CVE-2016-3718
Published: 05 May 2016
Summary
CVE-2016-3718 is a medium-severity SSRF (CWE-918) vulnerability in Red Hat Enterprise Linux EUS. Its CVSS base score is 5.5 (Medium).
Operationally, it is ranked in the top 0.5% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and AC-4 (Information Flow Enforcement).
Deeper analysis
The vulnerability is an instance of server-side request forgery (SSRF), tracked as CWE-918, that affects the HTTP and FTP coders in ImageMagick versions prior to 6.9.3-10 and 7.x prior to 7.0.1-1. It is triggered when these coders process a specially crafted image file and carries a CVSS 3.1 base score of 5.5.
An attacker can supply the malicious image to any application or workflow that uses the vulnerable ImageMagick library for decoding. Successful exploitation allows the attacker to induce the ImageMagick process to issue arbitrary HTTP or FTP requests to internal or external resources, potentially bypassing network controls or accessing services reachable from the host running ImageMagick.
The referenced ImageMagick changelog and multiple openSUSE security advisories address the issue by releasing updated packages that disable or restrict the HTTP and FTP coders by default and correct the underlying request-handling logic.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2016-4739
Vulnerability details
The (1) HTTP and (2) FTP coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted image.
- CWE(s): CWE-918
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- CM-7 (Least Functionality): Directly mitigates by disabling or restricting the HTTP and FTP coders that trigger the SSRF when processing crafted images.
- AC-4 (Information Flow Enforcement): Enforces information flow rules to block the arbitrary outbound HTTP/FTP requests initiated by the vulnerable coders.
- Requires validation of image inputs to reject malformed files that embed SSRF payloads before the coders process them.
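The "disable or restrict the HTTP and FTP coders" mitigation described in the Deeper analysis and under CM-7 above is implemented in ImageMagick through its security policy file, policy.xml. The fragment below is an added example written for this page, not a file shipped by ImageMagick or by any distribution; the install path is an assumption (Debian-style systems place it under /etc/ImageMagick-6/ or /etc/ImageMagick-7/, other builds differ), and the policy entries go inside the `<policymap>` element of the file the package already ships.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: hardened ImageMagick policy.xml fragment for CVE-2016-3718.
     Path is an assumption; on many Linux systems the live file is
     /etc/ImageMagick-6/policy.xml or /etc/ImageMagick-7/policy.xml.
     Weak setting: the default policy of an unpatched build leaves the
     network coders enabled, so a crafted image can make the process fetch
     http:// and ftp:// resources reachable from the host. -->
<policymap>
  <!-- Corrected setting: deny all rights to the coders that perform
       network fetches. "URL" is the generic coder that dispatches to
       HTTP/HTTPS/FTP, so it is denied alongside the protocol-specific ones. -->
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="HTTP" />
  <policy domain="coder" rights="none" pattern="FTP" />
</policymap>
```

To confirm the policy is the one ImageMagick actually loaded, run `identify -list policy` (or `magick -list policy` on 7.x) as the same user and in the same environment as the image-processing service; the four coder entries should be listed with rights "None". A subsequent attempt to read a network URL is then refused with an error stating the operation is not allowed by the security policy, which is the behaviour to look for when verifying the control on a host that cannot yet take the fixed package. This restricts the coder paths named on this page; it does not replace upgrading to 6.9.3-10 / 7.0.1-1 or later, which corrects the underlying request-handling logic.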