====================================================================

                              CERT-Renater

                  Note d'Information No. 2016/VULN186
_____________________________________________________________________

DATE                : 04/05/2016

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running ImageMagick version prior to
                                 7.0.1-1, 6.9.3-10.

======================================================================
https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588#p132726
____________________________________________________________________


ImageMagick Security Issue


Postby magick » 2016-05-03T04:29:00-07:00

We have recently received vulnerability reports for certain coders,
they include possible remote code execution and ability to render files
on the local system. The ImageMagick policy was developed many years
ago to help prevent possible exploits and is discussed here:
https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=26801.
To prevent these possible exploits, simply add

      <policy domain="coder" rights="none" pattern="EPHEMERAL" />
      <policy domain="coder" rights="none" pattern="HTTPS" />
      <policy domain="coder" rights="none" pattern="MVG" />
      <policy domain="coder" rights="none" pattern="MSL" />

to your policy.xml file. For HTTPS, you can also remove support by
deleting it from the delegates.xml configuration file.

We have secured these coders in ImageMagick 7.0.1-1 and 6.9.3-10
(available by this weekend) by sanitizing the HTTPS parameters and
preventing indirect reads with this policy:

      <policy domain="path" rights="none" pattern="@*" />

If you require the HTTPS, MVG, or MSL coders, the above policy is
sufficient to prevent exploits.

You can verify your policies with this command:

Code: Select all
-> convert -list policy
Path: ImageMagick-7/policy.xml
    Policy: Resource
      name: time
      value: 120
    Policy: Resource
      name: throttle
      value: 0
    Policy: Resource
      name: thread
      value: 2
    Policy: Resource
      name: file
      value: 768
    Policy: Resource
      name: disk
      value: 1GiB
    Policy: Resource
      name: map
      value: 512MiB
    Policy: Resource
      name: memory
      value: 256MiB
    Policy: Resource
      name: area
      value: 128MB
    Policy: Resource
      name: height
      value: 8KP
    Policy: Resource
      name: width
      value: 8KP
    Policy: Resource
      name: temporary-path
      value: /tmp
    Policy: System
      name: precision
      value: 6
    Policy: Unrecognized
      rights: None
    Policy: Coder
      rights: None
      pattern: MSL
    Policy: Coder
      rights: None
      pattern: MVG
    Policy: Path
      rights: None
      pattern: @*

Path: [built-in]
    Policy: Undefined
      rights: None


==========================================================
Serveur de référence du CERT-Renater
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================