cPanel Security Team - CVE-2016-3714 ImageMagick

cPanelCory

Release Manager - EasyApache
Staff member
cPanel Security Team - CVE-2016-3714 ImageMagick


Background Information

On Tuesday, May 3 2016, ImageMagick announced a vulnerability in all versions of the ImageMagick software. ImageMagick is a software
package commonly used by web services to process images.


Impact

One of the reported vulnerabilities can potentially be exploited for remote code execution (RCE).


Releases

ImageMagick has not released a fix, but plans to publish a new version of ImageMagick with the fixes soon. cPanel normally releases all builds at once in order to limit the ability to reverse engineer fixes. However, this vulnerability is already widely known and we have seen reports of its use. In this instance, we plan to release builds as soon as they become available.

At this time the following builds are available:
11.56: 11.56.0.13
EDGE: 11.55.9999.193
CURRENT: 11.56.0.13
RELEASE: 11.56.0.13


How to determine if your server is up to date

The updated RPMs provided by cPanel will contain a changelog entry with a CVE number. To view this changelog entry run the following command:
rpm -q --changelog cpanel-ImageMagick | grep CVE-2016-3714

The output should resemble below:
- - - Apply workaround for CVE-2016-3714


What to do if you are not up to date

If your server is not running one of the above versions, update immediately.

To upgrade your server, navigate to WHM's Upgrade to Latest Version interface (Home >> cPanel >> Upgrade to Latest Version) and click 'Click to Upgrade'.

To upgrade cPanel from the command line run the following commands:
/scripts/upcp
/scripts/check_cpanel_rpms --fix --long-list

To verify the new cpanel-ImageMagick RPM was installed run the following command:
rpm -q --changelog cpanel-ImageMagick | grep CVE-2016-3714

The output should resemble the following:
- - - Apply workaround for CVE-2016-3714


Manual mitigation

We will publish builds for 11.54, 11.52 and 11.50 as soon as they become available. For 11.54, 11.52, and 11.50, you can manually mitigate this vulnerability with the following instructions.

Open the following file:
/usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml

Update the file to match the policy example below to disable the EPHEMERAL, URL, HTTPS, MVG, and MSL coders:
<policymap>
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
</policymap>


How to mitigate the vulnerability for other ImageMagick installations

If you have a local installation of ImageMagick, we recommend that you use a policy file to disable the vulnerable ImageMagick coders. We will attempt to use the WHM Autofixer to update the policy.xml file. The global policy for ImageMagick is usually found in the /etc/ImageMagick/policy.xml file. The following policy.xml example disables the coders EPHEMERAL, URL, HTTPS, MVG, and MSL:
<policymap>
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
</policymap>


CVE: CVE-2016-3714
Disclosure: ImageMagick Security Issue - ImageMagick

For the PGP-Signed version of this document please visit https://news.cpanel.com/wp-content/uploads/2016/05/imagemagick-announcement.signed-4.txt

For additional updates please follow our Knowledge Base article here:
CVE-2016-3714 ImageMagick - cPanel Knowledge Base - cPanel Documentation
 

sneader

Well-Known Member
For systems running CloudLinux, there are a couple other files that you will also need to change. See the CloudLinux blog for details at:

ImageMagick Filtering Vulnerability - CVE-2016-3714

Question for @cPanelCory -- I noticed that CloudLinux has a couple extra policymap lines -- what are your thoughts about adding those to the cPanel fix as well?

- Scott
 

mtindor

Well-Known Member
I noticed that the WHM 54 LTS update last night did install a new cpanel-ImageMagick RPM

[2016-05-05 01:30:16 -0400] Installing new rpms: cpanel-ImageMagick-6.9.0-4.cp1154.x86_64.rpm

rpm -q --changelog cpanel-ImageMagick | grep CVE-2016-3714
- Apply workaround for CVE-2016-3714

I had already modified my own policy files prior to this. Of course, the update didn't touch the CL-included ImageMagick policy file (and I wouldn't expect it to, I guess), and anyone running CloudLinux should follow CL's instructions on their blog for thoroughness (ImageMagick Filtering Vulnerability - CVE-2016-3714). CloudLinux instructs how/where to modify ALL applicable policy.xml files and actually disables more patterns than the cPanel instructions disable.

find / -name policy.xml -type f|xargs ls -alt
-rw-r--r-- 1 root root 2747 May 4 15:07 /opt/alt/alt-ImageMagick/etc/ImageMagick-6/policy.xml
-rw-r--r-- 1 root root 2747 May 4 15:07 /usr/share/cagefs-skeleton/opt/alt/alt-ImageMagick/etc/ImageMagick-6/policy.xml
-rw-r--r-- 1 root root 2778 May 3 22:16 /usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml

stat /opt/alt/alt-ImageMagick/etc/ImageMagick-6/policy.xml
File: `/opt/alt/alt-ImageMagick/etc/ImageMagick-6/policy.xml'
Size: 2747 Blocks: 8 IO Block: 4096 regular file
Device: 803h/2051d Inode: 13370477 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2016-05-04 15:20:32.872036362 -0400
Modify: 2016-05-04 15:07:09.731442395 -0400
Change: 2016-05-04 15:07:09.731442395 -0400

stat /usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml
File: `/usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml'
Size: 2778 Blocks: 8 IO Block: 4096 regular file
Device: 803h/2051d Inode: 7738665 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2016-05-05 01:30:33.517967565 -0400
Modify: 2016-05-03 22:16:47.000000000 -0400
Change: 2016-05-05 01:30:16.092004023 -0400

So, in summary:

1. is it safe to assume that since the update accessed-changed /usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml, that the reason why it didn't actually modify it is because it compared the contents and found the workaround already in those files?

2. CloudLinux suggests disabling two more coders as well as modifying additional CL-specific files and running cagefsctl --force-update. See this post:

ImageMagick Filtering Vulnerability - CVE-2016-3714

3. Redhat and ImageMagick suggest disabling more coders and adding another line.

But they appear to suggest that the "path" line addition is only something available in the latest ImageMagick versions and [I'm guessing] probably would not have any effect if policy.xml in older versions was edited further.

ImageMagick Security Issue - ImageMagick

ImageMagick Filtering Vulnerability - CVE-2016-3714 - Red Hat Customer Portal

So it's really hard to tell if people not running the latest ImageMagick should add the line.

I just thought I'd mention the Redhat / ImageMagick URLs since they both appear to have been updated since yesterday.

Mike
 

cPanelJackson

Release Manager
Staff member
This issue continues to evolve as new information rolls in. The coders we recommend to disable are effective against the payloads discovered initially, but it would be prudent to follow RedHat's recommendations since they have diverged from the original guidance.

It is also worth noting that RedHat has marked the CentOS5 ImageMagick package as "won't fix"; we therefore recommend you either remove the CentOS5 provided ImageMagick package or follow the mitigation steps listed in their security advisory:
ImageMagick Filtering Vulnerability - CVE-2016-3714 - Red Hat Customer Portal

If you manually modified /usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml it's likely the patch would have failed when you updated, and you will probably also get RPM verify failure notifications, but it will still have the desired mitigation impact.



We will provide additional information as necessary at the knowledge base article linked below:

CVE-2016-3714 ImageMagick - cPanel Knowledge Base - cPanel Documentation
 

Nirjonadda

Well-Known Member
I have updated cPanel to 56.0 (build 14), but Imagick is still compiled with ImageMagick version ImageMagick 6.7.2-7 2015-07-23 Q16
 

cPanelMichael

Administrator
Staff member
I have updated cPanel to 56.0 (build 14), but Imagick is still compiled with ImageMagick version ImageMagick 6.7.2-7 2015-07-23 Q16
Hello,

You can review the "How to determine if your server is up to date" section of the following document:

CVE-2016-3714 ImageMagick - cPanel Knowledge Base - cPanel Documentation

Please also see this quote from the earlier post to this thread:

How to mitigate the vulnerability for other ImageMagick installations

If you have a local installation of ImageMagick, we recommend that you use a policy file to disable the vulnerable ImageMagick coders. We will attempt to use the WHM Autofixer to update the policy.xml file. The global policy for ImageMagick is usually found in the /etc/ImageMagick/policy.xml file. The following policy.xml example disables the coders EPHEMERAL, URL, HTTPS, MVG, and MSL:
<policymap>
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
</policymap>
Thank you.
 

gryzli

Well-Known Member
Do you guys know any fixes for Centos 5.x based systems, which use ImageMagick 6.2.8, where policy.xml is not supported ?

[Update about the ImageMagick Vulnerability]

The guys from ImageTragick have updated the exclusion list you must enter in policy.xml. Here is the latest list:
Code:
<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>
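Added example, not from this thread, cPanel or ImageTragick: a small audit that parses a policy.xml with an XML parser (so commented-out entries are not counted, unlike a plain grep) and reports which coders it still allows, checked against both the five coders in the cPanel advisory and the longer list quoted above. The two sample policies are constructed; `audit_policy_file` and the other names are the example's own.

```python
import xml.etree.ElementTree as ET

# Coders the cPanel advisory disables, and the longer ImageTragick list
# quoted later in the thread. Both sets are taken from this page.
CPANEL_CODERS = frozenset({"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL"})
EXTENDED_CODERS = CPANEL_CODERS | {"TEXT", "SHOW", "WIN", "PLT"}

# Constructed sample: the minimal policy from the advisory.
ADVISORY_POLICY = """<policymap>
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
</policymap>"""

# Constructed sample: an unmitigated stock file with a DOCTYPE, a resource
# limit and a commented-out entry that a plain grep would wrongly count.
STOCK_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policymap [ <!ELEMENT policymap (policy)*> <!ELEMENT policy EMPTY> ]>
<policymap>
  <!-- <policy domain="coder" rights="none" pattern="MSL" /> -->
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>"""


def disabled_coders(policy_xml):
    """Coder patterns the policy denies outright (domain="coder", rights="none").
    Exact names only; brace-style patterns like {A,B} are not expanded."""
    root = ET.fromstring(policy_xml)
    denied = set()
    for pol in root.iter("policy"):
        if pol.get("domain") == "coder" and pol.get("rights") == "none":
            denied.add(pol.get("pattern", "").upper())
    return denied


def missing_coders(policy_xml, required=EXTENDED_CODERS):
    """Sorted required coders the policy still allows; [] means fully mitigated."""
    denied = disabled_coders(policy_xml)
    if "*" in denied:  # a wildcard deny covers every coder
        return []
    return sorted(set(required) - denied)


def audit_policy_file(path, required=EXTENDED_CODERS):
    """Run the check against a policy.xml on disk (any of the paths listed in this thread)."""
    with open(path, encoding="utf-8") as fh:
        return missing_coders(fh.read(), required)
```

Run `audit_policy_file` over every policy.xml found by the `find` command earlier in the thread; a non-empty result names the coders that file still permits.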
 

cPanelMichael

Administrator
Staff member
Do you guys know any fixes for Centos 5.x based systems, which use ImageMagick 6.2.8, where policy.xml is not supported ?
Hello,

I've moved your post into this thread. Here's a quote from a post above:

It is also worth noting that RedHat has marked the CentOS5 ImageMagick package as "won't fix", we therefore recommend you either remove the CentOS5 provided ImageMagick package or follow the mitigation steps listed in their security advisory:
ImageMagick Filtering Vulnerability - CVE-2016-3714 - Red Hat Customer Portal
Thank you.
 

rpvw

Well-Known Member
Seems that there is yet another issue that needs dealing with

blog.fuzzing-project.org/45-ImageMagick-heap-overflow-and-out-of-bounds-read.html
 