cPanel Security Team - CVE-2016-3714 ImageMagick
Background Information
On Tuesday, May 3 2016, ImageMagick announced a vulnerability in all versions of the ImageMagick software. ImageMagick is a software
package commonly used by web services to process images.
Impact
One of the reported vulnerabilities can potentially be exploited for remote code execution (RCE).
Releases
ImageMagick has not released a fix, but plans to publish a new version of ImageMagick with the fixes soon. cPanel normally releases all builds at once in order to limit the ability to reverse engineer fixes. However, this vulnerability is already widely known and we have seen reports of its use. In this instance, we plan to release builds as soon as they become available.
At this time the following builds are available:
11.56 11.56.0.13
EDGE 11.55.9999.193
CURRENT 11.56.0.13
RELEASE 11.56.0.13
How to determine if your server is up to date
The updated RPMs provided by cPanel will contain a changelog entry with a CVE number. To view this changelog entry run the following command:
rpm -q --changelog cpanel-ImageMagick | grep CVE-2016-3714
The output should resemble the following:
- Apply workaround for CVE-2016-3714
What to do if you are not up to date
If your server is not running one of the above versions, update immediately.
To upgrade your server, navigate to WHM's Upgrade to Latest Version interface (Home >> cPanel >> Upgrade to Latest Version) and click 'Click to Upgrade'.
To upgrade cPanel from the command line run the following commands:
/scripts/upcp
/scripts/check_cpanel_rpms --fix --long-list
To verify the new cpanel-ImageMagick RPM was installed run the following command:
rpm -q --changelog cpanel-ImageMagick | grep CVE-2016-3714
The output should resemble the following:
- Apply workaround for CVE-2016-3714
Manual mitigation
We will publish builds for 11.54, 11.52 and 11.50 as soon as they become available. For 11.54, 11.52, and 11.50, you can manually mitigate this vulnerability with the following instructions.
Open the following file:
/usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml
Update the file to match the policy example below to disable the EPHEMERAL, URL, HTTPS, MVG, and MSL coders:
How to mitigate the vulnerability for other ImageMagick installations
If you have a local installation of ImageMagick, we recommend that you use a policy file to disable the vulnerable ImageMagick coders. We will attempt to use the WHM Autofixer to update the policy.xml file. The global policy for ImageMagick is usually found in the /etc/ImageMagick/policy.xml file. The following policy.xml example disables the coders EPHEMERAL, URL, HTTPS, MVG, and MSL:
CVE:
For the PGP-Signed version of this document please visit CVE-2016-3714 ImageMagick - cPanel Knowledge Base - cPanel Documentation
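The check below is an added example, not part of the advisory or of cPanel's tooling: it reports which of the five coders named above have no active rights="none" entry in a policy.xml, ignoring entries that sit inside XML comments. It assumes ImageMagick's usual entry form, <policy domain="coder" rights="none" pattern="NAME" /> with double-quoted attributes, because the policy example itself does not appear on this page; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report which coders named in the advisory have no active
# rights="none" entry in a policy.xml. Function names are hypothetical.
CODERS="EPHEMERAL URL HTTPS MVG MSL"

# Print file $1 with XML comments (single- or multi-line) removed, so that
# commented-out <policy> entries are not mistaken for active ones.
strip_comments() {
  awk '{
    line = $0; out = ""
    while (line != "") {
      tok = inc ? "-->" : "<!--"
      i = index(line, tok)
      if (i == 0) { if (!inc) out = out line; break }
      if (!inc) out = out substr(line, 1, i - 1)
      line = substr(line, i + length(tok)); inc = !inc
    }
    print out
  }' "$1"
}

# Print the coders missing from file $1; return 0 only if none are missing.
missing_coders() {
  # One element per line, so attribute order and line wrapping do not matter.
  elements=$(strip_comments "$1" | tr '\n' ' ' | tr '>' '\n' \
    | grep '<policy ' || true)
  missing=""
  for c in $CODERS; do
    printf '%s\n' "$elements" | grep 'domain="coder"' \
      | grep 'rights="none"' | grep -q "pattern=\"$c\"" \
      || missing="$missing $c"
  done
  missing=${missing# }
  printf '%s\n' "$missing"
  [ -z "$missing" ]
}

# Default paths are the two the advisory names; pass others as arguments.
[ $# -gt 0 ] || set -- \
  /usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml \
  /etc/ImageMagick/policy.xml
for f in "$@"; do
  [ -f "$f" ] || continue
  if m=$(missing_coders "$f"); then echo "$f: all five coders disabled"
  else echo "$f: no active rights=\"none\" entry for: $m"; fi
done
```

Only exact coder names are matched, so a policy that blocks a coder through a wildcard pattern is reported as missing and should be reviewed by hand.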
For systems running CloudLinux, there are a couple other files that you will also need to change. See the CloudLinux blog for details at: ImageMagick Filtering Vulnerability - CVE-2016-3714
Question for @cPanelCory -- I noticed that CloudLinux has a couple extra policymap lines -- what are your thoughts about adding those to the cPanel fix as well?
- Scott
I noticed that the WHM 54 LTS update last night did install a new cpanel-ImageMagick RPM
[2016-05-05 01:30:16 -0400] Installing new rpms: cpanel-ImageMagick-6.9.0-4.cp1154.x86_64.rpm
rpm -q --changelog cpanel-ImageMagick | grep CVE-2016-3714
- Apply workaround for CVE-2016-3714
I had already modified my own policy files prior to this. Of course, the update didn't touch the CL-included ImageMagick policy file (and I wouldn't expect it to I guess), and anyone running CloudLinux should follow CL's instructions on their blog for thoroughness ( ImageMagick Filtering Vulnerability - CVE-2016-3714 ). CloudLinux instructs how/where to modify ALL applicable policy.xml files and actually disables more patterns than what the cPanel instructions disable).
find / -name policy.xml -type f|xargs ls -alt
-rw-r--r-- 1 root root 2747 May 4 15:07 /opt/alt/alt-ImageMagick/etc/ImageMagick-6/policy.xml
-rw-r--r-- 1 root root 2747 May 4 15:07 /usr/share/cagefs-skeleton/opt/alt/alt-ImageMagick/etc/ImageMagick-6/policy.xml
-rw-r--r-- 1 root root 2778 May 3 22:16 /usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml
stat /opt/alt/alt-ImageMagick/etc/ImageMagick-6/policy.xml
File: `/opt/alt/alt-ImageMagick/etc/ImageMagick-6/policy.xml'
Size: 2747 Blocks: 8 IO Block: 4096 regular file
Device: 803h/2051d Inode: 13370477 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2016-05-04 15:20:32.872036362 -0400
Modify: 2016-05-04 15:07:09.731442395 -0400
Change: 2016-05-04 15:07:09.731442395 -0400
stat /usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml
File: `/usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml'
Size: 2778 Blocks: 8 IO Block: 4096 regular file
Device: 803h/2051d Inode: 7738665 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2016-05-05 01:30:33.517967565 -0400
Modify: 2016-05-03 22:16:47.000000000 -0400
Change: 2016-05-05 01:30:16.092004023 -0400
So, in summary:
1. Is it safe to assume that since the update accessed-changed /usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml, that the reason why it didn't actually modify it is because it compared the contents and found the workaround already in those files?
2. CloudLinux suggests disabling two more coders as well as modifying additional CL-specific files and running cagefsctl --force-update. See this post: ImageMagick Filtering Vulnerability - CVE-2016-3714
3. Redhat and ImageMagick suggest disabling more coders and adding another line. But they appear to suggest that the "path" line addition is only something available in the latest ImageMagick versions and [I'm guessing] probably would not have any effect if policy.xml in older versions was edited further. ImageMagick Security Issue - ImageMagick ImageMagick Filtering Vulnerability - CVE-2016-3714 - Red Hat Customer Portal
So it's really hard to tell if people not running the latest ImageMagick should add the line. I just thought I'd mention the Redhat / ImageMagick URLs since they both appear to have been updated since yesterday.
Mike
It appears that RedHat's mitigation directions have NINE additions to the policymap vs cPanel's FIVE: ImageMagick Filtering Vulnerability - CVE-2016-3714 - Red Hat Customer Portal
- Scott
This issue continues to evolve as new information rolls in. The coders we recommend to disable are effective against the payloads discovered initially, but it would be prudent to follow RedHat's recommendations since they have diverged from the original guidance.
It is also worth noting that RedHat has marked the CentOS5 ImageMagick package as "won't fix", we therefore recommend you either remove the CentOS5 provided ImageMagick package or follow the mitigation steps listed in their security advisory: ImageMagick Filtering Vulnerability - CVE-2016-3714 - Red Hat Customer Portal
If you manually modified /usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml it's likely the patch would have failed when you updated, and you will probably also get RPM verify failure notifications, but it will still have the desired mitigation impact.
We will provide additional information as necessary at the knowledge base article linked below: CVE-2016-3714 ImageMagick - cPanel Knowledge Base - cPanel Documentation
How to Update cpanel-ImageMagick to 6.9.0-4.cp1154 ? [security] Fixed case CPANEL-5973: Update cpanel-ImageMagick to 6.9.0-4.cp1154.
I have updated cPanel to 56.0 (build 14) but Imagick is still compiled with ImageMagick version ImageMagick 6.7.2-7 2015-07-23 Q16
I have updated cPanel to 56.0 (build 14) but Imagick is still compiled with ImageMagick version ImageMagick 6.7.2-7 2015-07-23 Q16
Hello,
You can review the "How to determine if your server is up to date" section of the following document: CVE-2016-3714 ImageMagick - cPanel Knowledge Base - cPanel Documentation
Please also see this quote from the earlier post to this thread:
How to mitigate the vulnerability for other ImageMagick installations
If you have a local installation of ImageMagick, we recommend that you use a policy file to disable the vulnerable ImageMagick coders. We will attempt to use the WHM Autofixer to update the policy.xml file. The global policy for ImageMagick is usually found in the /etc/ImageMagick/policy.xml file. The following policy.xml example disables the coders EPHEMERAL, URL, HTTPS, MVG, and MSL:
Thank you.
Do you guys know any fixes for Centos 5.x based systems, which use ImageMagick 6.2.8, where policy.xml is not supported ?
[Update about the ImageMagick Vulnerability] The guys from ImageTragick have updated the exclusion list you must enter in policy.xml. Here is the latest list:
Do you guys know any fixes for Centos 5.x based systems, which use ImageMagick 6.2.8, where policy.xml is not supported ?
Hello,
I've moved your post into this thread. Here's a quote from a post above:
It is also worth noting that RedHat has marked the CentOS5 ImageMagick package as "won't fix", we therefore recommend you either remove the CentOS5 provided ImageMagick package or follow the mitigation steps listed in their security advisory: ImageMagick Filtering Vulnerability - CVE-2016-3714 - Red Hat Customer Portal
Thank you.
@cPanelMichael, Thanks a lot for this info!
Seems that there is yet another issue that needs dealing with blog.fuzzing-project.org/45-ImageMagick-heap-overflow-and-out-of-bounds-read.html