CVE-2016-3714:
CVE-2016-3714 (ImageTragick) — ImageMagick remote code execution via crafted images containing shell metacharacters; affects 6.9.3-9 and 7.0.0-0, fixed in 6.9.3-10 and 7.0.1-1.
Score
A numerical rating that indicates how dangerous this vulnerability is.
8.4 High
- Published Date: May 5, 2016
- CISA KEV Date: Sep 9, 2024
- Industries Affected: 20
Threat Predictions
- EPSS Score: 93.8
- EPSS Percentile: 100%
Exploitability
- Score: 2.5
- Attack Vector: LOCAL
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
Impact
- Score: 5.9
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH
Overview
ImageMagick contains a remote code execution vulnerability (ImageTragick) due to certain coders (EPHEMERAL, HTTPS, MVG, MSL, TEXT, SHOW, WIN, PLT) processing shell metacharacters in crafted images. When such an image is handled by vulnerable versions, an attacker can run arbitrary commands on the affected system. The flaw affects 6.9.3-9 and 7.0.0 through 7.0.1-0, with fixes released in 6.9.3-10 and 7.0.1-1. This vulnerability prompted multiple vendor advisories and security discussions, emphasizing the need to upgrade to patched releases and apply mitigations.
Remediation
- Upgrade ImageMagick to the patched releases: 6.9.3-10 or newer for the 6.x line, and 7.0.1-1 or newer for the 7.x line. Apply these upgrades across all affected systems (Red Hat, Debian, Ubuntu, SUSE, etc.).
- If upgrading is not immediately possible:
  - Apply vendor advisories and security patches from your OS vendor (e.g., Red Hat, Debian, Ubuntu, SUSE) and follow their containment guidance.
  - Run ImageMagick with the least-privilege user account and, where feasible, in isolated containers or sandboxes to limit impact.
  - Use policy restrictions to limit or disable dangerous features and coders in ImageMagick’s policy.xml, and restrict processing of untrusted images where possible.
  - Validate and sanitize all image inputs in applications, and monitor for indicators of exploitation (unusual processes, logs, or spikes in resource usage).
- After applying fixes or mitigations, test in a staging environment to confirm normal image processing behavior and verify that the vulnerability is no longer exploitable.
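To verify the policy.xml mitigation above, the following added example (not part of the original advisory or of ImageMagick) audits a policy file and reports which of the coders named in the Overview are not denied. The sample policy is constructed, and glob matching through Python's `fnmatch` is an assumption that only approximates ImageMagick's own pattern matching.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Coders named in the Overview of this page.
RISKY_CODERS = ["EPHEMERAL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT"]

# Constructed sample policy.xml (not taken from any real system).
SAMPLE_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="read" pattern="TEXT" />
  <policy domain="resource" name="memory" value="256MiB" />
</policymap>"""


def coder_rules(policy_xml):
    """Return (pattern, rights) for every coder-domain rule in the policy."""
    root = ET.fromstring(policy_xml)
    rules = []
    for node in root.iter("policy"):
        if node.get("domain", "").lower() == "coder":
            rules.append((node.get("pattern", "").upper(),
                          node.get("rights", "").strip().lower()))
    return rules


def exposed_coders(policy_xml, coders=RISKY_CODERS):
    """List coders that the policy does not fully deny.

    Conservative on purpose: a coder counts as blocked only if at least one
    matching rule has rights="none" and no matching rule grants anything
    else, so the result does not depend on rule ordering.
    """
    rules = coder_rules(policy_xml)
    exposed = []
    for coder in coders:
        matched = [rights for pattern, rights in rules
                   if fnmatch.fnmatchcase(coder, pattern)]
        if not matched or any(r != "none" for r in matched):
            exposed.append(coder)
    return exposed


if __name__ == "__main__":
    for name in exposed_coders(SAMPLE_POLICY):
        print("coder not disabled by policy:", name)
```

Point `exposed_coders` at the contents of the policy.xml that the running ImageMagick build actually loads; an empty result means every listed coder is denied by that file.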
Armis Early Warning
- Armis Alert Date: Apr 28, 2016
- CISA KEV Date: Sep 9, 2024
- Days Early: 3049 Days
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.