<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">After I saw that yesterday I looked into it a bit.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">ImageMagick's site that has the mitigation is:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><a href="https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588">https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">That says to update /etc/ImageMagick/policy.xml to add the following lines:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> <policy domain="coder" rights="none" pattern="EPHEMERAL" /><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> <policy domain="coder" rights="none" pattern="HTTPS" /><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> <policy domain="coder" rights="none" pattern="MVG" /><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> <policy domain="coder" rights="none" pattern="MSL" /><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I did that on a RHEL7 system, then ran "convert -list policy" to verify that it shows those in the policy.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">There was another link that had a way to test:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><a href="http://serverfault.com/questions/774808/how-to-verify-installation-of-imagemagick-is-not-vulnerable-to-cve-2016-3714">http://serverfault.com/questions/774808/how-to-verify-installation-of-imagemagick-is-not-vulnerable-to-cve-2016-3714</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">That had a response that said:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Karim Valiev posted information to the oss-security mailing list, showing how to check the local install of ImageMagick to see if it is vulnerable.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">a) Create a file called exploit.mvg with the following contents:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> push graphic-context<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> viewbox 0 0 640 480<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> fill 'url(https://example.com/image.jpg"|ls "-la)'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> pop graphic-context<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">b) Then run the convert utility:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> $ convert exploit.mvg out.png<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">c) If you see a local directory listing, your installation of ImageMagick is not sufficiently protected.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I created that file on atlema03 and ran with and without the updated policy.xml to verify it did the listing without the update but did not with the update.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I went to RedHat's site and they have a link on main access.redhat.com about this:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><a href="https://access.redhat.com/security/vulnerabilities/2296071">https://access.redhat.com/security/vulnerabilities/2296071</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Title: ImageMagick Filtering Vulnerability - CVE-2016-3714<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">They provide a check script, but all it is really doing is checking whether you're running a vulnerable version, and all versions are vulnerable since no Errata had been issued yet.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I found that neither RHEL5 nor RHEL6 has /etc/ImageMagick. Instead they appear to rely on /usr/lib64/ImageMagick/config (for X86_64, just /usr/lib/.. if i386). The policy.xml exists in that directory on RHEL6; modifying it there solves the issue. However, there is no policy.xml on RHEL5, and adding it manually doesn’t help even though RHEL5 does have the issue, so it isn’t clear how one would fix it on RHEL5 (except by getting a newer upstream version). Hopefully RedHat is working on updates.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Of course this would all be true for CentOS and other distros based on RHEL.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><i><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">Jeffrey C. Lightner</span></i><i><span style="font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">Sr. UNIX/Linux Administrator</span></i><i><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></i></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">DS Services of America, Inc.</span><span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">2300 Windy Ridge Pkwy</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">Suite
<i>600 N</i></span><span style="font-size:11.0pt;color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="PT" style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">Atlanta, GA 30339-8461</span><span lang="PT" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="PT" style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="PT" style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">P:
<i>678-486-3516<o:p></o:p></i></span></p>
<p class="MsoNormal"><span lang="PT" style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">C:
<i>678-772-0018</i></span><span lang="PT" style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="PT" style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">F:
<i>678-460-3603</i></span><span lang="PT" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="PT" style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">E:
<i>jlightner@dsservices.com</i><o:p></o:p></span></p>
</div>
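<p class="MsoNormal">A static check of the mitigation described in the message above, as an added example that is not part of the original email or of ImageMagick: it parses a policy.xml and reports which of the four coders from the quoted policy lines are still enabled. The function names and sample policy text are constructed for illustration, and the default paths are the two locations named in the message.</p>

```python
import sys
import xml.etree.ElementTree as ET

# Coder names from the four policy lines quoted in the message above.
REQUIRED_CODERS = ("EPHEMERAL", "HTTPS", "MVG", "MSL")
# Policy locations the message names for RHEL7 and for RHEL6 (x86_64).
DEFAULT_PATHS = ("/etc/ImageMagick/policy.xml",
                 "/usr/lib64/ImageMagick/config/policy.xml")

# Constructed sample: the MVG line is commented out, so a plain grep for
# pattern="MVG" would wrongly report this file as mitigated.
SAMPLE_PARTIAL = """<policymap>
  <!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="resource" name="memory" value="256MiB" />
</policymap>"""
SAMPLE_FIXED = SAMPLE_PARTIAL.replace("<!-- ", "").replace(" -->", "")


def unprotected_coders(policy_xml):
    """Return the required coders that policy_xml (str or bytes) leaves enabled."""
    denied, granted = set(), set()
    for entry in ET.fromstring(policy_xml).iter("policy"):  # comments are skipped
        if entry.get("domain", "").lower() != "coder":
            continue
        rights = entry.get("rights", "").strip().lower()
        # Exact pattern names only; glob patterns are not evaluated here.
        (denied if rights == "none" else granted).add(entry.get("pattern", ""))
    # Treat a coder as open if no entry denies it or any entry grants rights.
    return [c for c in REQUIRED_CODERS if c not in denied or c in granted]


def check_file(path):
    """Return (status, unprotected coders) for one policy file on disk."""
    try:
        with open(path, "rb") as fh:
            return "checked", unprotected_coders(fh.read())
    except FileNotFoundError:  # e.g. the RHEL5 case described in the message
        return "absent", list(REQUIRED_CODERS)
    except ET.ParseError:
        return "unparseable", list(REQUIRED_CODERS)


if __name__ == "__main__":
    results = [(p, *check_file(p)) for p in (sys.argv[1:] or DEFAULT_PATHS)]
    for path, status, missing in results:
        print(f"{path}: {status}; unprotected: {', '.join(missing) or 'none'}")
    sys.exit(0 if any(s == "checked" and not m for _, s, m in results) else 1)
```

<p class="MsoNormal">A file that passes this check only matters if the installed build actually reads it, so confirm with "convert -list policy" as the message does.</p>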
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> ale-bounces@ale.org [mailto:ale-bounces@ale.org]
<b>On Behalf Of </b>Jim Kinney<br>
<b>Sent:</b> Wednesday, May 04, 2016 2:15 PM<br>
<b>To:</b> Atlanta Linux Enthusiasts<br>
<b>Subject:</b> Re: [ale] Imagemagick exploit<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Nice! Easy! <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">On Wed, 2016-05-04 at 11:30 -0400, Boris Borisov wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p><a href="http://www.theregister.co.uk/2016/05/04/imagemagick_exploits_in_the_wild/">http://www.theregister.co.uk/2016/05/04/imagemagick_exploits_in_the_wild/</a><o:p></o:p></p>
</blockquote>
<div>
<pre>-- <o:p></o:p></pre>
<pre>James P. Kinney III<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>Every time you stop a school, you will have to build a jail. What you<o:p></o:p></pre>
<pre>gain at one end you lose at the other. It's like feeding a dog on his<o:p></o:p></pre>
<pre>own tail. It won't fatten the dog.<o:p></o:p></pre>
<pre>- Speech 11/23/1900 Mark Twain<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre><a href="http://heretothereideas.blogspot.com/">http://heretothereideas.blogspot.com/</a><o:p></o:p></pre>
</div>
</div>
</body>
</html>