Security week: 2x High Severity OpenSSL vulnerability & critical ImageMagick flaw

Want to help support this blog? Try out Oh Dear, the best all-in-one monitoring tool for your entire website, co-founded by me (the guy that wrote this blogpost). Start with a 10-day trial, no strings attached.

We offer uptime monitoring, SSL checks, broken links checking, performance & cronjob monitoring, branded status pages & so much more. Try us out today!

Profile image of Mattias Geniar

Mattias Geniar, May 04, 2016

Follow me on Twitter as @mattiasgeniar

OpenSSL high severity vulnerabilities

The OpenSSL team has revealed the previously announced security vulnerabilities: 2 security issues with severity “high” have been disclosed.

The details were posted to the mailing list.

The first bug is a out-of-bounds memory write, potentially allowing a malicious certificate to write data in memory areas used by other applications.

If an application deserializes untrusted ASN.1 structures containing an ANY field, and later reserializes them, an attacker may be able to trigger an out-of-bounds write.

This has been shown to cause memory corruption that is potentially exploitable with some malloc implementations.

Applications that parse and re-encode X509 certificates are known to be vulnerable.

OpenSSL Security Advisory

The second vulnerability could allow a man-in-the-middle (MITM) decryption of traffic. If you have access in between the server performing TLS encryption and the client connecting to it, this would allow you to decrypt that traffic.

A MITM attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server support AES-NI.

OpenSSL Security Advisory

For both fixes, an openssl update has been released. All packages are available on Linux distributions, so it’s time to update and restart all depending services (or, when in doubt, restart the entire server).

ImageMagick: Remote Code Execution

The second vulnerability this week comes from the ImageMagick application, used widely in web applications for processing images, generating thumbnails, resizing, rotating, … images. ImageMagick is used in both PHP and Ruby applications worldwide.

There are multiple vulnerabilities in ImageMagick, a package commonly used by web services to process images. One of the vulnerabilities can lead to remote code execution (RCE) if you process user submitted images. The exploit for this vulnerability is being used in the wild.

A number of image processing plugins depend on the ImageMagick library, including, but not limited to, PHP’s imagick, Ruby’s rmagick and paperclip, and nodejs’s imagemagick.

ImageTragick.com

If an attacker can upload an image to your webserver (think forum or blog avatars, webshop product photos, blog uploads, …), ImageMagick would parse it and could trigger a remote code execution, offering the attacker a shell or backdoor on your server.

The quickest fix here is to apply an ImageMagick policy file, that prevents the exploitable image formats from being used. Place this in the file /etc/ImageMagick/policy.xml.

<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <olicy domain="coder" rights="none" pattern="MSL" />
</policymap>

Update packages for ImageMagick will surely follow soon.

Want to subscribe to the cron.weekly newsletter?

I write a weekly-ish newsletter on Linux, open source & webdevelopment called cron.weekly.

It features the latest news, guides & tutorials and new open source projects. You can sign up via email below.

No spam. Just some good, practical Linux & open source content.