Want more timely Centmin Mod News Updates?
Become a Member

Security ImageMagick vulnerabilities CVE-2016-3714 (imagetragick) active exploitation confirmed

Discussion in 'CentOS, Redhat & Oracle Linux News' started by Revenge, May 4, 2016.

  1. Revenge

    Revenge Active Member

    289
    64
    28
    Feb 21, 2016
    Portugal
    Ratings:
    +228
    Local Time:
    3:38 AM
    1.9.x
    10.1.x
  2. pamamolf

    pamamolf Well-Known Member

    2,817
    249
    63
    May 31, 2014
    Ratings:
    +443
    Local Time:
    5:38 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    Is it patched on latest versions?

    Does a yum update keep us safe?
     
  3. Revenge

    Revenge Active Member

    289
    64
    28
    Feb 21, 2016
    Portugal
    Ratings:
    +228
    Local Time:
    3:38 AM
    1.9.x
    10.1.x
    Not yet i think.
     
  4. eva2000

    eva2000 Administrator Staff Member

    30,839
    6,903
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,393
    Local Time:
    1:38 PM
    Nginx 1.13.x
    MariaDB 5.5
    Update: for Centmin Mod LEMP users, yum has update for fixed ImageMagick 6.9.3-10 version of the system package - see details here

    Follow instructions at ImageMagick Security Issue - ImageMagick should be sufficient - updated by Redhat to extend the policy.xml at Security - ImageMagick vulnerabilities place countless websites at risk, active exploitation confirmed | Page 2 | Centmin Mod Community :)

    before
    Code (Text):
    convert -list policy
    
    Path: /etc/ImageMagick-last/ImageMagick-6/policy.xml
      Policy: Unrecognized
        rights: None
    
    Path: [built-in]
      Policy: Undefined
        rights: None 

    after editing /etc/ImageMagick-last/ImageMagick-6/policy.xml
    Code (Text):
    convert -list policy                                        
    Path: /etc/ImageMagick-last/ImageMagick-6/policy.xml
      Policy: Unrecognized
        rights: None
      Policy: Coder
        rights: None
        pattern: EPHEMERAL
      Policy: Coder
        rights: None
        pattern: HTTPS
      Policy: Coder
        rights: None
        pattern: HTTP
      Policy: Coder
        rights: None
        pattern: URL
      Policy: Coder
        rights: None
        pattern: FTP
      Policy: Coder
        rights: None
        pattern: MVG
      Policy: Coder
        rights: None
        pattern: MSL
      Policy: Coder
        rights: None
        pattern: TEXT
      Policy: Coder
        rights: None
        pattern: LABEL
      Policy: Path
        rights: None
        pattern: @*
    
