Bobcares

How to fix ImageMagick vulnerability (aka ImageTragick) in cPanel, Plesk, DirectAdmin, CentOS, Ubuntu, RedHat, Debian and other Linux servers


On May 3rd, ImageMagick disclosed a serious Remote Code Execution vulnerability (CVE-2016-3714) that allows attackers to execute malware hidden in image uploads. ImageMagick is widely used to process images, and is called from PHP, Ruby, Node.js, Python and many other language libraries. As of this writing, there are confirmed server hacks using exploits already in the public domain, and it is best to secure your server ASAP.

General fix for all ImageMagick installations

ImageMagick has not released a patch yet, but a workaround has been suggested: prevent ImageMagick from automatically processing non-standard image formats (anything other than JPG, GIF, etc.). To apply it, edit the policy.xml file (usually located under /etc/) and add the following lines to it:

<policymap>
...
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="HTTP" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="FTP" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<policy domain="coder" rights="none" pattern="TEXT" />
<policy domain="coder" rights="none" pattern="LABEL" />
</policymap>

Shut down all web services and restart them to apply the changes.
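The same policy.xml edit is applied in every distribution section of this article, so it helps to verify that the file you ended up with actually denies all nine coders. The following script is an added example written for this article (not part of the original post and not ImageMagick's own tooling); the sample policy text inside it is constructed, and the path argument is whichever policy.xml your server uses:

```python
import sys
import xml.etree.ElementTree as ET

# Coders the article's policy.xml workaround disables with rights="none".
REQUIRED_DENIED = ["EPHEMERAL", "HTTPS", "HTTP", "URL", "FTP",
                   "MVG", "MSL", "TEXT", "LABEL"]

# Constructed sample: a policy.xml where the workaround was only partly applied.
SAMPLE_PARTIAL_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="{HTTPS,HTTP,URL,FTP}" />
  <policy domain="coder" rights="read" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>"""


def missing_coder_denials(policy_xml):
    """Return the coders from REQUIRED_DENIED that policy_xml does not deny.
    An entry that names a coder but grants any right other than "none"
    (e.g. rights="read") still lets ImageMagick load it, so it counts as missing."""
    denied = set()
    for pol in ET.fromstring(policy_xml).iter("policy"):
        if pol.get("domain") != "coder":
            continue
        if pol.get("rights", "").strip().lower() != "none":
            continue
        # Patterns are compared as written (the workaround uses upper-case names);
        # the simple {A,B} glob form is expanded and "*" denies every coder.
        pattern = pol.get("pattern", "").strip()
        if pattern == "*":
            denied.update(REQUIRED_DENIED)
        elif pattern.startswith("{") and pattern.endswith("}"):
            denied.update(p.strip() for p in pattern[1:-1].split(","))
        else:
            denied.add(pattern)
    return [c for c in REQUIRED_DENIED if c not in denied]


if __name__ == "__main__":
    # Usage: python check_policy.py /etc/ImageMagick/policy.xml
    # (with no argument the constructed sample above is checked instead)
    text = (open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1
            else SAMPLE_PARTIAL_POLICY)
    missing = missing_coder_denials(text)
    if missing:
        print("policy still allows coders:", ", ".join(missing))
        sys.exit(1)
    print("all coders from the workaround are denied")
```

Run it against the policy.xml path given for your distribution below; as an independent check, `convert -list policy` prints the policy ImageMagick actually loaded, which catches the case where the file you edited is not the one being read.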

cPanel/WHM

cPanel has already released patches for this vulnerability. To apply the patch, run the autorepair script in the terminal:

# /scripts/autorepair mitigate_imagemagick_cve

You can also do that using WHM by adding “/scripts2/autofixer” to your WHM URL:

https://xx.xx.xx.xx:2087/cpsess<xxxxxx>/scripts2/autofixer

Then enter “mitigate_imagemagick_cve” under “Enter Script Name”.

If you have an older version of cPanel, you may want to manually fix this. You can do so by editing the file “/usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml”, and making the following changes in the “<policymap>” section:

<policymap>
...
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="HTTP" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="FTP" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<policy domain="coder" rights="none" pattern="TEXT" />
<policy domain="coder" rights="none" pattern="LABEL" />
</policymap>

If you installed ImageMagick manually, the policy file will be in some other location, such as “/etc/ImageMagick/policy.xml” on RedHat systems.

Plesk

Plesk has not yet released a specific advisory about this vulnerability. You can check whether ImageMagick is installed on your Plesk server using the command:

For RedHat/CentOS/CloudLinux

# rpm -qa | grep -i image

For Ubuntu/Debian

# dpkg -l | grep -i image

If it is installed, follow the steps for your OS as mentioned under the relevant section in this article.

DirectAdmin

DirectAdmin has not yet released a specific advisory about this vulnerability. You can check whether ImageMagick is installed on your DA server using the command:

For RedHat/CentOS

# rpm -qa | grep -i image

For Ubuntu/Debian

# dpkg -l | grep -i image

If it is installed, follow the steps for your OS as mentioned under the relevant section in this article.

CloudLinux

On CloudLinux servers that have CageFS enabled, a copy of the policy file may be present in each user’s CageFS environment. So, follow the steps below to force all accounts to reload the new ImageMagick policy file:

Edit the files:

/opt/alt/alt-ImageMagick/etc/ImageMagick-6/policy.xml
/opt/cloudlinux/lib/ImageMagick-6.5.4/config/policy.xml
/etc/ImageMagick/policy.xml

Make the following changes in the <policymap> section:

<policymap>
...
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="HTTP" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="FTP" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<policy domain="coder" rights="none" pattern="TEXT" />
<policy domain="coder" rights="none" pattern="LABEL" />
</policymap>

Then reload CageFS using:

cagefsctl --force-update

CentOS/RedHat

In RHEL/CentOS 6 and 7, the file /etc/ImageMagick/policy.xml should be edited, and the following changes need to be made to the “<policymap>” section:

<policymap>
...
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="HTTP" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="FTP" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<policy domain="coder" rights="none" pattern="TEXT" />
<policy domain="coder" rights="none" pattern="LABEL" />
</policymap>

In RHEL/CentOS 5, the files “mvg.so”, “msl.so”, and “label.so” need to be made inaccessible. They are found under:

/usr/lib64/ImageMagick-6.2.8/modules-Q16/coders/ (64-bit servers)
or
/usr/lib/ImageMagick-6.2.8/modules-Q16/coders/ (32-bit servers)

Rename the files by:

 # mv mvg.so mvg.so_bak
 # mv msl.so msl.so_bak
 # mv label.so label.so_bak

If you have older CentOS or RHEL servers, it is best to have them audited by a server admin.

Ubuntu/Debian

In Ubuntu and Debian systems, the file /etc/ImageMagick/policy.xml needs to be edited, and the following changes need to be made to the “<policymap>” section:

<policymap>
...
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="HTTP" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="FTP" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<policy domain="coder" rights="none" pattern="TEXT" />
<policy domain="coder" rights="none" pattern="LABEL" />
</policymap>

If you have trouble locating the policy file or are not sure about making the changes, it is best to have the server audited by a server admin.

Other Linux systems

As of this post, none of the major Linux distributions have a patch for the vulnerability, but exploits can be avoided by preventing auto-processing of non-standard image formats. As explained in the general mitigation approach above, you can prevent malicious code execution by updating the policy.xml file.

Keep in mind that the ImageMagick library is used by a large number of programming languages such as PHP, Python, Ruby, Node.js, etc., so applications on your server could be using it quite frequently. If you are not sure how to make the changes, or whether the changes will affect your applications, it is best to get a sysadmin to audit your server.
