CVE-2016-3714
Published: 05 May 2016
Summary
CVE-2016-3714 is a high-severity Improper Input Validation (CWE-20) vulnerability in Canonical Ubuntu Linux. Its CVSS base score is 8.4 (High).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Deeper analysis
The vulnerability tracked as CVE-2016-3714, also known as ImageTragick, is an input validation flaw (CWE-20) present in multiple coders within ImageMagick versions prior to 6.9.3-10 and 7.x prior to 7.0.1-1. Specifically, the EPHEMERAL, HTTPS, MVG, MSL, TEXT, SHOW, WIN, and PLT coders fail to sanitize shell metacharacters when processing image files, enabling arbitrary command execution.
Remote attackers can exploit the issue by supplying a specially crafted image that triggers one of the affected coders during processing. Successful exploitation grants the ability to execute arbitrary code on the target system with the privileges of the ImageMagick process, corresponding to a CVSS 3.1 base score of 8.4.
Advisories and patches referenced in the ImageMagick ChangeLog and multiple openSUSE security announcements address the flaw through updated packages that restrict or sanitize the vulnerable coders.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2016-4735
Vulnerability details
The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka "ImageTragick."
- CWE(s): CWE-20 (Improper Input Validation)
- KEV Date Added: 09 September 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of untrusted image input to block shell metacharacters in the affected coders.
- CM-7 (Least Functionality): enforces disabling or restricting the vulnerable EPHEMERAL/HTTPS/MVG/etc. coders so they cannot be invoked on crafted images.
- Mandates timely application of patches that sanitize or remove the flawed coders in ImageMagick < 6.9.3-10 / 7.0.1-1.
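The CM-7 control above is implemented in practice by denying the affected coders in ImageMagick's policy.xml. The following script is an added example for this page (not code from the CVE record or from the ImageMagick project): it embeds a constructed weak policy beside a constructed hardened one, and checks any policy.xml for coders among the eight named in the CVE that no rights="none" entry covers. It assumes the stock policy.xml layout (a policymap root with policy elements carrying domain, rights and pattern attributes) and that patterns are globs, optionally in the brace-set form newer releases accept; the file path is whatever the caller supplies.

```python
"""Check an ImageMagick policy.xml for the coder restrictions used against
CVE-2016-3714 (ImageTragick).

Added example; not code from the CVE record or the ImageMagick project.
Assumptions: policy.xml has a <policymap> root holding
<policy domain="..." rights="..." pattern="..."/> entries, rights="none" on
domain="coder" disables the coder, and patterns are globs, optionally written
as a brace set such as {MVG,MSL}. The two sample policies are constructed.
"""
import fnmatch
import sys
import xml.etree.ElementTree as ET

# The eight coders named in the CVE description.
IMAGETRAGICK_CODERS = ("EPHEMERAL", "HTTPS", "MVG", "MSL",
                       "TEXT", "SHOW", "WIN", "PLT")

# Constructed sample: a policy that leaves every coder enabled (weak setting).
WEAK_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>
"""

# Constructed sample: the same file with the eight coders denied.
HARDENED_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="HTTPS"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
  <policy domain="coder" rights="none" pattern="TEXT"/>
  <policy domain="coder" rights="none" pattern="SHOW"/>
  <policy domain="coder" rights="none" pattern="WIN"/>
  <policy domain="coder" rights="none" pattern="PLT"/>
</policymap>
"""


def _expand_pattern(pattern: str) -> list:
    """Turn a brace set like {MVG,MSL} into ["MVG", "MSL"]; pass others through."""
    pattern = pattern.strip()
    if pattern.startswith("{") and pattern.endswith("}"):
        return [p.strip() for p in pattern[1:-1].split(",") if p.strip()]
    return [pattern]


def denied_coder_patterns(policy_xml: str) -> list:
    """Return every glob pattern the policy denies outright on the coder domain."""
    root = ET.fromstring(policy_xml)
    patterns = []
    for pol in root.iter("policy"):
        if pol.get("domain") != "coder":
            continue
        if pol.get("rights", "").strip().lower() == "none":
            patterns.extend(_expand_pattern(pol.get("pattern", "")))
    return patterns


def unrestricted_coders(policy_xml: str, coders=IMAGETRAGICK_CODERS) -> list:
    """Return the coders from `coders` that no rights="none" pattern matches.

    Assumption: matching is case-insensitive, so both sides are upper-cased
    before the glob comparison.
    """
    denied = [p.upper() for p in denied_coder_patterns(policy_xml)]
    return [c for c in coders
            if not any(fnmatch.fnmatchcase(c.upper(), p) for p in denied)]


def check_policy_file(path: str) -> list:
    """Load a policy.xml from disk and report still-enabled ImageTragick coders."""
    with open(path, encoding="utf-8") as fh:
        return unrestricted_coders(fh.read())


if __name__ == "__main__":
    # Usage: python check_policy.py [/path/to/policy.xml]
    # With no path, the two constructed samples are checked instead.
    if len(sys.argv) > 1:
        gaps = check_policy_file(sys.argv[1])
        print("coders still enabled:", gaps)
    else:
        print("weak sample leaves enabled:", unrestricted_coders(WEAK_POLICY))
        gaps = unrestricted_coders(HARDENED_POLICY)
        print("hardened sample leaves enabled:", gaps)
    sys.exit(1 if gaps else 0)
```

A non-empty result means at least one of the eight coders can still be reached from a crafted image; an empty result only shows the policy file is right, not that the running ImageMagick build reads that file, so confirm the path in use on the host before relying on it.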