JPCERT-AT-2016-0021
                                                             JPCERT/CC
                                                   2016-05-06(Initial)
                                                   2016-05-09(Update)

                  <<< JPCERT/CC Alert 2016-05-06 >>>

       Alert Regarding Vulnerability (CVE-2016-3714) in ImageMagick

         https://www.jpcert.or.jp/english/at/2016/at160021.html


I. Overview

  ImageMagick provided by ImageMagick Studio LLC contains a vulnerability
(CVE-2016-3714). When opening contents that leverage this vulnerability in
ImageMagick, an arbitrary OS command may be executed.
  For details on the vulnerability, please refer to the information provided
by ImageMagick Studio LLC.

    ImageMagick Security Issue
    https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588

  Proof-of-Concept code for this vulnerability has been made public. 
JPCERT/CC has tested this code and verified that an arbitrary OS command
can be executed with the privileges of the user running ImageMagick.

  ImageMagick Studio LLC has released updated versions of software that 
address this vulnerability. Users using an affected version of the software
are strongly recommended to update as soon as possible. Also, if ImageMagick 
is being used within a web application, this may also be affected, so it is 
recommended to check if affected and if so, apply the update.


II. Affected Software

  The following product and versions are affected by this vulnerability;

  ImageMagick
    - 6.9.3-9 and earlier versions of 6.x
    - 7.0.1-0 and earlier versions of 7.x

  JPCERT/CC has verified an arbitrary OS command execution in the versions
above using the proof-of-concept code.

  If using a version of ImageMagick provided by a distributor, please refer
to the information provided by the distributor.


III. Solution

  Update ImageMagick to one of the following versions that address the
vulnerability.

  ImageMagick
    - Version 6.9.3-10 for 6.x
    - Version 7.0.1-1 for 7.x

  JPCERT/CC has tested the proof-of-concept code on the above versions and
verified that the vulnerability (CVE-2016-3714) was not exploited.

  Other vulnerabilities (VE-2016-3715, CVE-2016-3716, CVE-2016-3717, 
CVE-2016-3718) also reported in addition to this vulnerability (CVE-2016-3714),
require changing the ImageMagick configuration file (policy.xml) as a 
workaround besides updating the software. For more details, please refer to 
"IV. Workarounds".

** Update: May 9, 2016 Update ******************************************
  ImageMagick Studio LLC has released the latest versions of ImageMagick
on May 5 and 6, 2016(local time). ImageMagick Studio LLC states that these
versions address the vulnerability.

  For more details, please refer to the information provided by ImageMagick 
Studio LLC.

    ImageMagick Studio LLC
    ImageMagick Security Issue
    http://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588

  Please consider updating to the following latest versions.

  ImageMagick
    - Version 6.9.4-0 for 6.x
    - Version 7.0.1-2 for 7.x
************************************************************************


IV. Workarounds

  If the update cannot be applied immediately, change the settings to limit
processing, in order to mitigate the effects of the vulnerability. Before
applying this workarounds, carefully consider any side effects.

  - For details on the changes necessary to the ImageMagick configuration file 
    (policy.xml) to limit processing, please refer to the information provided
    by ImageMagick Studio LLC and the distributor. If the configuration file
    (policy.xml) does not exist, disable the functions that process MVG.
  
    ImageMagick Studio LLC
    ImageMagick Security Issue
    https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588

    RedHat,Inc
    ImageMagick Filtering Vulnerability - CVE-2016-3714
    https://access.redhat.com/security/vulnerabilities/2296071


V. References

    ImageMagick Studio LLC
    ImageMagick: Changelog
    https://imagemagick.org/script/changelog.php

    ImageMagick Studio LLC
    ImageMagick/ChangeLog at ImageMagick/ChangeLog at ImageMagick-6
    https://github.com/ImageMagick/ImageMagick/blob/ImageMagick-6/ChangeLog

    US-CERT Current Activity
    ImageMagick Vulnerability
    https://www.us-cert.gov/ncas/current-activity/2016/05/04/ImageMagick-Vulnerability

    Vulnerability Note VU#250519
    ImageMagick does not properly validate input before processing images using a delegate
    https://www.kb.cert.org/vuls/id/250519

    SANS Internet Storm Center
    ImageTragick: Another Vulnerability, Another Nickname
    https://isc.sans.edu/forums/diary/ImageTragick+Another+Vulnerability+Another+Nickname/21023/

** Update: May 9, 2016 Update ******************************************
    JVNVU#92998929
    ImageMagick does not properly validate input before processing images using a delegate (Japanese)
    https://jvn.jp/vu/JVNVU92998929/
************************************************************************


  If you have any information regarding this alert, please contact
JPCERT/CC.

======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600  FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/