    Path: [built-in]
      Policy: Undefined
        rights: None
    


    and fixed ImageMagick 6.9.3-10
    Code (Text):
    php --ri imagick
    
    imagick
    
    imagick module => enabled
    imagick module version => 3.4.2
    imagick classes => Imagick, ImagickDraw, ImagickPixel, ImagickPixelIterator, ImagickKernel
    Imagick compiled with ImageMagick version => ImageMagick 6.9.3-10 Q16 x86_64 2016-05-04 http://www.imagemagick.org
    Imagick using ImageMagick library version => ImageMagick 6.9.3-10 Q16 x86_64 2016-05-04 http://www.imagemagick.org
    ImageMagick copyright => Copyright (C) 1999-2016 ImageMagick Studio LLC
    ImageMagick release date => 2016-05-04
    ImageMagick number of supported formats:  => 225
    ImageMagick supported formats => 3FR, AAI, AI, ART, ARW, AVI, AVS, BGR, BGRA, BGRO, BIE, BMP, BMP2, BMP3, BRF, CAL, CALS, CANVAS, CAPTION, CIN, CIP, CLIP, CMYK, CMYKA, CR2, CRW, CUR, CUT, DATA, DCM, DCR, DCX, DDS, DFONT, DNG, DOT, DPX, DXT1, DXT5, EPDF, EPI, EPS, EPS2, EPS3, EPSF, EPSI, EPT, EPT2, EPT3, ERF, EXR, FAX, FITS, FRACTAL, FTS, G3, GIF, GIF87, GRADIENT, GRAY, GROUP4, GV, H, HALD, HDR, HISTOGRAM, HRZ, HTM, HTML, ICB, ICO, ICON, IIQ, INFO, INLINE, IPL, ISOBRL, ISOBRL6, JBG, JBIG, JNG, JNX, JPE, JPEG, JPG, JPS, JSON, K25, KDC, LABEL, M2V, M4V, MAC, MAGICK, MAP, MASK, MAT, MATTE, MEF, MIFF, MKV, MNG, MONO, MOV, MP4, MPC, MPEG, MPG, MRW, MSL, MSVG, MTV, MVG, NEF, NRW, NULL, ORF, OTB, OTF, PAL, PALM, PAM, PANGO, PATTERN, PBM, PCD, PCDS, PCL, PCT, PCX, PDB, PDF, PDFA, PEF, PES, PFA, PFB, PFM, PGM, PICON, PICT, PIX, PJPEG, PLASMA, PNG, PNG00, PNG24, PNG32, PNG48, PNG64, PNG8, PNM, PPM, PREVIEW, PS, PS2, PS3, PSB, PSD, PTIF, PWP, RADIAL-GRADIENT, RAF, RAS, RAW, RGB, RGBA, RGBO, RGF, RLA, RLE, RMF, RW2, SCR, SCT, SFW, SGI, SHTML, SIX, SIXEL, SPARSE-COLOR, SR2, SRF, STEGANO, SUN, SVG, SVGZ, TEXT, TGA, THUMBNAIL, TIFF, TIFF64, TILE, TIM, TTC, TTF, TXT, UBRL, UBRL6, UIL, UYVY, VDA, VICAR, VID, VIFF, VIPS, VST, WBMP, WEBP, WMF, WMV, WMZ, WPG, X, X3F, XBM, XC, XCF, XPM, XPS, XV, XWD, YCbCr, YCbCrA, YUV
    
    Directive => Local Value => Master Value
    imagick.locale_fix => 0 => 0
    imagick.skip_version_check => 0 => 0
    imagick.progress_monitor => 0 => 0
    
     
    Last edited: May 11, 2016
    • Informative Informative x 2
  5. pamamolf

    pamamolf Well-Known Member

    2,817
    249
    63
    May 31, 2014
    Ratings:
    +443
    Local Time:
    5:38 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    Patch will be release on the weekend as i can read....

    A simple yum update will catch it when is out?
     
  6. eva2000

    eva2000 Administrator Staff Member

    30,839
    6,903
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,393
    Local Time:
    1:38 PM
    Nginx 1.13.x
    MariaDB 5.5
    Not yet

    after the file edit above and yum update to fixed version when it is released, run centmin.sh menu option 15 to recompile imagick php extension too
    Code (Text):
    --------------------------------------------------------
    Centmin Mod 1.2.3-eva2000.09 - http://centminmod.com
    --------------------------------------------------------
                       Centmin Mod Menu                   
    --------------------------------------------------------
    1).  Centmin Install
    2).  Add Nginx vhost domain
    3).  NSD setup domain name DNS
    4).  Nginx Upgrade / Downgrade
    5).  PHP Upgrade / Downgrade
    6).  XCache Re-install
    7).  APC Cache Re-install
    8).  XCache Install
    9).  APC Cache Install
    10). Memcached Server Re-install
    11). MariaDB 5.2/5.5 & 10.x Upgrade Sub-Menu
    12). Zend OpCache Install/Re-install
    13). Install ioping.sh vbtechsupport.com/1239/
    14). SELinux disable
    15). Install/Reinstall ImagicK PHP Extension
    16). Change SSHD Port Number
    17). Multi-thread compression: pigz,pbzip2,lbzip2...
    18). Suhosin PHP Extension install
    19). Install FFMPEG and FFMPEG PHP Extension
    20). NSD Re-install
    21). Update - Nginx + PHP-FPM + Siege
    22). Add Wordpress Nginx vhost + Cache Plugin
    23). Update Centmin Mod Code Base
    24). Exit
    --------------------------------------------------------
    Enter option [ 1 - 24 ] 15
    --------------------------------------------------------
     
    • Informative Informative x 2
  7. pamamolf

    pamamolf Well-Known Member

    2,817
    249
    63
    May 31, 2014
    Ratings:
    +443
    Local Time:
    5:38 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    After the file edit above do i have to recompile it so the changes will be activated?
     
