Security ImageMagick vulnerabilities CVE-2016-3714 (imagetragick) active exploitation confirmed

Discussion in 'CentOS, Redhat & Oracle Linux News' started by Revenge, May 4, 2016.

  1. Revenge

    Revenge Active Member

  2. pamamolf

    pamamolf Premium Member

    Is it patched on latest versions?

    Does a yum update keep us safe?
     
  3. Revenge

    Not yet, I think.
     
  4. eva2000

    eva2000 Administrator Staff Member

    Update: for Centmin Mod LEMP users, yum has an update for the fixed ImageMagick 6.9.3-10 version of the system package - see details here

    Following the instructions at "ImageMagick Security Issue - ImageMagick" should be sufficient - updated by Redhat to extend the policy.xml at "Security - ImageMagick vulnerabilities place countless websites at risk, active exploitation confirmed | Page 2 | Centmin Mod Community" :)

    before
    Code (Text):
    convert -list policy
    
    Path: /etc/ImageMagick-last/ImageMagick-6/policy.xml
      Policy: Unrecognized
        rights: None
    
    Path: [built-in]
      Policy: Undefined
        rights: None 

    after editing /etc/ImageMagick-last/ImageMagick-6/policy.xml
    Code (Text):
    convert -list policy                                        
    Path: /etc/ImageMagick-last/ImageMagick-6/policy.xml
      Policy: Unrecognized
        rights: None
      Policy: Coder
        rights: None
        pattern: EPHEMERAL
      Policy: Coder
        rights: None
        pattern: HTTPS
      Policy: Coder
        rights: None
        pattern: HTTP
      Policy: Coder
        rights: None
        pattern: URL
      Policy: Coder
        rights: None
        pattern: FTP
      Policy: Coder
        rights: None
        pattern: MVG
      Policy: Coder
        rights: None
        pattern: MSL
      Policy: Coder
        rights: None
        pattern: TEXT
      Policy: Coder
        rights: None
        pattern: LABEL
      Policy: Path
        rights: None
        pattern: @*
    
    Path: [built-in]
      Policy: Undefined
        rights: None
    


    and fixed ImageMagick 6.9.3-10
    Code (Text):
    php --ri imagick
    
    imagick
    
    imagick module => enabled
    imagick module version => 3.4.2
    imagick classes => Imagick, ImagickDraw, ImagickPixel, ImagickPixelIterator, ImagickKernel
    Imagick compiled with ImageMagick version => ImageMagick 6.9.3-10 Q16 x86_64 2016-05-04 http://www.imagemagick.org
    Imagick using ImageMagick library version => ImageMagick 6.9.3-10 Q16 x86_64 2016-05-04 http://www.imagemagick.org
    ImageMagick copyright => Copyright (C) 1999-2016 ImageMagick Studio LLC
    ImageMagick release date => 2016-05-04
    ImageMagick number of supported formats:  => 225
    ImageMagick supported formats => 3FR, AAI, AI, ART, ARW, AVI, AVS, BGR, BGRA, BGRO, BIE, BMP, BMP2, BMP3, BRF, CAL, CALS, CANVAS, CAPTION, CIN, CIP, CLIP, CMYK, CMYKA, CR2, CRW, CUR, CUT, DATA, DCM, DCR, DCX, DDS, DFONT, DNG, DOT, DPX, DXT1, DXT5, EPDF, EPI, EPS, EPS2, EPS3, EPSF, EPSI, EPT, EPT2, EPT3, ERF, EXR, FAX, FITS, FRACTAL, FTS, G3, GIF, GIF87, GRADIENT, GRAY, GROUP4, GV, H, HALD, HDR, HISTOGRAM, HRZ, HTM, HTML, ICB, ICO, ICON, IIQ, INFO, INLINE, IPL, ISOBRL, ISOBRL6, JBG, JBIG, JNG, JNX, JPE, JPEG, JPG, JPS, JSON, K25, KDC, LABEL, M2V, M4V, MAC, MAGICK, MAP, MASK, MAT, MATTE, MEF, MIFF, MKV, MNG, MONO, MOV, MP4, MPC, MPEG, MPG, MRW, MSL, MSVG, MTV, MVG, NEF, NRW, NULL, ORF, OTB, OTF, PAL, PALM, PAM, PANGO, PATTERN, PBM, PCD, PCDS, PCL, PCT, PCX, PDB, PDF, PDFA, PEF, PES, PFA, PFB, PFM, PGM, PICON, PICT, PIX, PJPEG, PLASMA, PNG, PNG00, PNG24, PNG32, PNG48, PNG64, PNG8, PNM, PPM, PREVIEW, PS, PS2, PS3, PSB, PSD, PTIF, PWP, RADIAL-GRADIENT, RAF, RAS, RAW, RGB, RGBA, RGBO, RGF, RLA, RLE, RMF, RW2, SCR, SCT, SFW, SGI, SHTML, SIX, SIXEL, SPARSE-COLOR, SR2, SRF, STEGANO, SUN, SVG, SVGZ, TEXT, TGA, THUMBNAIL, TIFF, TIFF64, TILE, TIM, TTC, TTF, TXT, UBRL, UBRL6, UIL, UYVY, VDA, VICAR, VID, VIFF, VIPS, VST, WBMP, WEBP, WMF, WMV, WMZ, WPG, X, X3F, XBM, XC, XCF, XPM, XPS, XV, XWD, YCbCr, YCbCrA, YUV
    
    Directive => Local Value => Master Value
    imagick.locale_fix => 0 => 0
    imagick.skip_version_check => 0 => 0
    imagick.progress_monitor => 0 => 0
    
     
    Last edited: May 11, 2016
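
Added example (not part of the original thread and not Centmin Mod's own code): a small check that reads `convert -list policy` output and reports which of the deny rules from the "after" listing above are still missing. The function names and the partial sample listing are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit `convert -list policy` output for the deny rules
# shown in the "after" listing above. Function names are hypothetical.

# Coder patterns the edited policy.xml denies (taken from that listing).
REQUIRED_CODERS="EPHEMERAL HTTPS HTTP URL FTP MVG MSL TEXT LABEL"

# Reads a policy listing on stdin; prints one line per required rule that
# is absent or whose rights are not "None". Prints nothing when all are set.
# Assumes the Policy / rights / pattern line order shown in the thread.
missing_policies() {
  awk -v want="$REQUIRED_CODERS" '
    $1 == "Policy:"  { domain = $2; rights = ""; next }
    $1 == "rights:"  { rights = $2; next }
    $1 == "pattern:" { if (rights == "None") denied[domain ":" $2] = 1; next }
    END {
      n = split(want, coders, " ")
      for (i = 1; i <= n; i++) {
        key = "Coder:" coders[i]
        if (!(key in denied)) print "Coder " coders[i]
      }
      if (!("Path:@*" in denied)) print "Path @*"
    }'
}

# Constructed sample: a half-edited policy where only URL and the @* path
# rule are denied and MVG was left readable.
sample_partial_policy() {
  cat <<'EOF'
Path: /etc/ImageMagick-last/ImageMagick-6/policy.xml
  Policy: Coder
    rights: None
    pattern: URL
  Policy: Coder
    rights: Read
    pattern: MVG
  Policy: Path
    rights: None
    pattern: @*
EOF
}

# Demo on the sample; on a real host: convert -list policy | missing_policies
sample_partial_policy | missing_policies
```

Empty output means every rule from the listing is in effect; any printed line names a rule to add to policy.xml.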
  5. pamamolf

    Patch will be released on the weekend, as I can read....

    A simple yum update will catch it when it is out?
     
  6. eva2000

    Not yet

    after the file edit above and yum update to fixed version when it is released, run centmin.sh menu option 15 to recompile imagick php extension too
    Code (Text):
    --------------------------------------------------------
    Centmin Mod 1.2.3-eva2000.09 - http://centminmod.com
    --------------------------------------------------------
                       Centmin Mod Menu                   
    --------------------------------------------------------
    1).  Centmin Install
    2).  Add Nginx vhost domain
    3).  NSD setup domain name DNS
    4).  Nginx Upgrade / Downgrade
    5).  PHP Upgrade / Downgrade
    6).  XCache Re-install
    7).  APC Cache Re-install
    8).  XCache Install
    9).  APC Cache Install
    10). Memcached Server Re-install
    11). MariaDB 5.2/5.5 & 10.x Upgrade Sub-Menu
    12). Zend OpCache Install/Re-install
    13). Install ioping.sh vbtechsupport.com/1239/
    14). SELinux disable
    15). Install/Reinstall ImagicK PHP Extension
    16). Change SSHD Port Number
    17). Multi-thread compression: pigz,pbzip2,lbzip2...
    18). Suhosin PHP Extension install
    19). Install FFMPEG and FFMPEG PHP Extension
    20). NSD Re-install
    21). Update - Nginx + PHP-FPM + Siege
    22). Add Wordpress Nginx vhost + Cache Plugin
    23). Update Centmin Mod Code Base
    24). Exit
    --------------------------------------------------------
    Enter option [ 1 - 24 ] 15
    --------------------------------------------------------
     
  7. pamamolf

    After the file edit above, do I have to recompile it so the changes will be activated?
     
  8. eva2000

    I'd recompile as imagemagick system package as remi had an update recently too - should auto update when you run centmin.sh menu option 15
     
    Last edited: May 4, 2016
  9. eva2000

    nice read

    Already deployed workaround on all my servers + all my paying clients' servers :)
     
    Last edited: May 4, 2016
  10. Shaiffulnizam Mohamad

    Shaiffulnizam Mohamad New Member

    Tq Eva, already patching my server too.
     
  11. Matt

    Matt Well-Known Member

    All fun and games!
     
  12. deltahf

    deltahf Premium Member

    Thanks guys. Just patched my server as well. I'll keep an eye out for the updates this weekend.

    I've always been suspicious of these image manipulation libraries... they seem like such ripe targets. I'd say this exploit will be heavily abused for a long time to come. :(
     
  13. pamamolf

    I also did the edit and recompile, but as I can read there may be more security issues in ImageMagick..... :(

    So we must keep a close eye on it....
     
  14. deltahf

    To be safe, I'd recommend switching any XenForo installations over to the PHP GD image library for now.

    It's in Options -> Attachments in the XenForo admin panel. I've always used the GD library and it has worked well for me.

     
  15. eva2000

    read oss-security - Re: ImageMagick Is On Fire -- CVE-2016-3714

    already did here :D
     
  16. Matt

    I was already using GD. I don't see any need to use imagick unless you are running XFMG.
     
  17. pamamolf

    Is there any related setting to use GD on IPB also?

    What is IPB using by default?
     
  18. deltahf

    Yeah, even then, I believe it's only required if you want to use the watermarking feature.
     
  19. Revenge

    I have changed my sites from using ImageMagick to GD. I will only change it back when the new version is released.
     
  20. Revenge

    IPB default is GD. But I was using ImageMagick. We can change it in the ACP.
