Vulnerability DatabaseCVE-2023-34152

CVE-2023-34152:
ImageMagick vulnerability analysis and mitigation

Overview

A remote code execution vulnerability (CVE-2023-34152) was discovered in ImageMagick's OpenBlob functionality when configured with --enable-pipes option. The vulnerability was reported on May 17, 2023, affecting ImageMagick versions up to (excluding) 7.1.1.11. This security flaw allows for shell command injection through malformed file names when the application is specifically configured with the --enable-pipes option (GitHub Issue).

Technical details

The vulnerability stems from an incomplete fix to CVE-2016-5118, where the SanitizeString function was added to filter malicious input before popen_utf8 execution. However, while SanitizeString filters out single quotes, it fails to properly sanitize backticks (`) and double quotes ("), allowing for shell command injection through specially crafted filenames. The vulnerability has received a CVSS v3.1 base score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

Impact

When exploited, this vulnerability could allow attackers to execute arbitrary commands on the system where ImageMagick is installed with the --enable-pipes configuration. This could lead to complete system compromise, including unauthorized access to sensitive data, system modification, and potential service disruption (Red Hat CVE).

Mitigation and workarounds

The primary mitigation is to avoid using the --enable-pipes configuration option, as it is considered a security risk by design. For systems requiring updates, ImageMagick version 7.1.1.11 and later contain fixes for this vulnerability. Additionally, Ubuntu and other distributions have noted that this vulnerability is not exploitable in their default configurations as the --enable-pipes option is not enabled by default (Ubuntu Security).

Community reactions

The security community has generally classified this as a significant vulnerability due to its high CVSS score, though its impact is limited by the requirement of a specific configuration option. Multiple Linux distributions, including Fedora and Red Hat, have issued security advisories and updates to address this vulnerability (Fedora Update).

Additional resources

Source: This report was generated using AI

9.8

Score

Published May 30, 2023

Severity CRITICAL

CNA Score 9.8

Affected Technologies

ImageMagick
Linux Debian

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 98.8

Exploitation Probability (EPSS) 74.5

Affected packages and libraries

imagemagick
ImageMagick-c++

Sources

Alpine Security Tracker
- Alpine 3.10, 3.13, 3.14, 3.15, 3.16, 3.17 Severity CRITICALNo FixAdded at: Dec 03, 2023
- Alpine 3.18, edge Severity CRITICALNo FixAdded at: Dec 04, 2024
Debian Security Tracker
- Debian 11, 12 Severity LOWNo FixAdded at: May 30, 2023
- Debian 13 Severity LOWNo FixAdded at: Jun 11, 2023
Homebrew
- Homebrew Severity CRITICALHas FixAdded at: Feb 12, 2024
Nix
- Nix Severity CRITICALHas FixAdded at: Oct 10, 2023
Photon Security Advisory
- Photon 3.0 Severity CRITICALHas FixAdded at: Jun 15, 2023
- Photon 4.0 Severity CRITICALHas FixAdded at: Jun 13, 2023
- Photon 5.0 Severity CRITICALHas FixAdded at: Jun 11, 2023
NVD
- Linux Severity CRITICALHas FixAdded at: Jun 10, 2023
- Windows Severity CRITICALHas FixAdded at: Jun 01, 2023