  8. eva2000

    eva2000 Administrator Staff Member

    30,839
    6,903
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,393
    Local Time:
    1:38 PM
    Nginx 1.13.x
    MariaDB 5.5
    i'd recompile as imagemagick system package as remi had an update recently too - should auto update when you run centmin.sh menu option 15
     
    Last edited: May 4, 2016
    • Like Like x 1
    • Informative Informative x 1
  9. eva2000

    eva2000 Administrator Staff Member

    30,839
    6,903
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,393
    Local Time:
    1:38 PM
    Nginx 1.13.x
    MariaDB 5.5
    nice read

    Already deployed workaround on all my servers + all my paying clients' servers :)
     
    Last edited: May 4, 2016
    • Like Like x 1
  10. Shaiffulnizam Mohamad

    Shaiffulnizam Mohamad New Member

    29
    8
    3
    Jun 6, 2014
    Ratings:
    +9
    Local Time:
    11:38 AM
    1.7.0
    5.5
    Tq Eva, already patching my server too.
     
    • Like Like x 1
  11. Matt

    Matt Moderator Staff Member

    697
    322
    63
    May 25, 2014
    Sheffield, UK
    Ratings:
    +449
    Local Time:
    3:38 AM
    1.7.1
    MariaDB 10
    All fun and games!
     
    • Agree Agree x 1
  12. deltahf

    deltahf Active Member

    216
    104
    43
    Jun 8, 2014
    Ratings:
    +161
    Local Time:
    10:38 PM
    Thanks guys. Just patched my server as well. I'll keep an eye out for the updates this weekend.

    I've always been suspicious of these image manipulation libraries... they seem like such ripe targets. I'd say this exploit will be heavily abused for a long time to come. :(
     
    • Like Like x 1
  13. pamamolf

    pamamolf Well-Known Member

    2,817
    249
    63
    May 31, 2014
    Ratings:
    +443
    Local Time:
    5:38 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    I did also the edit and recompile but as i can read they may be more security issues on the Imagemagick..... :(

    So we must keep a close eye on it....
     
  14. deltahf

    deltahf Active Member

    216
    104
    43
    Jun 8, 2014
    Ratings:
    +161
    Local Time:
    10:38 PM
    To be safe, I'd recommend switching any XenForo installations over to the PHP GD image library for now.

    It's in Options -> Attachments in the XenForo admin panel. I've always used the GD library and it has worked well for me.

    Screen Shot 2016-05-04 at 1.10.12 AM.png
     
    • Informative Informative x 1
  15. eva2000

    eva2000 Administrator Staff Member

    30,839
    6,903
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,393
    Local Time:
    1:38 PM
    Nginx 1.13.x
    MariaDB 5.5
    read oss-security - Re: ImageMagick Is On Fire -- CVE-2016-3714

    already did here :D
     
    • Like Like x 1
  16. Matt

    Matt Moderator Staff Member

    697
    322
    63
    May 25, 2014
    Sheffield, UK
    Ratings:
    +449
    Local Time:
    3:38 AM
    1.7.1
    MariaDB 10
    I was already using GD. I don't see any need to use imagick unless you are running XFMG.
     
    • Like Like x 1
  17. pamamolf

    pamamolf Well-Known Member

    2,817
    249
    63
    May 31, 2014
    Ratings:
    +443
    Local Time:
    5:38 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    Is there any related setting to use GD on IPB also?

    What IPB is using by default?
     
  18. deltahf

    deltahf Active Member

    216
    104
    43
    Jun 8, 2014
    Ratings:
    +161
    Local Time:
    10:38 PM
    Yeah, even then, I believe it's only required if you want to use the watermarking feature.
     
    • Informative Informative x 1
  19. Revenge

    Revenge Active Member

    289
    64
    28
    Feb 21, 2016
    Portugal
    Ratings:
    +228
    Local Time:
    3:38 AM
    1.9.x
    10.1.x
    I have changed my sites from using ImageMagick to GD. I will only change it back, when the new version is released.
     
    • Like Like x 1
  20. Revenge

    Revenge Active Member

    289
    64
    28
    Feb 21, 2016
    Portugal
    Ratings:
    +228
    Local Time:
    3:38 AM
    1.9.x
    10.1.x
    IPB Default is GD. But i was using ImageMagick. We can change it in the ACP.

    [​IMG]
     
    • Informative Informative x 2