Two security vulnerabilities in the popular open-source image manipulation program ImageMagick have been exposed by researchers at Metabase Q. The vulnerabilities are tracked as CVE-2022-44268 and CVE-2022-44267 and could cause a data breach or trigger a DoS condition if exploited. They affect version 7.10-49 of the program and have been fixed in version 7.1.0-52, released in November 2022.
CVE-2022-44267 is a DoS issue triggered when the software parses a PNG image whose text chunk gives a single dash (-) as the filename. When parsing such an image, the conversion process can be left waiting for input on stdin, causing a DoS condition: a state in which the process cannot handle any other images.
To exploit this bug remotely, an attacker can upload to any site using ImageMagick a malicious PNG with a text chunk whose name is a single dash. The site would parse the image, and ImageMagick would interpret the text string as a filename and load its content as a raw profile. If this text string is a single dash, the program tries to read content from the standard input stream, potentially leaving the conversion process waiting forever.
The second vulnerability, CVE-2022-44268, is an information disclosure flaw that lets a threat actor read arbitrary files from a server when it parses an image; again, the trigger is a PNG image. If ImageMagick has permission to read arbitrary files, the image produced by the parsing process can have the contents of another file on the machine embedded in it.
Vulnerabilities in popular open-source programs should be taken seriously, as these programs are widely used by people around the world looking to save on subscription costs. Open-source programs should also be used with caution, as they are easy targets for threat actors, who can read the source code and work out weaknesses to exploit.