cPanel Security Team - CVE-2016-3714 ImageMagick

Discussion in 'cPanel Announcements' started by cPanelCory, May 4, 2016.

  1. cPanelCory

    cPanelCory Developer - cPanel Security Team
    Staff Member

    cPanel Security Team - CVE-2016-3714 ImageMagick


    Background Information

    On Tuesday, May 3 2016, ImageMagick announced a vulnerability in all versions of the ImageMagick software. ImageMagick is a software
    package commonly used by web services to process images.


    Impact

    One of the reported vulnerabilities can potentially be exploited for remote code execution (RCE).


    Releases

    ImageMagick has not released a fix, but plans to publish a new version of ImageMagick with the fixes soon. cPanel normally releases all builds at once in order to limit the ability to reverse engineer fixes. However, this vulnerability is already widely known and we have seen reports of its use. In this instance, we plan to release builds as soon as they become available.

    At this time the following builds are available:
    11.56 11.56.0.13
    EDGE 11.55.9999.193
    CURRENT 11.56.0.13
    RELEASE 11.56.0.13


    How to determine if your server is up to date

    The updated RPMs provided by cPanel will contain a changelog entry with a CVE number. To view this changelog entry run the following command:
    rpm -q --changelog cpanel-ImageMagick | grep CVE-2016-3714

    The output should resemble below:
    - - - Apply workaround for CVE-2016-3714


    What to do if you are not up to date

    If your server is not running one of the above versions, update immediately.

    To upgrade your server, navigate to WHM's Upgrade to Latest Version interface (Home >> cPanel >> Upgrade to Latest Version) and click 'Click to Upgrade'.

    To upgrade cPanel from the command line run the following commands:
    /scripts/upcp
    /scripts/check_cpanel_rpms --fix --long-list

    To verify the new cpanel-ImageMagick RPM was installed run the following command:
    rpm -q --changelog cpanel-ImageMagick | grep CVE-2016-3714

    The output should resemble the following:
    - - - Apply workaround for CVE-2016-3714


    Manual mitigation

    We will publish builds for 11.54, 11.52 and 11.50 as soon as they become available. For 11.54, 11.52, and 11.50, you can manually mitigate this vulnerability with the following instructions.

    Open the following file:
    /usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml

    Update the file to match the policy example below to disable the EPHEMERAL, URL, HTTPS, MVG, and MSL coders:
    <policymap>
    <policy domain="coder" rights="none" pattern="EPHEMERAL" />
    <policy domain="coder" rights="none" pattern="URL" />
    <policy domain="coder" rights="none" pattern="HTTPS" />
    <policy domain="coder" rights="none" pattern="MVG" />
    <policy domain="coder" rights="none" pattern="MSL" />
    </policymap>


    How to mitigate the vulnerability for other ImageMagick installations

    If you have a local installation of ImageMagick, we recommend that you use a policy file to disable the vulnerable ImageMagick coders. We will attempt to use the WHM Autofixer to update the policy.xml file. The global policy for ImageMagick is usually found in the /etc/ImageMagick/policy.xml file. The following policy.xml example disables the coders EPHEMERAL, URL, HTTPS, MVG, and MSL:
    <policymap>
    <policy domain="coder" rights="none" pattern="EPHEMERAL" />
    <policy domain="coder" rights="none" pattern="URL" />
    <policy domain="coder" rights="none" pattern="HTTPS" />
    <policy domain="coder" rights="none" pattern="MVG" />
    <policy domain="coder" rights="none" pattern="MSL" />
    </policymap>


    CVE: CVE - CVE-2016-3714
    Disclosure: ImageMagick Security Issue - ImageMagick

    For the PGP-Signed version of this document please visit https://news.cpanel.com/wp-content/uploads/2016/05/imagemagick-announcement.signed-4.txt

    For additional updates please follow our Knowledge Base article here:
    CVE-2016-3714 ImageMagick - cPanel Knowledge Base - cPanel Documentation
     
    #1 cPanelCory, May 4, 2016
    Last edited: May 5, 2016
    eva2000 likes this.
  2. sneader

    sneader Well-Known Member

    For systems running CloudLinux, there are a couple other files that you will also need to change. See the CloudLinux blog for details at:

    ImageMagick Filtering Vulnerability - CVE-2016-3714

    Question for @cPanelCory -- I noticed that CloudLinux has a couple extra policymap lines -- what are your thoughts about adding those to the cPanel fix as well?

    - Scott
     
    mtindor likes this.
  3. mtindor

    mtindor Well-Known Member

    I noticed that the WHM 54 LTS update last night did install a new cpanel-ImageMagick RPM

    [2016-05-05 01:30:16 -0400] Installing new rpms: cpanel-ImageMagick-6.9.0-4.cp1154.x86_64.rpm

    rpm -q --changelog cpanel-ImageMagick | grep CVE-2016-3714
    - Apply workaround for CVE-2016-3714

    I had already modified my own policy files prior to this. Of course, the update didn't touch the CL-included ImageMagick policy file (and I wouldn't expect it to, I guess), and anyone running CloudLinux should follow CL's instructions on their blog for thoroughness ( ImageMagick Filtering Vulnerability - CVE-2016-3714 ). CloudLinux instructs how/where to modify ALL applicable policy.xml files and actually disables more patterns than what the cPanel instructions disable.

    find / -name policy.xml -type f|xargs ls -alt
    -rw-r--r-- 1 root root 2747 May 4 15:07 /opt/alt/alt-ImageMagick/etc/ImageMagick-6/policy.xml
    -rw-r--r-- 1 root root 2747 May 4 15:07 /usr/share/cagefs-skeleton/opt/alt/alt-ImageMagick/etc/ImageMagick-6/policy.xml
    -rw-r--r-- 1 root root 2778 May 3 22:16 /usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml

    stat /opt/alt/alt-ImageMagick/etc/ImageMagick-6/policy.xml
    File: `/opt/alt/alt-ImageMagick/etc/ImageMagick-6/policy.xml'
    Size: 2747 Blocks: 8 IO Block: 4096 regular file
    Device: 803h/2051d Inode: 13370477 Links: 1
    Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
    Access: 2016-05-04 15:20:32.872036362 -0400
    Modify: 2016-05-04 15:07:09.731442395 -0400
    Change: 2016-05-04 15:07:09.731442395 -0400

    stat /usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml
    File: `/usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml'
    Size: 2778 Blocks: 8 IO Block: 4096 regular file
    Device: 803h/2051d Inode: 7738665 Links: 1
    Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
    Access: 2016-05-05 01:30:33.517967565 -0400
    Modify: 2016-05-03 22:16:47.000000000 -0400
    Change: 2016-05-05 01:30:16.092004023 -0400

    So, in summary:

    1. Is it safe to assume that since the update accessed-changed /usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml, that the reason why it didn't actually modify it is because it compared the contents and found the workaround already in those files?

    2. CloudLinux suggests disabling two more coders as well as modifying additional CL-specific files and running cagefsctl --force-update. See this post:

    ImageMagick Filtering Vulnerability - CVE-2016-3714

    3. Redhat and ImageMagick suggest disabling more coders and adding another line.

    But they appear to suggest that the "path" line addition is only something available in the latest ImageMagick versions and [I'm guessing] probably would not have any effect if policy.xml in older versions was edited further.

    ImageMagick Security Issue - ImageMagick

    ImageMagick Filtering Vulnerability - CVE-2016-3714 - Red Hat Customer Portal

    So it's really hard to tell if people not running the latest ImageMagick should add the line.

    I just thought I'd mention the Redhat / ImageMagick URLs since they both appear to have been updated since yesterday.

    Mike
     
    #3 mtindor, May 5, 2016
    Last edited: May 5, 2016
    eva2000 likes this.
  4. sneader

    sneader Well-Known Member

    eva2000 and mtindor like this.
  5. cPanelJackson

    cPanelJackson Product Owner - cPanel Security Team
    Staff Member

    This issue continues to evolve as new information rolls in. The coders we recommend to disable are effective against the payloads discovered initially, but it would be prudent to follow RedHat's recommendations since they have diverged from the original guidance.

    It is also worth noting that RedHat has marked the CentOS5 ImageMagick package as "won't fix"; we therefore recommend you either remove the CentOS5 provided ImageMagick package or follow the mitigation steps listed in their security advisory:
    ImageMagick Filtering Vulnerability - CVE-2016-3714 - Red Hat Customer Portal

    If you manually modified /usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml it's likely the patch would have failed when you updated, and you will probably also get RPM verify failure notifications, but it will still have the desired mitigation impact.



    We will provide additional information as necessary at the knowledge base article linked below:

    CVE-2016-3714 ImageMagick - cPanel Knowledge Base - cPanel Documentation
     
    eva2000 likes this.
  6. Nirjonadda

    Nirjonadda Well-Known Member

    How to update cpanel-ImageMagick to 6.9.0-4.cp1154?

    Code:
    [security] Fixed case CPANEL-5973: Update cpanel-ImageMagick to 6.9.0-4.cp1154.
     

  7. Nirjonadda

    Nirjonadda Well-Known Member

    I have updated cPanel to 56.0 (build 14) but Imagick is still compiled with ImageMagick version ImageMagick 6.7.2-7 2015-07-23 Q16
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    You can review the "How to determine if your server is up to date" section of the following document:

    CVE-2016-3714 ImageMagick - cPanel Knowledge Base - cPanel Documentation

    Please also see this quote from the earlier post to this thread:

    Thank you.
     
  9. gryzli

    gryzli Active Member

    Do you guys know any fixes for CentOS 5.x based systems, which use ImageMagick 6.2.8, where policy.xml is not supported?

    [Update about the ImageMagick Vulnerability]

    The guys from ImageTragick have updated the exclusion list you must enter in policy.xml. Here is the latest list:
    Code:
    <policymap>
      <policy domain="coder" rights="none" pattern="EPHEMERAL" />
      <policy domain="coder" rights="none" pattern="URL" />
      <policy domain="coder" rights="none" pattern="HTTPS" />
      <policy domain="coder" rights="none" pattern="MVG" />
      <policy domain="coder" rights="none" pattern="MSL" />
      <policy domain="coder" rights="none" pattern="TEXT" />
      <policy domain="coder" rights="none" pattern="SHOW" />
      <policy domain="coder" rights="none" pattern="WIN" />
      <policy domain="coder" rights="none" pattern="PLT" />
    </policymap>
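
The policy check implied by the first post's five-coder mitigation and by the updated nine-coder list above, as an added example that is not part of any post in this thread and is not cPanel's tooling. The function name `missing_coders` and the sample policy are constructed for illustration; the check only confirms that a `rights="none"` coder entry covers each name (patterns are matched as globs) and, unlike a plain grep, it does not count commented-out entries.

```python
import sys
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Coder lists quoted in this thread: the first post's five, then the updated nine.
CPANEL_CODERS = ["EPHEMERAL", "URL", "HTTPS", "MVG", "MSL"]
UPDATED_CODERS = CPANEL_CODERS + ["TEXT", "SHOW", "WIN", "PLT"]

# Constructed sample: the first post's policy plus a commented-out TEXT entry.
SAMPLE = """<policymap>
  <!-- <policy domain="coder" rights="none" pattern="TEXT" /> -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>"""


def missing_coders(policy_xml, required=UPDATED_CODERS):
    """Return the required coders that no rights="none" coder policy covers.

    policy_xml is the file content (str or bytes). The XML parser discards
    comments, so a commented-out entry does not count as a mitigation.
    """
    root = ET.fromstring(policy_xml)
    denied = [
        p.get("pattern", "")
        for p in root.iter("policy")
        if p.get("domain", "").lower() == "coder"
        and p.get("rights", "").lower() == "none"
    ]
    # Patterns are globs, so pattern="*" covers every coder.
    return [c for c in required if not any(fnmatchcase(c, pat) for pat in denied)]


if __name__ == "__main__":
    # Usage: python3 check_policy.py /path/to/policy.xml [more files ...]
    for path in sys.argv[1:]:
        try:
            with open(path, "rb") as fh:
                gaps = missing_coders(fh.read())
        except (OSError, ET.ParseError) as exc:
            print(f"{path}: cannot check ({exc})")
            continue
        print(f"{path}: " + ("OK" if not gaps else "missing " + ", ".join(gaps)))
```

Run it against every policy.xml on the server, since the `find` output earlier in the thread shows CloudLinux systems carrying more than one.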
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    I've moved your post into this thread. Here's a quote from a post above:

    Thank you.
     
  11. gryzli

    gryzli Active Member

  12. rpvw

    rpvw Well-Known Member

    Seems that there is yet another issue that needs dealing with

    blog.fuzzing-project.org/45-ImageMagick-heap-overflow-and-out-of-bounds-read.html
     
    #12 rpvw, May 11, 2016
    Last edited by a moderator: May 11, 2016