File: root - text - article - 2016 - 05 - quickhost-urgent-network-security.txt
Tags: Security | English | Category: Computer Science | 295 reads, 24514 searches | 453 words
Dear Zhihua Lai (Ranplan),

New Vulnerabilities (CVE-2016-3714) in ImageMagick used by most Linux server OS's.

You can read the article on the redhat online security blog: http://arstechnica.com/security/2016/05/easily-exploited-bug-exposes-huge-number-of-sites-to-code-execution-attacks/

About the vulnerability:

The vulnerability resides in ImageMagick, a widely used image-processing library that's supported by PHP, Ruby, NodeJS, Python, and about a dozen other languages. Many social media and blogging sites, as well as a large number of content management systems, directly or indirectly rely on ImageMagick-based processing so they can resize images uploaded by end users.

Background Information:

According to developer and security researcher Ryan Huber, ImageMagick suffers from a vulnerability that allows malformed images to force a Web server to execute code of an attacker's choosing. Websites that use ImageMagick and allow users to upload images are at risk of attacks that could completely compromise their security.

"The exploit is trivial, so we expect it to be available within hours of this post," Huber wrote in a blog post published Tuesday. He went on to say: "We have collectively determined that these vulnerabilities are available to individuals other than the person(s) who discovered them. An unknowable number of people having access to these vulnerabilities makes this a critical issue for everyone using this software."

ImageMagick maintainers have also acknowledged the possibility of critical vulnerabilities allowing remote code execution. They haven't issued any patches, but they did suggest website administrators add several lines of code to configuration files to block at least some of the possible exploits. Huber has made the same recommendation and put the lines in this downloadable file. He went a step further by advising sites that use ImageMagick to also verify that all uploaded image files begin with the expected “magic bytes” corresponding to the image file types before allowing the files to be processed. Admins should consider temporarily suspending image uploading in cases where these mitigations can't immediately be put in place.
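The "magic bytes" check the advisory recommends, as an added example written for this page (not QuickHostUK's, Huber's or ImageMagick's own code): the signature table, the allowed-extension map and the function names are assumptions chosen for the illustration. The gate runs before the upload is handed to ImageMagick and refuses anything whose leading bytes do not match the type its filename claims, so ImageMagick never gets to pick a coder from the file's content.

```python
# Added example for this page, not code from the advisory or from ImageMagick.
# Gate uploads on their leading bytes before ImageMagick ever sees them.
from typing import Optional

# Assumed signature table: (offset, bytes) pairs; all pairs must match.
SIGNATURES = {
    "jpeg": [(0, b"\xff\xd8\xff")],
    "png":  [(0, b"\x89PNG\r\n\x1a\n")],
    "gif":  [(0, b"GIF8")],            # covers GIF87a and GIF89a
    "webp": [(0, b"RIFF"), (8, b"WEBP")],
}
# Assumed allow-list: which filename extensions the upload form accepts.
ALLOWED_EXTENSIONS = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png",
                      "gif": "gif", "webp": "webp"}


def detect_type(head: bytes) -> Optional[str]:
    """Return the image type whose magic bytes match the file head, else None."""
    for name, parts in SIGNATURES.items():
        if all(head[off:off + len(sig)] == sig for off, sig in parts):
            return name
    return None


def check_upload(filename: str, head: bytes) -> tuple:
    """Accept only if the extension is allowed AND the magic bytes agree with it.

    `head` is the first bytes of the upload; 12 bytes cover the table above.
    Returns (accepted, detected_type_or_reason)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = ALLOWED_EXTENSIONS.get(ext)
    if declared is None:
        return False, f"extension '{ext}' is not an allowed image type"
    actual = detect_type(head)
    if actual is None:
        # No known signature: do not let ImageMagick sniff the format itself.
        return False, "no known image signature"
    if actual != declared:
        return False, f"content is {actual} but the name claims {declared}"
    return True, actual


if __name__ == "__main__":
    # Constructed sample uploads (not real files): a PNG head, an XML/SVG
    # document renamed to .jpg, and a JFIF head under a .jpeg name.
    samples = {
        "photo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
        "photo.jpg": b'<?xml version="1.0"?>\n<svg',
        "photo.jpeg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    }
    for name, head in samples.items():
        print(name, check_upload(name, head))
```

This check complements, rather than replaces, the policy-file restrictions the maintainers recommend: it only stops content that does not look like the declared raster type, so the coder policy still has to disable the dangerous coders for files that pass it.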

If you are not a QuickHostUK Managed Hosting customer please ensure you have also taken the appropriate actions to secure your own servers. Alternatively, we can handle this for you with our ad hoc management scheme, which for this occurrence would be £50 inc VAT per server.

Please contact us if you wish to utilise this service or if you have any questions.

Kind Regards,

QuickHostUK Limited

Email: [email protected]
Web: www.quickhostuk.com
Phone: 0845 576 0523

Copyright © 2016 QuickHostUK Limited - All Rights Reserved.
Registered in England and Wales. No. 08582667 | VAT Reg No: GB 131 1695 38

Follow us on Twitter for news & live updates - https://twitter.com/QuickHostUK
Tell us what you think - https://www.facebook.com/QuickHostUK?sk=reviews




Last updated: October 30 2020 14:21:12