ImageMagick Exposed: Two Critical Vulnerabilities Found
Cybersecurity experts have identified serious security flaws in the widely used open source software ImageMagick, which could result in denial-of-service (DoS) attacks and unauthorized information disclosure. Discovered by the Latin American cybersecurity firm Metabase Q in version 7.1.0-49, these vulnerabilities were subsequently addressed in an updated release, version 7.1.0-52, issued in November 2022.
The vulnerabilities are specifically categorized as CVE-2022-44267, a DoS issue triggered by parsing a PNG image with a filename designated as a single dash (“-”), and CVE-2022-44268, an information disclosure vulnerability that could enable attackers to read arbitrary files from a server through crafted image parsing. For these flaws to be exploited, an attacker would require the ability to upload a malicious image to any web application utilizing ImageMagick.
The exploitation method involves the manipulation of a text chunk within the PNG image, allowing the attacker to specify metadata, including the filename in question. As indicated by the researchers, if ImageMagick encounters a filename of “-”, it will attempt to read data from standard input, causing the process to block indefinitely and potentially stalling system performance and availability.
Additionally, should the filename reference an actual file on the server’s file system—such as “/etc/passwd”—the image processing operation may inadvertently embed the contents of that file in the resulting image. This poses considerable risks not only to server integrity but also to the confidentiality of the data being processed.
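A defender can screen uploads for the pattern described above before they reach ImageMagick. The following scanner is an added example (not code from Metabase Q or the ImageMagick project): it walks the PNG chunk list, decodes tEXt, zTXt and iTXt chunks, and flags any text value that names standard input (“-”) or looks like a file path. It is deliberately keyword-agnostic, so it catches the pattern whatever metadata key carries it; `make_sample_png` only builds constructed test input.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}


def iter_chunks(data: bytes):
    """Yield (chunk type, payload) for every chunk up to and including IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        if len(payload) != length:
            raise ValueError("truncated chunk")
        yield ctype, payload
        pos += 12 + length  # 4 length + 4 type + payload + 4 CRC
        if ctype == b"IEND":
            break


def text_chunk_value(ctype: bytes, payload: bytes) -> tuple[str, str]:
    """Return (keyword, text) for a tEXt/zTXt/iTXt chunk, inflating compressed text."""
    keyword, _, rest = payload.partition(b"\x00")
    if ctype == b"tEXt":
        text = rest
    elif ctype == b"zTXt":
        text = zlib.decompress(rest[1:])  # rest[0] is the compression method
    else:  # iTXt: flag, method, language tag\0, translated keyword\0, text
        flag, rest = rest[0], rest[2:]
        _, _, rest = rest.partition(b"\x00")
        _, _, rest = rest.partition(b"\x00")
        text = zlib.decompress(rest) if flag else rest
    return keyword.decode("latin-1"), text.decode("utf-8", "replace")


def suspicious_text_chunks(data: bytes) -> list[tuple[str, str]]:
    """Flag text values that name stdin ('-') or an absolute/traversing path."""
    hits = []
    for ctype, payload in iter_chunks(data):
        if ctype in TEXT_CHUNKS:
            keyword, value = text_chunk_value(ctype, payload)
            value = value.strip()
            if value == "-" or value.startswith("/") or ".." in value:
                hits.append((keyword, value))
    return hits


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_sample_png(text_chunks) -> bytes:
    """Constructed 1x1 greyscale PNG carrying the given (keyword, value) tEXt chunks."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    body = [_chunk(b"IHDR", ihdr)]
    body += [_chunk(b"tEXt", k.encode() + b"\x00" + v.encode()) for k, v in text_chunks]
    body += [_chunk(b"IDAT", zlib.compress(b"\x00\x00")), _chunk(b"IEND", b"")]
    return PNG_SIGNATURE + b"".join(body)
```

Run the scanner on every uploaded PNG and reject (and log) any file that produces hits; an empty list means no text chunk carries a path-like value.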
The attack vectors associated with these vulnerabilities align with several techniques outlined in the MITRE ATT&CK framework: initial access through the malicious upload and collection of data from the system describe how adversaries would use this exploit. Furthermore, the potential for privilege escalation exists, particularly if the attacker can use uploaded images to obtain unauthorized access to critical data.
This latest revelation marks another chapter in ImageMagick’s history of cybersecurity challenges. Previously, vulnerabilities such as the critical “ImageTragick” flaw discovered in May 2016 showcased the software’s susceptibility to remote code execution when processing user-supplied images. A subsequent shell injection vulnerability surfaced in November 2020, demonstrating how attackers could execute arbitrary commands while converting protected PDFs to images.
As businesses increasingly rely on image processing systems like ImageMagick for various applications, understanding and mitigating these vulnerabilities becomes essential for safeguarding organizational assets. Being proactive in updating and patching software, alongside rigorous security monitoring, is a vital step in defending against such attacks. Cybersecurity should remain a focal point for business owners as they navigate the digital landscape, ensuring that they remain protected against evolving threats.