On May 3rd, ImageMagick disclosed a serious Remote Code Execution vulnerability (CVE-2016-3714) that allows attackers to execute malware hidden in image uploads. ImageMagick is widely used to process images, and is used through libraries for PHP, Ruby, Node.js, Python and many other languages. As of this writing, there are confirmed server hacks using exploits already in the public domain, and it is best to secure your server ASAP.
General fix for all ImageMagick installations
ImageMagick has not released a patch yet, but a workaround has been suggested: prevent automatic processing of non-standard image formats (that is, formats other than the common ones like JPG, GIF, etc.). For this, edit the policy.xml file (usually located in /etc/) and add the following lines to it:
<policymap>
...
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="HTTP" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="FTP" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<policy domain="coder" rights="none" pattern="TEXT" />
<policy domain="coder" rights="none" pattern="LABEL" />
</policymap>
Shut down all web services and restart them to apply the changes.
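An added check, not part of the original article or of any vendor tooling: after editing, this Python script confirms that each policy.xml location named in this article denies all nine coders. It parses the XML rather than grepping, so a commented-out line or a line with different rights does not count as a fix; the sample policy is constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET

# Coders the article's workaround disables.
REQUIRED = {"EPHEMERAL", "HTTPS", "HTTP", "URL", "FTP", "MVG", "MSL", "TEXT", "LABEL"}

# policy.xml locations named in this article; add your own for custom installs.
POLICY_PATHS = [
    "/etc/ImageMagick/policy.xml",
    "/usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml",
    "/opt/alt/alt-ImageMagick/etc/ImageMagick-6/policy.xml",
    "/opt/cloudlinux/lib/ImageMagick-6.5.4/config/policy.xml",
]

def missing_coders(policy_xml):
    """Return the required coders that policy_xml does not deny, sorted."""
    root = ET.fromstring(policy_xml)  # the parser drops <!-- comments -->
    denied = {
        # Strict match against the exact lines the article gives.
        p.get("pattern") for p in root.iter("policy")
        if p.get("domain") == "coder" and p.get("rights") == "none"
    }
    return sorted(REQUIRED - denied)

def audit(paths=POLICY_PATHS):
    """Map each policy file that exists to its list of missing coders."""
    report = {}
    for path in paths:
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                report[path] = missing_coders(fh.read())
    return report

# Constructed sample: MVG is only inside a comment, MSL has rights="read".
SAMPLE = """<policymap>
  <!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="HTTP" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="FTP" />
  <policy domain="coder" rights="read" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="LABEL" />
</policymap>"""

if __name__ == "__main__":
    print("sample is missing:", missing_coders(SAMPLE))
    for path, missing in audit().items():
        print(path, "OK" if not missing else "MISSING: " + ", ".join(missing))
```

Run it as root on the server after each edit; any path reported as MISSING still needs the corresponding policy lines.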
cPanel/WHM
cPanel has already released patches for this vulnerability. To apply the patch, run the autorepair script in the terminal:
# /scripts/autorepair mitigate_imagemagick_cve
You can also do that using WHM by adding “/scripts2/autofixer” to your WHM URL:
https://xx.xx.xx.xx:2087/cpsess<xxxxxx>/scripts2/autofixer
Then enter “mitigate_imagemagick_cve” under “Enter Script Name”.
If you have an older version of cPanel, you may want to manually fix this. You can do so by editing the file “/usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml”, and making the following changes in the “<policymap>” section:
<policymap>
...
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="HTTP" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="FTP" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<policy domain="coder" rights="none" pattern="TEXT" />
<policy domain="coder" rights="none" pattern="LABEL" />
</policymap>
If you’ve custom installed ImageMagick, the policy file would be in some other location such as “/etc/ImageMagick/policy.xml” (in RedHat systems).
Plesk
Plesk has not yet released a custom advisory about this vulnerability. You can check if you have ImageMagick installed in your Plesk server using the command:
For RedHat/CentOS/CloudLinux
# rpm -qa | grep -i image
For Ubuntu/Debian
# dpkg -l | grep -i image
If it is installed, follow the steps for your OS as mentioned under the relevant section in this article.
DirectAdmin
DirectAdmin has not yet released a custom advisory about this vulnerability. You can check if you have ImageMagick installed in your DA server using the command:
For RedHat/CentOS
# rpm -qa | grep -i image
For Ubuntu/Debian
# dpkg -l | grep -i image
If it is installed, follow the steps for your OS as mentioned under the relevant section in this article.
CloudLinux
In CloudLinux servers that have CageFS enabled, a copy of the policy file may be present in each individual user’s environment. So, follow the steps below to force all accounts to reload the new ImageMagick policy file:
Edit the files:
/opt/alt/alt-ImageMagick/etc/ImageMagick-6/policy.xml
/opt/cloudlinux/lib/ImageMagick-6.5.4/config/policy.xml
/etc/ImageMagick/policy.xml
Make the following changes in <policymap> section.
<policymap>
...
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="HTTP" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="FTP" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<policy domain="coder" rights="none" pattern="TEXT" />
<policy domain="coder" rights="none" pattern="LABEL" />
</policymap>
Then reload CageFS using:
cagefsctl --force-update
CentOS/RedHat
In RHEL/CentOS 6 and 7, the file /etc/ImageMagick/policy.xml should be edited, and the following changes need to be made to the “<policymap>” section:
<policymap>
...
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="HTTP" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="FTP" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<policy domain="coder" rights="none" pattern="TEXT" />
<policy domain="coder" rights="none" pattern="LABEL" />
</policymap>
In RHEL/CentOS 5, the files “mvg.so”, “msl.so”, and “label.so” need to be made inaccessible. They are found under:
/usr/lib64/ImageMagick-6.2.8/modules-Q16/coders/ in 64 bit servers
or
/usr/lib/ImageMagick-6.2.8/modules-Q16/coders/ in 32 bit servers
Rename the files by:
# mv mvg.so mvg.so_bak
# mv msl.so msl.so_bak
# mv label.so label.so_bak
If you have older CentOS or RHEL servers, it is best to have it audited by a server admin.
Ubuntu/Debian
In Ubuntu and Debian systems, the file /etc/ImageMagick/policy.xml needs to be edited, and the following changes need to be made to the “<policymap>” section:
<policymap>
...
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="HTTP" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="FTP" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<policy domain="coder" rights="none" pattern="TEXT" />
<policy domain="coder" rights="none" pattern="LABEL" />
</policymap>
If you have trouble locating the policy file or are not sure of making the changes, it is best to have the server audited by a server admin.
Other Linux systems
As of this post, none of the major Linux distributions have a patch for the vulnerability, BUT exploits can be avoided by preventing auto-processing of non-standard image formats. As explained in the general mitigation approach above, you can prevent malicious code execution by updating the policy.xml file.
You must keep in mind that the ImageMagick library is used by a large number of programming languages such as PHP, Python, Ruby, Node.js, etc. So, it is possible that applications on your server could be using it quite frequently. If you are not sure how to make the changes, or if the changes will affect your applications, it is best to get a sysadmin to audit your server.