Researchers Uncover New Bugs in Popular ImageMagick Image Processing Utility

Share This Post

Cybersecurity researchers have disclosed details of two security flaws in the open source ImageMagick software that could potentially lead to a denial-of-service (DoS) and information disclosure.

The two issues, which were identified by Latin American cybersecurity firm Metabase Q in version 7.1.0-49, were addressed in ImageMagick version 7.1.0-52, released in November 2022.

A brief description of the flaws is as follows –

CVE-2022-44267 – A DoS vulnerability that arises when parsing a PNG image with a filename that’s a single dash (“-“)
CVE-2022-44268 – An information disclosure vulnerability that could be exploited to read arbitrary files from a server when parsing an image

That said, an attacker must be able to upload a malicious image to a website using ImageMagick so as to weaponize the flaws remotely. The specially crafted image, for its part, can be created by inserting a text chunk that specifies some metadata of the attacker’s choice (e.g., “-” for the filename).

“If the specified filename is ‘-‘ (a single dash), ImageMagick will try to read the content from standard input potentially leaving the process waiting forever,” the researchers said in a report shared with The Hacker News.

In the same manner, if the filename refers to an actual file located in the server (e.g., “/etc/passwd”), an image processing operation carried out on the input could potentially embed the contents of the remote file after it’s complete.

This is not the first time security vulnerabilities have been discovered in ImageMagick. In May 2016, multiple flaws were disclosed in the software, one of which, dubbed ImageTragick, could have been abused to gain remote code execution when processing user-submitted images.

A shell injection vulnerability was subsequently revealed in November 2020, wherein an attacker could insert arbitrary commands when converting encrypted PDFs to images via the “-authenticate” command line parameter.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

The Hacker News

Read More

More Articles
Article

Navigating SEC Regulations In Cybersecurity And Incident Response

Free video resource for cybersecurity professionals. As 2024 approaches, we all know how vital it is to keep up to date with regulatory changes that affect our work. We get it – it’s a lot to juggle, especially when you’re in the trenches working on an investigation, handling, and responding to incidents.
Article

BFU – Seeing is Believing

Oh no, the device is in BFU. This is the common reaction; a device needs extracting, and you find it in a BFU state. Often, there’s an assumption that a BFU extraction will only acquire basic information, but that isn’t always the case.

Report

Harassment or bullying behavior
Contains mature or sensitive content
Contains misleading or false information
Contains abusive or derogatory content
Contains spam, fake content or potential malware

Block Member?

Please confirm you want to block this member.

You will no longer be able to:

  • See blocked member's posts
  • Mention this member in posts
  • Invite this member to groups
  • Message this member
  • Add this member as a connection

Please note: This action will also remove this member from your connections and send a report to the site admin. Please allow a few minutes for this process to complete.

Report

You have already reported this .