most distributions, including CentOS, have applied the patch.
ImageMagick is everywhere. Even if you don’t knowingly make use of the image processing library, it’s a near certainty that your content management system or eCommerce application does, so it’s worth investigating whether applications you depend on use ImageMagick under the hood.
This is not the first time ImageMagick has been responsible for a serious vulnerability. Last year’s ImageTragick vulnerability was similarly implicated in the leaking of sensitive data, although the mechanism of this attack is somewhat different.
Discovered by security researcher Chris Evans, the vulnerability takes advantage of an uninitialized memory bug in ImageMagick. Evans contributed a one-line fix to the ImageMagick project, which solved the problem. One of the most serious consequences of this bug is the so-called YahooBleed attack. Evans demonstrated how the flaw could be used to exfiltrate potentially sensitive information — private email attachments — from Yahoo! Mail servers. It’s not the first time Yahoo! has been affected by problems in ImageMagick, and the company decided to retire the library altogether, a choice applauded by Evans.
You can read the full details of the attack here, but the nutshell version is that Evans was able to send a tiny 18-byte exploit file as an email attachment to his own email account. When the mail was received, the JPEG attachment in the email contained data from uninitialized or previously freed memory.
It’s worth noting that this vulnerability can only be exploited in specific circumstances. Most uses of ImageMagick are short-lived: the ImageMagick binary is started to process an image and then exits, so the only data likely to be available to an attacker is their own. But for some reason, Yahoo!’s thumbnail-handling ImageMagick process was long-lived, which means an attacker could have access to the data of many different users.
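To illustrate the mechanism described above, here is an added example, not ImageMagick code and not the coder Evans actually patched: a toy run-length decoder that fills a reused output buffer without clearing it, beside a version that initializes the buffer and rejects truncated input. The pixel format, the function names and the 16-byte buffer are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy run-length pixel format (constructed for this example): each input
 * pair (count, value) expands to `count` copies of `value`. `out_len` plays
 * the role of the width*height declared in the file header. */

/* Vulnerable pattern: decodes into a caller-supplied buffer and writes only
 * the pixels the input describes. A truncated input leaves the tail of `out`
 * untouched, so whatever the buffer held before (another user's image, in a
 * long-lived process) is shipped out as part of the result. */
size_t decode_unsafe(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_len)
{
    size_t o = 0;
    for (size_t i = 0; i + 1 < in_len && o < out_len; i += 2) {
        uint8_t count = in[i], value = in[i + 1];
        for (uint8_t c = 0; c < count && o < out_len; c++)
            out[o++] = value;
    }
    return o; /* pixels actually written; the vulnerable caller ignores this */
}

/* Hardened: clear the whole output first (the one-line style of fix the
 * article describes) and also report truncation so the caller can reject
 * the file instead of returning a partially filled image. */
int decode_safe(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_len)
{
    memset(out, 0, out_len);
    size_t written = decode_unsafe(in, in_len, out, out_len);
    return written == out_len ? 0 : -1;
}

/* Simulates a long-lived worker: the buffer first holds one user's pixels,
 * then is reused for a crafted 2-byte file. Returns how many bytes of the
 * earlier image remain visible in the output. */
size_t leaked_bytes(int use_safe)
{
    uint8_t buf[16];
    memset(buf, 'S', sizeof buf);        /* previous user's data: constructed */
    const uint8_t tiny[] = { 4, 0xAB };  /* declares only 4 of 16 pixels */
    if (use_safe) decode_safe(tiny, sizeof tiny, buf, sizeof buf);
    else decode_unsafe(tiny, sizeof tiny, buf, sizeof buf);
    size_t n = 0;
    for (size_t i = 0; i < sizeof buf; i++)
        if (buf[i] == 'S') n++;
    return n;
}
```

With the unsafe decoder, 12 of the 16 output bytes are the previous user's data; with the initialized decoder, none are, and the truncated file is reported as an error.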
GraphicsMagick, a fork of the ImageMagick project, had patched this particular vulnerability in March of 2016, although it’s not generally safe to assume that GraphicsMagick is more secure than ImageMagick. The projects don’t seem to coordinate their bug-fixes and it’s often the case that bugs are fixed in one but not the other.
Although this bug is hard to exploit in the wild and only exploitable in a limited set of circumstances, unless you understand exactly how ImageMagick is being used on your servers, it’s best to update.