CVE-2026-26983

Source: security-advisories@github.com

MEDIUM
5.3
Published: February 24, 2026 at 03:16 AM
Modified: February 24, 2026 at 03:16 AM

Vulnerability Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, the MSL interpreter crashes when processing an invalid `<map>` element that causes it to use an image after it has been freed. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CVSS Metrics

Base Score
5.3
Severity
MEDIUM
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Weaknesses (CWE)

Source: security-advisories@github.com

AI Security Analysis

01 // Technical Summary

ImageMagick, a widely used image processing software, is vulnerable to a use-after-free condition in its MSL interpreter, triggered by a crafted image file containing an invalid `<map>` element. The advisory describes the impact as a crash, and its CVSS vector rates the issue as availability-only (C:N/I:N/A:L). This analysis additionally treats arbitrary code execution on vulnerable systems as a potential outcome, in which case exploitation can lead to system compromise and data breaches.

02 // Vulnerability Mechanism

Step 1: Payload Delivery: An attacker crafts a malicious image file (e.g., PNG, JPEG) containing an embedded MSL script. This script includes a malformed <map> element designed to trigger the vulnerability.

Step 2: Image Processing: A user or application opens or processes the malicious image file using a vulnerable version of ImageMagick.

Step 3: MSL Interpretation: ImageMagick's MSL interpreter parses the embedded script.

Step 4: Vulnerability Trigger: The interpreter encounters the invalid <map> element. Due to the memory management flaw, it attempts to access a freed image object.

Step 5: Code Execution (Potential): If the attacker has crafted the malicious image file carefully, this use-after-free condition can be leveraged to overwrite memory with attacker-controlled data, leading to arbitrary code execution. This is highly dependent on memory layout and the attacker's ability to control the freed memory region.

Step 6: System Compromise: Successful exploitation allows the attacker to execute arbitrary code, potentially leading to complete system compromise, data theft, or other malicious activities.

03 // Deep Technical Analysis

The vulnerability lies within the MSL (Magick Scripting Language) interpreter of ImageMagick. Specifically, the flaw occurs when processing a malformed <map> element within an MSL script embedded in an image file. The interpreter incorrectly handles memory management, leading to a use-after-free condition. When the interpreter encounters an invalid <map> element, it attempts to access an image object after it has already been freed from memory. This can lead to a crash, or, more critically, allow an attacker to overwrite memory with malicious code. The root cause is a lack of proper bounds checking and memory management within the MSL interpreter's handling of image objects and the <map> element. The patch addresses this by ensuring the image object is not accessed after being freed.

04 // Exploitation Status

Discovery Only. While the vulnerability is known and the root cause is understood, a publicly available, reliable, and fully functional exploit is likely not available at this time. However, the nature of the vulnerability (use-after-free) makes it highly exploitable with sufficient effort. A proof-of-concept (PoC) may exist internally or in private security circles.

05 // Threat Intelligence

While no specific APTs are directly linked to this CVE at this time, the widespread use of ImageMagick makes it an attractive target for various threat actors. Given the potential for remote code execution, this vulnerability could be exploited by any group seeking to gain initial access or escalate privileges. CISA KEV status: Not Listed.

06 // Detection & Hunting

  • Monitor file system activity for the creation or modification of image files, especially those from untrusted sources.

  • Analyze network traffic for unusual patterns, such as large image uploads or downloads, or unusual connections to image processing servers.

  • Implement file integrity monitoring to detect changes to ImageMagick binaries or related configuration files.

  • Examine system logs for crashes or errors related to ImageMagick, particularly those involving MSL processing.

  • Use a host-based intrusion detection system (HIDS) to monitor for suspicious process behavior related to ImageMagick, such as unexpected network connections or file system modifications.

  • Analyze image files for embedded MSL scripts and unusual or malformed elements, especially the <map> element.

07 // Remediation & Hardening

  • Upgrade to ImageMagick versions 7.1.2-15 or 6.9.13-40 or later.

  • If upgrading is not immediately possible, disable MSL processing by adding an entry to `policy.xml` that disallows the MSL coder: `<policy domain="coder" rights="none" pattern="MSL"/>`.

  • Implement input validation to restrict the types and sizes of image files that are processed.

  • Use a web application firewall (WAF) to filter malicious requests that may attempt to exploit the vulnerability.

  • Regularly update ImageMagick and other software to the latest versions.

  • Implement a defense-in-depth strategy, including network segmentation and intrusion detection/prevention systems.
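The first two remediation items can be checked per host. The following is an added example, not code from the advisory or from ImageMagick: it classifies a host from its `magick -version` banner and the text of its `policy.xml`. The function names and sample inputs are hypothetical, and it assumes that the last matching coder entry decides the outcome and that patterns use only `*` and `?`; confirm the effective policy on the host with `magick -list policy`.

```python
import re
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Fixed releases named in the advisory, keyed by major version.
FIXED = {7: (7, 1, 2, 15), 6: (6, 9, 13, 40)}

def is_patched(banner):
    """True if a `magick -version` banner is at or above the fixed release."""
    m = re.search(r"ImageMagick (\d+)\.(\d+)\.(\d+)-(\d+)", banner)
    if not m:
        raise ValueError("no ImageMagick version found in banner")
    ver = tuple(int(x) for x in m.groups())
    fixed = FIXED.get(ver[0])
    # Unknown major versions count as unpatched so they get reviewed by hand.
    return fixed is not None and ver >= fixed

def msl_coder_blocked(policy_xml):
    """True if the effective coder policy for MSL grants no rights."""
    blocked = False
    for pol in ET.fromstring(policy_xml).iter("policy"):
        if pol.get("domain", "").lower() != "coder":
            continue
        # Glob match on * and ? only; brace lists like {A,B} are not expanded.
        if fnmatchcase("MSL", pol.get("pattern", "").upper()):
            # Assumption: the last matching entry decides the outcome.
            blocked = pol.get("rights", "").lower() == "none"
    return blocked

def assess(banner, policy_xml):
    """Classify a host as 'patched', 'mitigated' or 'exposed'."""
    if is_patched(banner):
        return "patched"
    return "mitigated" if msl_coder_blocked(policy_xml) else "exposed"

# Constructed sample inputs (not taken from any real host).
HARDENED = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
</policymap>"""
REOPENED = """<policymap>
  <policy domain="coder" rights="none" pattern="*"/>
  <policy domain="coder" rights="read|write" pattern="MSL"/>
</policymap>"""

if __name__ == "__main__":
    old = "Version: ImageMagick 7.1.2-3 Q16-HDRI x86_64"
    print(assess(old, HARDENED), assess(old, REOPENED))
```

The `REOPENED` sample shows why a blanket deny is not enough on its own: a later entry that grants rights to MSL leaves the host classified as exposed.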

08 // Affected Products

  • ImageMagick versions prior to 7.1.2-15

  • ImageMagick versions prior to 6.9.13-40