Vulnerability Note VU#250519
ImageMagick does not properly validate input before processing images using a delegate
ImageMagick does not properly validate user input before processing it using a delegate, which may lead to arbitrary code execution. This issue is also known as "ImageTragick".
CWE-20: Improper Input Validation - CVE-2016-3714
According to the researchers in a mailing list post:
ImageMagick allows to process files with external libraries. This feature is called 'delegate'. It is implemented as a system() with command string ('command') from the config file delegates.xml with actual value for different params (input/output filenames etc). Due to insufficient %M param filtering it is possible to conduct shell command injection.
By causing a system to process an image with ImageMagick, an attacker may be able to execute arbitrary commands on a vulnerable system. A common vulnerable configuration would be a web server that allows image uploads that are subsequently processed with ImageMagick.
Exploit code for this vulnerability is publicly available, and according to the ImageTragick website, this vulnerability is already being exploited in the wild.
An unauthenticated remote attacker that can upload crafted image files may be able to execute arbitrary code in the context of the user calling ImageMagick.
Apply an Update
Verify Files and Disable Vulnerable Filters
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Arch Linux||Affected||-||04 May 2016|
|CentOS||Affected||-||04 May 2016|
|Debian GNU/Linux||Affected||-||04 May 2016|
|Fedora Project||Affected||-||04 May 2016|
|Gentoo Linux||Affected||-||04 May 2016|
|ImageMagick||Affected||-||04 May 2016|
|openSUSE project||Affected||-||04 May 2016|
|Red Hat, Inc.||Affected||-||04 May 2016|
|Slackware Linux Inc.||Affected||-||04 May 2016|
|SUSE Linux||Affected||-||04 May 2016|
|Turbolinux||Affected||-||04 May 2016|
|Ubuntu||Affected||-||04 May 2016|
CVSS Metrics (Learn More)
The ImageTragick website credits Stewie and Nikolay Ermishkin of the Mail.Ru Security Team for discovering these vulnerabilities.
This document was written by Garret Wassermann.
- CVE IDs: CVE-2016-3714
- Date Public: 03 May 2016
- Date First Published: 04 May 2016
- Date Last Updated: 04 May 2016
- Document Revision: 20
If you have feedback, comments, or additional information about this vulnerability, please send us email.