cPanel Security Team - CVE-2016-3714 ImageMagick

Comments

11 comments

  • sneader
    For systems running CloudLinux, there are a couple other files that you will also need to change. See the CloudLinux blog for details at: ImageMagick Filtering Vulnerability - CVE-2016-3714

    Question for @cPanelCory -- I noticed that CloudLinux has a couple extra policymap lines -- what are your thoughts about adding those to the cPanel fix as well?

    - Scott
    0
  • mtindor
    I noticed that the WHM 54 LTS update last night did install a new cpanel-ImageMagick RPM

        [2016-05-05 01:30:16 -0400] Installing new rpms: cpanel-ImageMagick-6.9.0-4.cp1154.x86_64.rpm

        rpm -q --changelog cpanel-ImageMagick | grep CVE-2016-3714
        - Apply workaround for CVE-2016-3714

    I had already modified my own policy files prior to this. Of course, the update didn't touch the CL-included ImageMagick policy file (and I wouldn't expect it to I guess), and anyone running Cloudlinux should follow CL's instructions on their blog for thoroughness ( ImageMagick Filtering Vulnerability - CVE-2016-3714 ). CloudLinux instructs how/where to modify ALL applicable policy.xml files and actually disables more patterns than what the cPanel instructions disable.

        find / -name policy.xml -type f|xargs ls -alt
        -rw-r--r-- 1 root root 2747 May 4 15:07 /opt/alt/alt-ImageMagick/etc/ImageMagick-6/policy.xml
        -rw-r--r-- 1 root root 2747 May 4 15:07 /usr/share/cagefs-skeleton/opt/alt/alt-ImageMagick/etc/ImageMagick-6/policy.xml
        -rw-r--r-- 1 root root 2778 May 3 22:16 /usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml

        stat /opt/alt/alt-ImageMagick/etc/ImageMagick-6/policy.xml
        File: `/opt/alt/alt-ImageMagick/etc/ImageMagick-6/policy.xml'
        Size: 2747 Blocks: 8 IO Block: 4096 regular file
        Device: 803h/2051d Inode: 13370477 Links: 1
        Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
        Access: 2016-05-04 15:20:32.872036362 -0400
        Modify: 2016-05-04 15:07:09.731442395 -0400
        Change: 2016-05-04 15:07:09.731442395 -0400

        stat /usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml
        File: `/usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml'
        Size: 2778 Blocks: 8 IO Block: 4096 regular file
        Device: 803h/2051d Inode: 7738665 Links: 1
        Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
        Access: 2016-05-05 01:30:33.517967565 -0400
        Modify: 2016-05-03 22:16:47.000000000 -0400
        Change: 2016-05-05 01:30:16.092004023 -0400

    So, in summary:

    1. Is it safe to assume that since the update accessed-changed /usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml, that the reason why it didn't actually modify it is because it compared the contents and found the workaround already in those files?

    2. CloudLinux suggests disabling two more coders as well as modifying additional CL-specific files and running cagefsctl --force-update. See this post: ImageMagick Filtering Vulnerability - CVE-2016-3714

    3. Redhat and ImageMagick suggest disabling more coders and adding another line. But they appear to suggest that the "path" line addition is only something available in the latest ImageMagick versions and [I'm guessing] probably would not have any effect if policy.xml in older versions was edited further.

       ImageMagick Security Issue - ImageMagick
       ImageMagick Filtering Vulnerability - CVE-2016-3714 - Red Hat Customer Portal

    So it's really hard to tell if people not running the latest ImageMagick should add the line. I just thought I'd mention the Redhat / ImageMagick URLs since they both appear to have been updated since yesterday.

    Mike
    0
  • sneader
    It appears that RedHat's mitigation directions have NINE additions to the policymap vs cPanel's FIVE: ImageMagick Filtering Vulnerability - CVE-2016-3714 - Red Hat Customer Portal - Scott
    0
  • cPanelJackson
    This issue continues to evolve as new information rolls in. The coders we recommend to disable are effective against the payloads discovered initially, but it would be prudent to follow RedHat's recommendations since they have diverged from the original guidance.

    It is also worth noting that RedHat has marked the CentOS5 ImageMagick package as "won't fix", we therefore recommend you either remove the CentOS5 provided ImageMagick package or follow the mitigation steps listed in their security advisory: ImageMagick Filtering Vulnerability - CVE-2016-3714 - Red Hat Customer Portal

    If you manually modified /usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml it's likely the patch would have failed when you updated, and you will probably also get RPM verify failure notifications, but it will still have the desired mitigation impact.

    We will provide additional information as necessary at the knowledge base article linked below: CVE-2016-3714 ImageMagick - cPanel Knowledge Base - cPanel Documentation
    0
  • Nirjonadda
    How to Update cpanel-ImageMagick to 6.9.0-4.cp1154?
    [security] Fixed case CPANEL-5973: Update cpanel-ImageMagick to 6.9.0-4.cp1154.
    0
  • Nirjonadda
    I have updated cPanel to 56.0 (build 14) but Imagick is still compiled with ImageMagick version ImageMagick 6.7.2-7 2015-07-23 Q16
    0
  • cPanelMichael
    I have updated cPanel to 56.0 (build 14) but Imagick is still compiled with ImageMagick version ImageMagick 6.7.2-7 2015-07-23 Q16

    Hello, You can review the "How to determine if your server is up to date" section of the following document: CVE-2016-3714 ImageMagick - cPanel Knowledge Base - cPanel Documentation Please also see this quote from the earlier post to this thread:
    How to mitigate the vulnerability for other ImageMagick installations

    If you have a local installation of ImageMagick, we recommend that you use a policy file to disable the vulnerable ImageMagick coders. We will attempt to use the WHM Autofixer to update the policy.xml file. The global policy for ImageMagick is usually found in the /etc/ImageMagick/policy.xml file. The following policy.xml example disables the coders EPHEMERAL, URL, HTTPS, MVG, and MSL:

    Thank you.
    0
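
Added example, not part of the original thread and not cPanel's or CloudLinux's own tooling: a Python audit for the situation the posts above describe, where several policy.xml files exist and each one must disable the listed coders. It assumes ImageMagick's `<policy domain="coder" rights="none" pattern="..."/>` entry format and counts any matching deny entry as sufficient (rule ordering and `{a,b}` brace patterns are not modelled); `missing_coders`, `audit_files` and the sample data are constructed for illustration.

```python
import fnmatch
import sys
import xml.etree.ElementTree as ET

# The five coders named in the cPanel guidance quoted in this thread.
CPANEL_CODERS = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL")

# Constructed sample: two active deny entries, one entry left commented out.
SAMPLE_PARTIAL = """<policymap>
  <!-- <policy domain="coder" rights="none" pattern="URL" /> -->
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>"""

def missing_coders(policy_xml, required=CPANEL_CODERS):
    """Return the required coders that no active rights="none" entry covers.

    Parsing the XML (rather than grepping) means commented-out entries,
    which look correct to a text search, are not counted.
    """
    root = ET.fromstring(policy_xml)
    denied = [
        p.get("pattern", "").upper()
        for p in root.iter("policy")
        if p.get("domain", "").lower() == "coder"
        and p.get("rights", "").lower() == "none"
    ]
    return [c for c in required
            if not any(fnmatch.fnmatchcase(c.upper(), pat) for pat in denied)]

def audit_files(paths, required=CPANEL_CODERS):
    """Map each policy.xml path to its missing coders, or to an error string."""
    report = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                report[path] = missing_coders(fh.read(), required)
        except (OSError, ET.ParseError) as exc:
            report[path] = f"unreadable: {exc}"
    return report

if __name__ == "__main__":
    # Pass every policy.xml that `find / -name policy.xml -type f` reports.
    for path, result in audit_files(sys.argv[1:]).items():
        print(path, "->", result if result else "all required coders disabled")
```

To check against a longer list such as Red Hat's or CloudLinux's, pass that list as `required`.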
  • gryzli
    Do you guys know any fixes for Centos 5.x based systems, which use ImageMagick 6.2.8, where policy.xml is not supported?

    [Update about the ImageMagick Vulnerability]

    The guys from ImageTragick have updated the exclusion list you must enter in policy.xml. Here is the latest list:

    0
  • cPanelMichael
    Do you guys know any fixes for Centos 5.x based systems, which use ImageMagick 6.2.8, where policy.xml is not supported?

    Hello, I've moved your post into this thread. Here's a quote from a post above:
    It is also worth noting that RedHat has marked the CentOS5 ImageMagick package as "won't fix", we therefore recommend you either remove the CentOS5 provided ImageMagick package or follow the mitigation steps listed in their security advisory: ImageMagick Filtering Vulnerability - CVE-2016-3714 - Red Hat Customer Portal

    Thank you.
    0
  • gryzli
    @cPanelMichael, Thanks a lot for this info !
    0
  • rpvw
    Seems that there is yet another issue that needs dealing with blog.fuzzing-project.org/45-ImageMagick-heap-overflow-and-out-of-bounds-read.html
    0
