ImageMagick Vulnerability - CVE-2016-3714

Applies To

Zend Server

PHP Imagick extension

GNU / Linux

 

Summary

CVE-2016-3714, one of the vulnerabilities in ImageMagick, can lead to remote code execution (RCE) and the ability to render files on the local system. The vulnerability and its mitigation were published on the ImageMagick forum. For more information, refer to: ImageMagick vulnerability - CVE-2016-3714.

 

Solution

ImageMagick is not enabled by default, so the vulnerability does not affect Zend Server users out of the box. If you have ImageMagick enabled in your Zend Server's PHP, use the following procedure to check whether your server is vulnerable and, if it is, apply the provided patch to protect it.

Checking whether your server is vulnerable

1. Deploy the attached exploit.zpk to a sub-directory of your Web Server's document root, for example, http://localhost/exploit_test, using the Zend Server Deployment wizard.

2. Then browse the file image.php in the application, for example, http://localhost/exploit_test/image.php.

3. If you see a message in red, "Your server appears to be vulnerable...", your server is vulnerable to ImageMagick vulnerability CVE-2016-3714.

Mitigating the vulnerability

Based on the mitigation provided on the ImageMagick forum, we have created a patch. To apply the patch, follow the steps given below:

(in the commands given below, replace /PATH/TO/ with the actual absolute path of the file)

Zend Server 8.5.3 and earlier versions

1. Download the patch file config.diff.gz on your server (file attached to this article).
2. Execute the following commands in the terminal as 'root' or using 'sudo':

# cd /usr/local/zend/lib/ImageMagick-6.5.7/config
# cp policy.xml policy.xml_BAK
# gunzip /PATH/TO/config.diff.gz
# cat /PATH/TO/config.diff |patch -p1
# /usr/local/zend/bin/zendctl.sh restart

Note: If the "patch" command is not found, you may need to install it on your server. On RPM-based operating systems, execute "yum install patch"; on DEB-based operating systems, execute "apt-get install patch".

Zend Server 9

1. Download the patched policy.xml file on your server (file attached to this article).
2. Execute the following commands in the terminal as 'root' or using 'sudo':

# cp /PATH/TO/policy.xml /usr/local/zend/lib/ImageMagick-6.7.7/config
# /usr/local/zend/bin/zendctl.sh restart

Verifying the patch

1. Refresh the exploit test application's page image.php in the browser.

2. If you receive the message "Your server appears to be OK!", the patch has been applied successfully and your server is no longer vulnerable to ImageMagick vulnerability CVE-2016-3714.
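
To confirm the patched policy.xml on disk without the test application, the following script (an added example, not part of the Zend patch or this article's attachments) reports which coder deny rules are missing. It assumes the Zend patch uses the rules from the publicly documented CVE-2016-3714 mitigation (coders EPHEMERAL, URL, HTTPS, MVG, MSL, each written as a separate double-quoted rule); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report which coders from the published CVE-2016-3714
# mitigation lack an active deny rule in an ImageMagick policy.xml.
# Assumption: the Zend patch uses the same rules; adjust CODERS if it differs.
CODERS="EPHEMERAL URL HTTPS MVG MSL"

# Print FILE with XML comments removed, so commented-out rules do not count.
strip_comments() {
    awk '{
        line = $0; out = ""
        while (line != "") {
            if (in_c) {                       # inside a comment: look for its end
                i = index(line, "-->")
                if (i == 0) break
                line = substr(line, i + 3); in_c = 0
            } else {                          # outside: keep text up to "<!--"
                i = index(line, "<!--")
                if (i == 0) { out = out line; break }
                out = out substr(line, 1, i - 1)
                line = substr(line, i + 4); in_c = 1
            }
        }
        print out
    }' "$1"
}

# Print the coders with no active <policy domain="coder" rights="none"> rule.
missing_coders() {
    # One element per line, independent of line breaks and attribute order.
    rules=$(strip_comments "$1" | tr '\n' ' ' | tr '>' '\n' | grep '<policy' |
            grep 'domain="coder"' | grep 'rights="none"' || true)
    missing=""
    for c in $CODERS; do
        case "$rules" in
            *"pattern=\"$c\""*) ;;
            *) missing="$missing $c" ;;
        esac
    done
    echo $missing    # unquoted on purpose: trims the leading space
}

# Usage: sh check_policy.sh /usr/local/zend/lib/ImageMagick-6.7.7/config/policy.xml
if [ $# -gt 0 ]; then
    m=$(missing_coders "$1")
    if [ -z "$m" ]; then echo "OK: all deny rules present"
    else echo "MISSING deny rules for: $m"; exit 1; fi
fi
```

An empty result only shows that the rules are present in the file; the restart step above is still required for the running PHP processes to load them.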

Note

Our developers are aware of this vulnerability and we will include this mitigation in Zend Server 8.5.4 and 9.0.1. 
