ImageMagick Vulnerabilities Could Allow DoS, Information Leak

Researchers found two security vulnerabilities in the ImageMagick tool that could trigger denial of service attacks or leak data. The vendors patched the bugs in time, preventing any active exploitation. Users must ensure updating to the latest patched releases to avoid any mishap.

Multiple Vulnerabilities Spotted In ImageMagick Tool

According to a recent post from the cybersecurity firm Metabase Q, their researchers found two security issues in the ImageMagick graphics tool.

ImageMagick is an open-source software for image conversion, designing, and editing. Given its free availability and support for a large number of file formats (200+), ImageMagick is a popular tool among graphic designers and web developers, particularly those dealing with open-source apps.

Specifically, the researchers found the following two vulnerabilities affecting ImageMagick.

  • CVE-2022-44267: a denial-of-service (DoS) vulnerability that affected the image conversion feature when parsing PNG files. According to the researchers, parsing .png files could “leave the convert process waiting for stdin input.”
  • CVE-2022-44268: an information disclosure vulnerability that could leak data from arbitrary remote files when parsing PNG images in the resulting image.

Exploiting both vulnerabilities simply required an attacker to upload a malicious PNG image file to the target website using ImageMagick. The researchers have shared a detailed technical analysis of both vulnerabilities in their post.

Vendors Patched The Flaws

Metabase Q’s Ocelot team discovered these images when analyzing the then-latest version of ImageMagick 7.1.0-49. Following this discovery, they promptly reported the matter to ImageMagick developers.

Consequently, the app developers worked on fixing the vulnerabilities, ultimately releasing the patches with the subsequent app release.

Their site now lists the ImageMagick 7.1.0-60 version as the latest release. Hence, to ensure receiving all the feature updates and bug fixes, users must update their websites and systems with this release at the earliest.

Let us know your thoughts in the comments.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients