Source: security-advisories@github.com
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, ImageMagick lacks proper boundary checking when processing Huffman-coded data from PCD (Photo CD) files. The decoder contains a function with an incorrect initialization that could cause an out-of-bounds read. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
ImageMagick, a widely used image processing software, is vulnerable to a critical out-of-bounds read when handling PCD (Photo CD) files. This vulnerability allows attackers to potentially leak sensitive information or cause a denial-of-service (DoS) by crafting malicious image files.
Step 1: Payload Delivery: The attacker crafts a malicious PCD image file containing specially crafted Huffman-coded data. This file is designed to exploit the vulnerability in ImageMagick's Huffman decoding function.
Step 2: File Upload/Ingestion: The victim, or a system processing images, uploads or otherwise ingests the malicious PCD file. This could be through a web application, email attachment, or other file transfer mechanism.
Step 3: ImageMagick Processing: ImageMagick is invoked to process the PCD file. This could be triggered automatically by a server-side script, or manually by a user.
Step 4: Vulnerability Trigger: The Huffman decoding function is called to process the malicious data within the PCD file. Due to the incorrect initialization, the function attempts to read data from memory locations outside of the allocated buffer.
Step 5: Information Leak/DoS: The out-of-bounds read either leaks sensitive information from memory or causes the ImageMagick process to crash, resulting in a denial of service.
The vulnerability stems from an incorrect initialization within the Huffman decoding function when processing PCD files. Specifically, the code fails to properly validate the bounds of Huffman-coded data before accessing it. This leads to an out-of-bounds read, allowing an attacker to read arbitrary memory locations. The root cause is a logic error in the initialization of data structures used by the decoder, leading to incorrect offsets and index calculations. This can be triggered by a specially crafted PCD image file containing malicious Huffman-coded data. The lack of proper boundary checks allows the decoder to read beyond the allocated memory, potentially revealing sensitive information or crashing the application.
While no specific APTs or malware are currently known to be actively exploiting this vulnerability, the widespread use of ImageMagick makes it a likely target for future exploitation. CISA KEV status: Not Listed.
Monitor file system activity for the creation or modification of PCD files, especially those originating from untrusted sources.
Analyze network traffic for unusual patterns associated with image processing, such as large PCD file uploads or downloads.
Implement intrusion detection system (IDS) rules to identify attempts to exploit the vulnerability. These rules should focus on detecting malformed PCD files or unusual memory access patterns within ImageMagick processes.
Monitor ImageMagick process behavior for crashes or unexpected resource consumption.
Upgrade to ImageMagick versions 7.1.2-15 or 6.9.13-40 or later. These versions contain the patch that addresses the vulnerability.
If upgrading is not immediately possible, disable PCD file processing in ImageMagick's configuration. This can be done by modifying the policy.xml file to prevent ImageMagick from processing PCD files.
Implement input validation to restrict the types and sizes of image files that can be uploaded or processed.
Regularly update ImageMagick to the latest stable version to address any future vulnerabilities.
Use a Web Application Firewall (WAF) to filter malicious requests that may attempt to exploit the vulnerability.
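As an added example (not part of the advisory), the policy.xml change referred to above: a coder policy entry that denies the PCD coder all rights, so ImageMagick refuses PCD input and output regardless of file extension. It assumes the policy file is at the standard location for your build (for example /etc/ImageMagick-7/policy.xml or /etc/ImageMagick-6/policy.xml); the path varies by distribution.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policymap [
  <!ELEMENT policymap (policy)*>
  <!ELEMENT policy EMPTY>
  <!ATTLIST policy domain (delegate|coder|filter|path|resource) #IMPLIED>
  <!ATTLIST policy name CDATA #IMPLIED>
  <!ATTLIST policy rights CDATA #IMPLIED>
  <!ATTLIST policy pattern CDATA #IMPLIED>
  <!ATTLIST policy value CDATA #IMPLIED>
]>
<policymap>
  <!-- Default state (no coder policy): every built-in coder, including PCD,
       is selectable by content sniffing, so a file named image.jpg that
       carries a PCD header is still decoded by the PCD coder. -->

  <!-- Mitigation: deny the PCD coder entirely until the fixed release
       (7.1.2-15 / 6.9.13-40) is deployed. rights="none" blocks both
       reading and writing; pattern is the coder (format) name. -->
  <policy domain="coder" rights="none" pattern="PCD" />

  <!-- Keep any existing site entries below this line. -->
</policymap>
```

After editing, confirm the rule is loaded with `magick -list policy` (ImageMagick 7) or `convert -list policy` (ImageMagick 6) and check that `identify` on a known-good PCD sample now fails with a policy error rather than decoding the file.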