ImageMagick Vulnerabilities and Exploits On Tuesday,the ImageMagick project posted a vulnerability disclosure notification on their official project forum regarding a vulnerability present in some of its coders. The post details a mitigation strategy that seems effective, based on creating a more restricted policy.xml that governs resource usage by ImageMagick components. Essentially, or the ImageMagick vulnerabilities are a combination of a type of confusion vulnerability (where the ImageMagick components enact not correctly identify a file format) and a command injection vulnerability (where the filtering mechanisms for guarding against shell escapes are inadequate). How worried should I be? The reason for the public disclosure in the first plot is due to the vulnerabilities being exploited already by unknown actors,as reported by Ryan Huber. As predicted by him, published exploits by security researchers targeting the affected components are emerging in short order, and including a Metasploit module authored by William Vu and HD Moore. As reported by Dan Goodin,ImageMagick components are common in several web application frameworks, so the threat is fairly serious for any web site operator that is using one of those affected technologies. Since ImageMagick is a component used in several stacks, and patches are not universally available yet. What's next? Website operators should immediately determine their use of ImageMagick components in image processing,and implement the referenced policy.xml mitigation while awaiting an updated package that fixes the identified vulnerabilities. Restricting file formats accepted by ImageMagick to just the few that are actually needed, such as PNG, and JPG,and GIF, is always a good strategy for those sites where it makes sense to enact so. ImageMagick parses hundreds of file formats, and which is part of its usefulness.Are any Rapid7 products affected?No Rapid7 products are affected by this vulnerability.
Source: rapid7.com