-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
cPanel Security Team - CVE-2016-3714 ImageMagick
Background Information
On Tuesday, May 3 2016, ImageMagick announced a vulnerability in all versions of the ImageMagick software. ImageMagick is a software
package commonly used by web services to process images.
Impact
One of the reported vulnerabilities can potentially be exploited for remote code execution (RCE).
Releases
ImageMagick has not released a fix, but plans to publish a new version of ImageMagic with the fixes soon. cPanel normally releases all builds at once in order to limit the ability to reverse engineer fixes. However, this vulnerability is already wildly known and we have seen reports of its use. In this instance, we plan to release builds as soon as they become available.
At this time the following builds are available:
11.56 11.56.0.13
EDGE 11.55.9999.193
CURRENT 11.56.0.13
RELEASE 11.56.0.13
How to determine if your server is up to date
The updated RPMs provided by cPanel will contain a changelog entry with a CVE number. To view this changelog entry run the following command:
rpm -q --changelog cpanel-ImageMagick | grep CVE-2016-3714
The output should resemble below:
- - - Apply workaround for CVE-2016-3714
What to do if you are not up to date
If your server is not running one of the above versions, update immediately.
To upgrade your server, navigate to WHM's Upgrade to Latest Version interface (Home >> cPanel >> Upgrade to Latest Version) and click 'Click to Upgrade'.
To upgrade cPanel from the command line run the following commands:
/scripts/upcp
/scripts/check_cpanel_rpms --fix --long-list
To verify the new cpanel-ImageMagick RPM was installed run the following command:
rpm -q --changelog cpanel-ImageMagick | grep CVE-2016-3714
The output should resemble the following:
- - - Apply workaround for CVE-2016-3714
Manual mitigation
We will publish builds for 11.54, 11.52 and 11.50 as soon as they become available. For 11.54, 11.52, and 11.50, you can manually mitigate this vulnerability with the following instructions.
Open the following file:
/usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml
Update the file to match the policy example below to disable the EPHEMERAL, URL, HTTPS, MVG, and MSL coders:
How to mitigate the vulnerability for other ImageMagick installations
If you have a local installation of ImageMagick, we recommend that you use a policy file to disable the vulnerable ImageMagick coders. We will attempt use the WHM Autofixer to update the policy.xml file. The global policy for ImageMagick is usually found in the /etc/ImageMagick/policy.xml file. The following policy.xml example disables the coders EPHEMERAL, URL, HTTPS, MVG, and MSL:
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3714
Disclosure: https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCgAGBQJXKgHoAAoJEJUhvtyr2U3fccgP/3/zMlwsKDxaC2IjhYRhcJKJ
0reKxIngsDBs6sWcEm30spT4RYXk+wX0A3OmhGCZcNP7pjHoIMQlXswaGazJON/p
GidlTmtyS0ypfolF8+gh8Rl3wy561ylG54+91/yN0RXH6KC3Eal+JBh5pCQ6y7aX
O0H8u4U0EsuhazMFD80PyCCORlc1teKAAQciQ28FitJO8jo7JuGCnMsfUB4hAaUU
WHbScNyw5WtocTxQK8k8bZoYRMI6Tqyou9eeNg4HsVB/W4cgEDXi7kdGYBX7hV/v
Zv9jOAYMr+B1qlwQtUTE+Lvg0ITX7t+bdZPyeAYolIsxFLroa2mJt3MwQhTtQhmr
OfbcYNw5bJZQt0cry5d0ZS68QHyg1yJzJ2LXQstzTB8eYkHN+Y38uJXWNmmQqzop
w/f+lxqxVSGedCdodQ7CyTPT4MDWXGA4056qvX0aPMzY0diPs4MeToXFhSq3xA/H
ohKlcIYxwXwwkMGMBpaNi4GYvWYT3X4/KNhcXV+bfradAWL7+6grOQHGlyhEbqWz
EY5uQXDpfHt7i8Wwg9DaV710cjzS6KnC1oi/aXG9P6z9hQf86t2oPFyQosxww+9W
43HJ7Quhup0U0kfia+X2cu2O61TFti15C8/z409so8xPxKHiExg+LDUD2sVFJVE2
hlfPSELDZtpojHcfcI4d
=UCdo
-----END PGP SIGNATURE-----