07 May 2016

Agility with an Adversarial Approach – Deciphering the ImageMagick Vulnerability


A newly discovered vulnerability in the ImageMagick library has put millions of web servers at grave risk of exploitation. Social media websites, forums, hosting platforms, and a plethora of web applications that allow image uploads could become easy targets for attackers. Before an exploit for the ImageMagick vulnerability was publicly available, Synack reported the vulnerability to one of its clients, demonstrated its exploitability, and helped them triage and patch it. In cases such as this, continuous penetration testing with an adversarial mindset is instrumental in the agile discovery and remediation of new vulnerabilities.

What is ImageMagick?
ImageMagick is a widely used open source library for editing images in a variety of formats and applying advanced image-processing filters. Since ImageMagick offers interfaces for popular programming languages such as Ruby, Perl, Python and PHP, image upload tools on websites commonly use it to apply filters and convert uploaded images into the desired formats.

What kind of vulnerability was discovered within ImageMagick?
Recently, Nikolay Ermishkin and ‘Stewie’ discovered several vulnerabilities in ImageMagick that allow an attacker to trigger arbitrary code on a server, better known as remote code execution (RCE). These vulnerabilities stem from the ImageMagick library not sanitizing filenames on image uploads, thereby allowing an attacker to run a remote command by uploading a malformed image (CVE-2016-3714: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3714).

Why is this urgent?
Attackers can leverage this vulnerability for remote code execution on web servers whose image upload applications use the ImageMagick library. By uploading a malformed image to such a server, an attacker can run remote commands and gain control of it.
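The risk described above turns on a malformed file reaching the converter at all. The following is an added example, not code from the original post or from ImageMagick: a Python upload-side check, written for a hypothetical upload handler, that inspects the leading "magic bytes" of the uploaded content, accepts only an allowlist of plain raster formats, and refuses files whose declared extension disagrees with their content, so that a file which is only nominally an image is rejected before ImageMagick ever sees it. The sample uploads at the bottom are constructed for the demonstration.

```python
"""Validate uploaded image bytes before handing them to ImageMagick.

Added example (not from the original post). The handler names, signatures table
and sample uploads are assumptions made for the demonstration.
"""
import os

# Leading bytes of the raster formats this (hypothetical) upload handler accepts.
# Anything that does not start with one of these is refused outright.
MAGIC_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif87a": b"GIF87a",
    "gif89a": b"GIF89a",
}

# Extensions a client may declare for each format, and the one we store under.
ALLOWED_EXTENSIONS = {
    "png": {".png"},
    "jpeg": {".jpg", ".jpeg"},
    "gif87a": {".gif"},
    "gif89a": {".gif"},
}
CANONICAL_EXTENSION = {"png": ".png", "jpeg": ".jpg", "gif87a": ".gif", "gif89a": ".gif"}


def detect_format(data: bytes):
    """Return the allowlisted format whose signature starts the data, else None."""
    for name, signature in MAGIC_SIGNATURES.items():
        if data.startswith(signature):
            return name
    return None


def validate_upload(filename: str, data: bytes) -> str:
    """Return the canonical extension to store the file under, or raise ValueError.

    The client-supplied name is used only to cross-check the declared extension;
    the stored name itself should be generated server-side (e.g. a random id
    plus the returned extension), never copied from the upload.
    """
    fmt = detect_format(data)
    if fmt is None:
        raise ValueError("content does not start with an allowlisted image signature")
    declared = os.path.splitext(filename)[1].lower()
    if declared not in ALLOWED_EXTENSIONS[fmt]:
        raise ValueError(f"declared extension {declared!r} does not match {fmt} content")
    return CANONICAL_EXTENSION[fmt]


# Constructed sample uploads: three genuine-looking headers, one text file with
# an image extension, and one PNG body uploaded under a .gif name.
SAMPLE_UPLOADS = {
    "good.png": MAGIC_SIGNATURES["png"] + b"\x00" * 16,
    "photo.jpeg": MAGIC_SIGNATURES["jpeg"] + b"\xe0" + b"\x00" * 16,
    "anim.gif": MAGIC_SIGNATURES["gif89a"] + b"\x00" * 16,
    "notes.png": b"this is not an image\n",
    "mismatch.gif": MAGIC_SIGNATURES["png"] + b"\x00" * 16,
}


def run_samples() -> dict:
    """Run every constructed sample through validate_upload and summarise the outcome."""
    results = {}
    for name, data in SAMPLE_UPLOADS.items():
        try:
            results[name] = "accepted as " + validate_upload(name, data)
        except ValueError as exc:
            results[name] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print(f"{name:14s} {outcome}")
```

This check is the upload-side half of the mitigation that the public ImageTragick advisory recommended at the time (verify magic bytes; and, on the server, use ImageMagick's policy.xml to disable the coders the application does not need). It is deliberately strict: a rejected upload costs the user a retry, whereas an accepted malformed one reaches the converter.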

How has Synack helped one of its customers?
Researchers on the Synack Red Team (SRT) went to work as soon as word started to spread about the ImageMagick vulnerability. With minimal information about the vulnerability and time of the essence, the SRT set out to inspect all of Synack’s customers. Their goal was not just to find the ImageMagick vulnerability but, more importantly, to quickly identify any potential exploitability. Before the exploit code was publicly available, a researcher found this vulnerability at a Synack customer. For this customer, the researcher determined the exploitability of the vulnerability and immediately submitted a report containing detailed reproduction steps and a recommended fix. Synack Mission Ops triaged the vulnerability in under one hour; within a few hours, the customer patched the vulnerability and the researcher subsequently verified the patch. Thanks to the responsiveness of the SRT and Synack Mission Ops throughout the vulnerability lifecycle, the client was able to patch the ImageMagick vulnerability before most other security organizations were even aware of the problem.

How can organizations implement agile vulnerability discovery?
Both the time taken to discover a newly published vulnerability and the time taken to fix it are critical when dealing with highly exploitable vulnerabilities. Security Ops teams must also understand and prioritize new vulnerabilities based on how exploitable they are, and move through mitigation and remediation with lightning speed. Relying solely on automated scanners to uncover newly published vulnerabilities doesn’t solve the problem, since scanners can only leverage known signatures. Even with the latest signatures present, a scanner can merely indicate that you are potentially vulnerable; it can’t provide any information about actual exploitability. An adversarial approach that pairs the world’s best hacking talent with technology should form the underpinnings of your penetration testing program. By continuously monitoring your applications and infrastructure for exploitable vulnerabilities, this approach helps security ops teams stay ahead of the game while minimizing risk for the organization.
