Snyk ブログ

Mitigating ImageMagick vulnerabilities in Node.js

著者:
Guy Podjarny
Guy Podjarny

May 6, 2016

0 分で読めます

Multiple severe and trivially exploited vulnerabilities in ImageMagick were disclosed earlier this week, and are known to be exploited in the wild. As there is no official fix yet, we created a package called imagemagick-safe which disables the vulnerable features, protecting against the known exploits.

TL; DR

ImageMagick is an extremely popular library and binary for manipulating images. Amongst other uses, it’s often used to process user generated content, such as avatar images, product photos or displaying images in social channels.

Earlier this week, multiple severe and easily exploited vulnerabilities in ImageMagick were disclosed. There is no official fix yet, but it can be mitigated by disabling certain features.

In Node.js, ImageMagick is primarily invoked through the imagemagick npm package. This package has not been updated in over 2 years, and so is unlikely to help address this issue.

To help protect Node.js ImageMagick users, we released a dedicated npm package called imagemagick-safe, which disables the vulnerable features. We also submitted a pull request with this change to the imagemagick package GitHub repo, but given the repo’s inactivity we think it’s unlikely it’ll be pulled in.

ImageTragick - background

The disclosed vulnerabilities are especially noteworthy for three reasons:

  1. Some of the vulnerabilities are extremely severe, allowing attackers to execute commands on the server, expose server files and more.

  2. The vulnerabilities trivial to exploit, requiring no more than a purpose-built image file and a single HTTP request.

  3. There is still no official fix available.

  4. The vulnerabilities are known to be exploited in the wild.

The whole incident is being referred to as ImageTragick, and you can find more detail about the vulnerabilities on its dedicated website, imagetragick.com.

Cause & mitigation

From what is currently known, the vulnerabilities are all related to the processing of specific image file types and keywords, such as MVG, URL and HTTPS. The file types support an internal action (e.g. include another image) and the processing of these actions is not sufficiently sanitized, enabling remote command execution. Here’s an example of an exploit, copied from the official vulnerability website:

Sample exploit.svg

<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd";> 
<svg width="640px" height="480px" version="1.1" xmlns="http://www.w3.org/2000/svg"; xmlns:xlink= "http://www.w3.org/1999/xlink";> 
<image xlink:href="https://example.com/image.jpg"|ls "-la" 
x="0" y="0" height="640px" width="480px"/>

Sample execution

$ convert exploit.mvg out.png
total 32
drwxr-xr-x 6 user group 204 Apr 29 23:08 .
drwxr-xr-x+ 232 user group 7888 Apr 30 10:37 ..

The way to disable support for these formats and keywords is by editing ImageMagick’s (optional) policy.xml configuration file, ensuring it includes the content below. Doing so will actually remove some functionality, but will also address the vulnerabilities. Note that editing the policy is not guaranteed to address all possible exploits, but the vulnerability researchers claim it blocks all those currently known to them.

<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" /> 
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>

imagemagick-safe npm package

Given that the primary imagemagick package is not active, we created a new package called imagemagick-safe.

This package forces the use of the above policy, disabling features but removing vulnerabilities in the process. We recommend you use it until new ImageMagick binaries are released, and you’ve confirmed your systems are upgraded.

Note you can also use ImageMagick via the gm package, we’re looking at submitting a pull request there too.

If you find issues or otherwise have feedback about this package, please let us know at support@snyk.io.

脆弱性の自動検出および修正

Snyk は、コード、依存関係、コンテナ、およびクラウドインフラのワンクリック修正 PR と対策アドバイスを提供します。

今すぐ見る

カテゴリー:脆弱性インサイト

CI/CDパイプラインをレベルアップする方法

プロダクションにプッシュする前に、これらの8つのヒントでパイプ内のセキュリティ問題をキャッチする方法を確認してみましょう⭐️

チートシートをみる
Patch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo Segment

Snyk (スニーク) は、デベロッパーセキュリティプラットフォームです。Snyk は、コードやオープンソースとその依存関係、コンテナや IaC (Infrastructure as a Code) における脆弱性を見つけるだけでなく、優先順位をつけて修正するためのツールです。世界最高峰の脆弱性データベースを基盤に、Snyk の脆弱性に関する専門家としての知見が提供されます。

無料で始める資料請求

製品

Snyk とはSnyk Code (SAST)Snyk Open Source (SCA)Snyk ContainerSnyk Infrastructure as CodeSnyk AppRisk (ASPM)デベロッパーセキュリティプラットフォームアプリケーションセキュリティソフトウェアサプライチェーンセキュリティAI によって自動で生成されたコードを保護 DeepCode AI料金プラン導入オプション統合IDE プラグインGit セキュリティCI/CD パイプラインのセキュリティSnyk CLISnyk LearnSnyk for JavaScript

リソース

ドキュメントSnyk API ドキュメントAPI ステータス公開済みの脆弱性サポートポータル及びよくある質問ブログセキュリティの基礎知識セキュリティリーダー向けコンテンツ倫理的ハッカーのためのリソース脆弱性データベースSnyk OSS アドバイザーSnyk トップ10動画カスタマーリソース Security Labs

企業情報

Snyk についてお客様事例採用情報イベント官公庁向けセキュリティと信頼性法的条件プライバシーカリフォルニア在住者向け:個人情報保護法 (CCPA)Web サイトの利用規約

お問い合わせ

資料請求お問い合わせサポート新しい脆弱性を報告する

セキュリティ

アプリケーションセキュリティコンテナセキュリティサプライチェーンセキュリティJavaScript セキュリティオープンソースセキュリティAWS セキュリティセキュアな SDLCセキュリティ態勢セキュアコーディング倫理的ハッキングサイバーセキュリティにおける AIコードチェッカーPythonエンタープライズサイバーセキュリティJavaScriptSnyk With GitHubSnyk と VeracodeSnyk と Checkmarx

© 2024 Snyk Limited
Registered in England and Wales

logo-devseccon