Security ImageMagick vulnerabilities CVE-2016-3714 (imagetragick) active exploitation confirmed

Discussion in 'CentOS, Redhat & Oracle Linux News' started by Revenge, May 4, 2016.

  1. eva2000

    eva2000 Administrator Staff Member

    what's the output for
    Code (Text):
    convert -list policy

    Code (Text):
    php --ri imagick

    Code (Text):
    yum list ImageMagick-last*  --enablerepo=remi --disableplugin=priorities -q
    


     
  2. trxerz

    trxerz Member

    Forget it, my bad, the policy.xml got overwritten after yum update :banghead:
     
  3. eva2000

    eva2000 Administrator Staff Member

    latest centmin.sh menu option 15 for 123.09beta01 auto reapplies the policy.xml fixes when run for updates, as does 123.08stable :)

    so update centmin mod code via centmin.sh menu option 23 submenu option 2
     
  4. trxerz

    trxerz Member

    So, when the auto yum nightly update runs, will policy.xml be overwritten again?
    Should I run option 23 Update Centmin Mod Code Base?
     
  5. eva2000

    eva2000 Administrator Staff Member

    yes, centmin.sh menu option 23 submenu option 2 to update the code base first - usually I do that before running any menu options to ensure I'm on the latest code first

    but yum updates may overwrite policy.xml, not sure as I haven't had an update for it to verify - did yours overwrite? With 123.09beta01, whenever you run centmin.sh it auto checks policy.xml and reapplies the fixes silently too :)
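
A worked version of the check behind `convert -list policy` (post 1) and of the "reapply the policy.xml fixes" step (posts 3 and 5). This is an added illustration, not Centmin Mod's own code: it looks for the nine coder rules the ImageTragick advisory recommends disabling (EPHEMERAL, URL, HTTPS, MVG, MSL, TEXT, SHOW, WIN, PLT) in a policy.xml and appends whichever are missing. The sample policy.xml is constructed, and the path /etc/ImageMagick/policy.xml in the comments is an assumption; use the Path line that `convert -list policy` prints on your own host.

```shell
#!/bin/sh
# Added example, not Centmin Mod's own code: check an ImageMagick policy.xml
# for the coder restrictions the ImageTragick (CVE-2016-3714) advisory
# recommends, and append any that are missing. Path handling is an
# assumption: pass the file that `convert -list policy` reports as its Path.

# Coders the advisory says to disable via policy.xml.
IMAGETRAGICK_CODERS="EPHEMERAL URL HTTPS MVG MSL TEXT SHOW WIN PLT"

# Print the coders from that list that have no rights="none" rule in $1.
# Attribute order inside a <policy> tag can vary, so match each attribute
# separately on the same line rather than one fixed string.
policy_missing_coders() {
    file="$1"
    missing=""
    for coder in $IMAGETRAGICK_CODERS; do
        if ! grep -E '<policy[^>]*domain="coder"' "$file" \
                | grep -E 'rights="none"' \
                | grep -qE "pattern=\"$coder\""; then
            missing="$missing $coder"
        fi
    done
    echo "${missing# }"
}

# Append the missing rules just above </policymap>, so the file stays a
# valid policymap and re-running after an update is idempotent.
policy_apply_fix() {
    file="$1"
    missing=$(policy_missing_coders "$file")
    [ -n "$missing" ] || return 0
    tmp="$file.tmp.$$"
    awk -v coders="$missing" '
        /<\/policymap>/ {
            n = split(coders, c, " ")
            for (i = 1; i <= n; i++)
                printf "  <policy domain=\"coder\" rights=\"none\" pattern=\"%s\" />\n", c[i]
        }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Constructed sample: a policy.xml carrying only part of the list, the state
# a package update can leave behind when it replaces the hardened file.
write_sample_policy() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
</policymap>
EOF
}

# Stand-alone demo on the constructed sample. On a real host run e.g.
#   policy_missing_coders /etc/ImageMagick/policy.xml   (path is an assumption)
sample=$(mktemp)
write_sample_policy "$sample"
echo "missing before fix: $(policy_missing_coders "$sample")"
policy_apply_fix "$sample"
echo "missing after fix:  '$(policy_missing_coders "$sample")'"
rm -f "$sample"
```

Because rules are appended only when absent, `policy_apply_fix` can be run after every yum update, or from cron, without duplicating entries, which is the same idea as Centmin Mod re-checking the file on each centmin.sh run. To see whether a package update is what clobbered the file, `rpm -qc <package>` lists the files a package treats as configuration and `rpm -V <package>` reports whether your copy differs from the packaged one.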
     
  6. trxerz

    trxerz Member

    I've no idea about it, but it got overwritten once I ran
    Code:
    yum -y update --enablerepo=remi --disableplugin=priorities
    Any links about how to safely update to 123.09beta01 from 123.08stable?
     
  7. eva2000

    eva2000 Administrator Staff Member

    centmin.sh menu option 23 submenu option 3, see the 1st post at Beta Branch - Centmin Mod .09 beta branch Testing | Centmin Mod Community

    and links below

    Upgrading Centmin Mod Code to Latest Version



    Getting Started Guide step 19 outlines also how to keep Centmin Mod code updated or how to switch version branches.

    Centmin Mod LEMP stack's script code is constantly updated for improvements, bug fixes and security fixes, so keeping the Centmin Mod code up to date is important. With Centmin Mod 1.2.3-eva2000.08 (123.08stable) and higher releases, a newly added centmin.sh menu option 23 allows much easier code updates and version branch switching via a Git-backed environment you can set up. For full details read the following links:
    Upgrading Centmin Mod involves 2 parts.
    1. Upgrading the actual Centmin Mod code, outlined at Upgrade Centmin Mod. This is the heart of Centmin Mod, where the code is the engine that runs the centmin.sh shell based menu and all the automation you're accustomed to. You can easily update within a Centmin Mod version branch or switch version branches via centmin.sh menu option 23 outlined here.
    2. Upgrade software that Centmin Mod installed or manages. For this part following outline at How to upgrade Centmin Mod software installed on your server.
    So essentially, you can upgrade from .07 to .08 in place, but not everything is upgraded as some things like server initial environment setup isn't changed i.e. how swap, tmp setup and allocation are created etc. The main parts from part 2 above are what in place upgrades do i.e. Nginx and PHP-FPM compilation and config/settings parameters and MariaDB version from 5.5 to 10.0.x. If you want the full environment changed including tmp and swap setup to .08's configuration, then you would need a fresh OS install and fresh .08 initial install. You can think of it like upgrading Windows 7 to Windows 8. An in place upgrade will upgrade code but won't change your computer environment from when you installed Windows 7 i.e. disk configuration and partition sizes won't change from when you initially installed Windows 7. Only way to change that would be fresh Windows 8 install.
     
  8. BobbyWibowo

    BobbyWibowo Active Member

    Code (Text):
    ./test.sh
    testing read
    SAFE
    
    testing delete
    SAFE
    
    testing http with local port: 46016
    SAFE
    
    testing http with nonce: HNHNZY4F
    SAFE
    
    testing rce1
    SAFE
    
    testing rce2
    SAFE
    
    testing MSL
    SAFE
    Tried the PoCs. Seemed to be working properly ;)
     
  9. trxerz

    trxerz Member

    I forgot to update the code base first (option 2) and went straight to option 3. Is it OK?

    Should I uninstall yum-cron to prevent policy.xml being overwritten when Imagick is updated?
     
  10. BobbyWibowo

    BobbyWibowo Active Member

    @trxerz I believe you can exclude certain packages from yum cron. If I remember correctly, I had excluded ImageMagick from yum cron, for some reason.
     
  11. trxerz

    trxerz Member

    Hello Bob,
    I've no idea about it, can you show me any links? Especially on how to exclude Imagick.
     
    Last edited: May 7, 2016
  12. BobbyWibowo

    BobbyWibowo Active Member

    @trxerz I did it a couple months ago, so I can't really remember where I found the info.
    But here's what I have in yum-cron-hourly.conf and yum-cron.conf:
    Code (Text):
    ...
    [base]
    # This section overrides yum.conf
    exclude = ImageMagick*
    ...

    I'm not really sure what [...] does in the config file. But to be safe, just add it after [base], I suppose.

    FYI, I've set yum-cron.conf not to download or apply updates and yum-cron-hourly.conf to always download and apply "default" updates (as opposed to its default, "security" updates only). So it should check updates every hour, but so far there's no issue with policy.xml.
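
An added example, not yum-cron's or Centmin Mod's code, that reads a yum-cron configuration file the way the post above describes it and answers the two questions raised in posts 9 to 12: does this file make yum-cron apply updates on its own, and does its [base] exclude keep ImageMagick out of them. The sample configuration is constructed in the layout of yum-cron-hourly.conf; the /etc/yum/yum-cron-hourly.conf path in the comments and the ImageMagick-last package name (from the remi commands earlier in the thread) are assumptions.

```shell
#!/bin/sh
# Added example, not yum-cron's or Centmin Mod's own code: read a yum-cron
# configuration file and report whether it applies updates automatically
# and whether an ImageMagick package is excluded from them.

# Print the value of key $3 in INI section $2 of file $1 (nothing if unset).
# yum-cron.conf is "key = value" lines under [section] headers; [base]
# holds yum.conf overrides such as "exclude", [commands] the cron behaviour.
ini_get() {
    awk -v want_section="$2" -v want_key="$3" '
        /^[[:space:]]*\[/ {
            s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/\].*$/, "", s)
            in_section = (s == want_section); next
        }
        !in_section || /^[[:space:]]*[#;]/ { next }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", k)
            if (k == want_key) {
                v = substr($0, index($0, "=") + 1)
                sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
                print v; exit
            }
        }
    ' "$1"
}

# Return 0 if an exclude pattern in [base] matches package name $2. yum
# exclude patterns are shell-style globs separated by spaces or commas, so
# "case" applies them directly; set -f stops the shell expanding them as
# filenames while the list is split.
yumcron_excludes_pkg() {
    patterns=$(ini_get "$1" base exclude | tr ',' ' ')
    matched=1
    set -f
    for pat in $patterns; do
        case "$2" in $pat) matched=0 ;; esac
    done
    set +f
    return $matched
}

# One-line verdict for package $2 (default ImageMagick-last, an assumption
# taken from the remi repo commands in this thread).
yumcron_status() {
    pkg="${2:-ImageMagick-last}"
    if [ "$(ini_get "$1" commands apply_updates)" != "yes" ]; then
        echo "yum-cron does not apply updates"
    elif yumcron_excludes_pkg "$1" "$pkg"; then
        echo "yum-cron applies updates, $pkg excluded"
    else
        echo "yum-cron applies updates, $pkg NOT excluded"
    fi
}

# Constructed sample in the layout of yum-cron-hourly.conf.
write_sample_conf() {
    cat > "$1" <<'EOF'
[commands]
update_cmd = default
download_updates = yes
apply_updates = yes

[emitters]
system_name = None

[base]
# This section overrides yum.conf
exclude = ImageMagick*, kernel*
EOF
}

# Stand-alone demo; on a real host run e.g.
#   yumcron_status /etc/yum/yum-cron-hourly.conf   (path is an assumption)
conf=$(mktemp)
write_sample_conf "$conf"
yumcron_status "$conf"
yumcron_status "$conf" php-pecl-imagick
rm -f "$conf"
```

Note the trade-off the exclude creates: it stops yum-cron from replacing policy.xml, but it also stops ImageMagick security updates from being installed until you update that package by hand, so an excluded package needs its own reminder. Re-applying the policy rules after updates, as the Centmin Mod code does, avoids that gap.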
     
  13. eva2000

    eva2000 Administrator Staff Member

    Word from WordPress: ImageMagick Vulnerability Information – Make WordPress Core

     
  14. eva2000

    eva2000 Administrator Staff Member

    Follow-up by Sucuri: Analyzing ImageTragick Exploits in the Wild - Sucuri Blog

     
  15. Revenge

    Revenge Active Member

    For IPS users like me, Invision released a security fix so that even if someone has a vulnerable ImageMagick version, it will not be exploitable.

     
  16. eva2000

    eva2000 Administrator Staff Member

  17. Oxide

    Oxide Active Member

    I ran yum update and there was a new openssl/libre I think.

    Code:
    imagick
    
    imagick module => enabled
    imagick module version => 3.4.2
    imagick classes => Imagick, ImagickDraw, ImagickPixel, ImagickPixelIterator, ImagickKernel
    Imagick compiled with ImageMagick version => ImageMagick 6.9.3-10 Q16 x86_64 2016-05-04 http://www.imagemagick.org
    Imagick using ImageMagick library version => ImageMagick 6.9.3-10 Q16 x86_64 2016-05-04 http://www.imagemagick.org
    ImageMagick copyright => Copyright (C) 1999-2016 ImageMagick Studio LLC
    ImageMagick release date => 2016-05-04
    ImageMagick number of supported formats:  => 225
    ImageMagick supported formats => 3FR, AAI, AI, ART, ARW, AVI, AVS, BGR, BGRA, BGRO, BIE, BMP, BMP2, BMP3, BRF, CAL, CALS, CANVAS, CAPTION, CIN, CIP, CLIP, CMYK, CMYKA, CR2, CRW, CUR, CUT, DATA, DCM, DCR, DCX, DDS, DFONT, DNG, DOT, DPX, DXT1, DXT5, EPDF, EPI, EPS, EPS2, EPS3, EPSF, EPSI, EPT, EPT2, EPT3, ERF, EXR, FAX, FITS, FRACTAL, FTS, G3, GIF, GIF87, GRADIENT, GRAY, GROUP4, GV, H, HALD, HDR, HISTOGRAM, HRZ, HTM, HTML, ICB, ICO, ICON, IIQ, INFO, INLINE, IPL, ISOBRL, ISOBRL6, JBG, JBIG, JNG, JNX, JPE, JPEG, JPG, JPS, JSON, K25, KDC, LABEL, M2V, M4V, MAC, MAGICK, MAP, MASK, MAT, MATTE, MEF, MIFF, MKV, MNG, MONO, MOV, MP4, MPC, MPEG, MPG, MRW, MSL, MSVG, MTV, MVG, NEF, NRW, NULL, ORF, OTB, OTF, PAL, PALM, PAM, PANGO, PATTERN, PBM, PCD, PCDS, PCL, PCT, PCX, PDB, PDF, PDFA, PEF, PES, PFA, PFB, PFM, PGM, PICON, PICT, PIX, PJPEG, PLASMA, PNG, PNG00, PNG24, PNG32, PNG48, PNG64, PNG8, PNM, PPM, PREVIEW, PS, PS2, PS3, PSB, PSD, PTIF, PWP, RADIAL-GRADIENT, RAF, RAS, RAW, RGB, RGBA, RGBO, RGF, RLA, RLE, RMF, RW2, SCR, SCT, SFW, SGI, SHTML, SIX, SIXEL, SPARSE-COLOR, SR2, SRF, STEGANO, SUN, SVG, SVGZ, TEXT, TGA, THUMBNAIL, TIFF, TIFF64, TILE, TIM, TTC, TTF, TXT, UBRL, UBRL6, UIL, UYVY, VDA, VICAR, VID, VIFF, VIPS, VST, WBMP, WEBP, WMF, WMV, WMZ, WPG, X, X3F, XBM, XC, XCF, XPM, XPS, XV, XWD, YCbCr, YCbCrA, YUV
    
    Directive => Local Value => Master Value
    imagick.locale_fix => 0 => 0
    imagick.skip_version_check => 0 => 0
    imagick.progress_monitor => 0 => 0
    How do I confirm I am on the safe version?
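
One way to answer that question from the `php --ri imagick` output, as an added example that is not part of the thread or of Centmin Mod: pull the version from the "Imagick using ImageMagick library version" line (the library actually loaded at runtime, rather than the "compiled with" line) and compare it numerically against the 6.9.3-10 release the thread treats as the updated one. The sample output is constructed from the post above, abbreviated; the 6.9.3-10 threshold is taken from this thread and is an assumption, not a statement of which release fully fixes the bug.

```shell
#!/bin/sh
# Added example, not part of the thread: extract the ImageMagick version the
# PHP imagick extension is running against and compare it with a minimum.

# Minimum taken from this thread (an assumption, see lead-in).
MIN_VERSION="6.9.3-10"

# Constructed sample, abbreviated from the `php --ri imagick` output above.
SAMPLE_RI='imagick

imagick module => enabled
imagick module version => 3.4.2
Imagick compiled with ImageMagick version => ImageMagick 6.9.3-10 Q16 x86_64 2016-05-04 http://www.imagemagick.org
Imagick using ImageMagick library version => ImageMagick 6.9.3-10 Q16 x86_64 2016-05-04 http://www.imagemagick.org'

# Read php --ri output on stdin and print e.g. "6.9.3-10". The "using ...
# library" line is the shared library loaded at runtime, which is the one
# that processes uploads; "compiled with" only says what the extension was
# built against.
imagick_lib_version() {
    grep 'Imagick using ImageMagick library version' \
        | sed -E 's/.*ImageMagick ([0-9]+\.[0-9]+\.[0-9]+-[0-9]+).*/\1/'
}

# 0 if version $1 >= version $2, comparing each numeric field rather than
# the string (6.9.3-10 is newer than 6.9.3-9). Splitting on both "." and "-"
# also lets the rpm spelling 6.9.3.10 compare equal to 6.9.3-10.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Reads php --ri imagick output on stdin; prints "ok <ver>" or "old <ver>".
imagick_check() {
    ver=$(imagick_lib_version)
    if [ -z "$ver" ]; then
        echo "unknown"
    elif version_ge "$ver" "$MIN_VERSION"; then
        echo "ok $ver"
    else
        echo "old $ver"
    fi
}

# Stand-alone demo on the constructed sample; on a real host run
#   php --ri imagick | imagick_check
printf '%s\n' "$SAMPLE_RI" | imagick_check
```

The version number is only half the answer: distribution packages sometimes backport fixes without bumping the upstream version (`rpm -q --changelog <package> | head` shows what a package's maintainer applied), and the policy.xml coder restrictions discussed earlier in the thread are worth keeping in place whatever version is installed, since they cut off the exploit path itself.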
     
  18. eva2000

    eva2000 Administrator Staff Member

    As expected, forum sites are getting attacked via the ImageMagick vulnerabilities, for those without the workaround fix or the updated ImageMagick 6.9.3-10 versions: ImageTragick Exploits Detected in Live Attacks against vBulletin, IP.Board Sites

     
  19. Revenge

    Revenge Active Member

    I'm curious why they said IPB sites (I think it's the only one that took measures against this exploit) and not XenForo, for example.