If you own a web service that requires image processing, you might have heard of ImageMagick. It is a free and open-source tool that lets you display, edit and convert image files directly on your web service. Although many developers previously preferred ImageMagick over other products in the market, it is now under criticism because of a major vulnerability.
It’s all about CVE-2016-3714
The vulnerability, indexed as CVE-2016-3714, emerged last week. It lies within the latest version of the ImageMagick suite and allows attackers to execute commands remotely by uploading an image. Researchers at security company Sucuri are already developing a “workable proof of concept” to patch the security hole. However, the vulnerability is still exploitable.
“The vulnerability is very simple to exploit, an attacker only needs an image uploader tool that leverages ImageMagick,” Sucuri founder and CTO Daniel Cid writes in a blog post.
‘Many popular web applications and SaaS’ are affected
Cid hasn’t revealed any names but confirms that “many popular web applications” and SaaS (Software-as-a-Service) products are vulnerable to the new exploit. A new website and a Twitter account have been created under the fictitious name of ImageTragick to make people aware of the vulnerability.
Stewie, a security researcher and winner of some bug bounty programmes, and Mail.ru security engineer Nikolay Ermishkin found the bugs that result in the exploit. The ImageMagick team acknowledged their existence.
“We have recently received vulnerability reports for certain coders, they include possible remote code execution and ability to render files on the local system. The ImageMagick policy was developed many years ago to help prevent possible exploits,” the team wrote in a forum post.
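The policy file the ImageMagick team mentions can be audited before a patched release arrives. The following is an added example, not code from the article or from ImageMagick: it assumes the coder names listed in the publicly circulated ImageTragick mitigation advice (EPHEMERAL, URL, HTTPS, MVG, MSL), which this article does not list, and runs on a constructed sample policy.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Assumption: coders named in the public ImageTragick mitigation advice,
# not taken from this article.
RISKY_CODERS = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL")

# Constructed sample policy.xml: only two of the five coders are disabled.
SAMPLE_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="read|write" pattern="URL" />
  <policy domain="resource" name="memory" value="256MiB" />
</policymap>"""


def coder_entries(policy_xml):
    """Return (pattern, rights) pairs for every coder-domain policy entry."""
    entries = []
    for node in ET.fromstring(policy_xml).iter("policy"):
        if node.get("domain", "").lower() == "coder":
            entries.append((node.get("pattern", "").upper(),
                            node.get("rights", "").lower()))
    return entries


def unblocked_coders(policy_xml, coders=RISKY_CODERS):
    """List coders that are not provably disabled by the policy.

    Conservative rule: a coder counts as blocked only when at least one
    entry matches it and every matching entry says rights="none", so the
    result does not depend on how ImageMagick orders conflicting entries.
    Only exact names and simple globs (*, ?) are matched; brace patterns
    are not expanded and therefore never count as a block.
    """
    entries = coder_entries(policy_xml)
    flagged = []
    for coder in coders:
        matched = [r for p, r in entries if fnmatch.fnmatchcase(coder, p)]
        if not matched or any(r != "none" for r in matched):
            flagged.append(coder)
    return flagged


if __name__ == "__main__":
    print("Coders still enabled:", unblocked_coders(SAMPLE_POLICY))
```

To check a real installation, pass the text of its policy.xml to `unblocked_coders`; an empty list means every coder in the tuple is disabled.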
CloudFlare WAF as a temporary solution
While an official patch for the software issues is yet to be released, content delivery network (CDN) provider CloudFlare has rolled out a web application firewall (WAF) on its side to protect its clients from the vulnerability.
The security issues are likely to be formally addressed in the next version of ImageMagick, which is expected in the coming days. Until then, you need to keep clear of this newly emerged ImageTragick.