Vulnerabilities in ImageMagick Library


A large majority of the applications running on the Web today rely on free, open-source libraries. These pieces of software are responsible for many of the features that we often take for granted. While these software suites enable developers to build web applications quickly, they can also be problematic.

When these libraries have vulnerabilities, all the servers that depend on their code become sitting ducks until a patch is made available. That’s what’s happening now with ImageMagick, which has been found to have multiple vulnerabilities.


What is ImageMagick?

ImageMagick is a commonly used library that enables applications to manipulate images in bulk. It supports a wide range of image formats (at least 200) including png, jpeg, bmp, cgm, ico, and many others. Through this library, applications can, for instance:

  • Convert images from one format to another;
  • Create thumbnails of uploaded images;
  • Reduce the number of colors in an image through color quantization or posterization;
  • Carry out dithering;
  • Resize, rotate, flip, and crop images; or
  • Generate animated GIFs out of a series of images

These are just the basics. It can also perform discrete Fourier transformations, morphology, pixel distortions, color management, and many other complex image-manipulation tasks.


Where is it used?

Because of its versatility, several major programming languages have implemented bindings for the ImageMagick library. For example, Java has JMagick, C++ has Magick++, Python has PythonMagick, PHP has IMagick, and so on.

Consequently, it has become ubiquitous and is usually the underlying code responsible for image-manipulation features in:

  • Content management systems like WordPress and Drupal (which means over half of the blogs out there rely on it for image processing);
  • Social media sites;
  • Forums (e.g. phpBB); and
  • Wikis

Possible exploits

There are currently a handful of known vulnerabilities in ImageMagick. But the two most alarming are CVE-2016-3717, which allows remote attackers to read arbitrary files through a crafted image, and CVE-2016-3714, which allows remote attackers to execute arbitrary code through a crafted image.

The latter, now dubbed ImageTragick, is the more serious of the two. In layman’s terms, once that vulnerability is successfully exploited, attackers can remotely control the compromised web server. They could, for instance, gain access to all system files, spread malware, steal sensitive information, or cut the entire system off the network. In other words, they would be able to do practically anything they want on a compromised system.

Early this month, a bug bounty hunter discovered the CVE-2016-3714 vulnerability on one of Yahoo’s domains and was awarded a $2000 bounty for it. If this security flaw managed to go unnoticed at one of the largest Internet companies in the world, how do smaller organizations fare?

Even when the vulnerability was first discovered, security researchers believed that it had already leaked to other individuals. And because the exploit is rather basic, the number of threat actors was expected to multiply quickly.

The developers at ImageMagick have released multiple patches; now the onus is on admins and security teams to make sure that their systems are up to date.
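Until a patched build is deployed, the mitigation published alongside the ImageTragick disclosure is to restrict ImageMagick’s security policy so that the coders abused by CVE-2016-3714 and the indirect file reads behind CVE-2016-3717 are refused. The following policy fragment is an added example, not part of the original article or of ImageMagick’s shipped defaults; the path of the policy file is assumed to be /etc/ImageMagick/policy.xml (it varies by distribution and version, so confirm yours before editing).

```xml
<!-- Assumed location: /etc/ImageMagick/policy.xml (adjust for your install).
     Each <policy> entry denies all rights to the named coder or path pattern;
     image formats not listed here are unaffected. -->
<policymap>
  <!-- Coders that can fetch remote content or run delegate commands -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="HTTP" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <!-- Indirect reads via "@filename" references inside image data -->
  <policy domain="path" rights="none" pattern="@*" />
</policymap>
```

After saving the file, `convert -list policy` prints the policy ImageMagick actually loaded, which is the quickest way to confirm the rules took effect on each server.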