ImageMagick vulnerability leaves countless sites at risk

ImageMagick, an image-processing library that many web services rely on, has multiple vulnerabilities, putting millions of websites at risk, security researchers have warned.

According to Slack security engineer Ryan Huber, one of the vulnerabilities can lead to remote code execution (RCE) on any server that passes user-submitted images to ImageMagick. In practice, that means your website could be taken over.

In a blog post explaining the vulnerability, Huber says this vulnerability is ‘being used in the wild’.

“A number of image processing plugins depend on the ImageMagick library, including, but not limited to, PHP’s imagick, Ruby’s rmagick and paperclip, and nodejs’s imagemagick,” he says in the blog post.

If you use ImageMagick or one of the affected libraries, Huber offers two recommendations for mitigating the known vulnerabilities. Doing at least one of them is necessary; he suggests doing both:

  • “Verify that all image files begin with the expected "magic bytes" corresponding to the image file types you support before sending them to ImageMagick for processing.
  • Use a policy file to disable the vulnerable ImageMagick coders. The global policy for ImageMagick is usually found in “/etc/ImageMagick”. The below policy.xml example will disable the coders EPHEMERAL, URL, MVG, and MSL.”
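The two mitigations above, as an added example (not code from Huber's post or from ImageMagick): a magic-byte check that decides on the file's leading bytes alone, and a check that a policy.xml actually denies the four coders named above. The accepted image types, the sample uploads and the policy fragment are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Magic bytes for the image types this (hypothetical) site accepts.
MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}

# Coders Huber recommends disabling in policy.xml.
RISKY_CODERS = {"EPHEMERAL", "URL", "MVG", "MSL"}


def sniff_image_type(data: bytes):
    """Return the detected type, or None if no supported signature matches.
    Only the leading bytes decide; the filename extension is never consulted."""
    for kind, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def missing_coder_denials(policy_xml: str, required=RISKY_CODERS):
    """Return the coders in `required` that policy_xml does not deny outright
    via <policy domain="coder" rights="none" pattern="CODER" />."""
    root = ET.fromstring(policy_xml)
    denied = {
        p.get("pattern", "").upper()
        for p in root.iter("policy")
        if p.get("domain") == "coder" and p.get("rights") == "none"
    }
    return set(required) - denied


# Constructed sample uploads: a PNG header, and a text file carrying an MVG
# header that an extension-only check would let through to ImageMagick.
PNG_UPLOAD = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
MVG_UPLOAD = b"push graphic-context\nviewbox 0 0 640 480\n"

# Constructed policy fragment that forgets to disable the MSL coder.
INCOMPLETE_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="MVG" />
</policymap>"""

if __name__ == "__main__":
    print(sniff_image_type(PNG_UPLOAD))              # png
    print(sniff_image_type(MVG_UPLOAD))              # None -> reject before ImageMagick
    print(missing_coder_denials(INCOMPLETE_POLICY))  # {'MSL'}
```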

Usually, flaws like these are made public only after a fix has been released, but this time the patch is still pending. The details were published early because the issue is serious and the flaws are being actively exploited.