Library has somewhat of an image problem given history of serious bugs
A new tool enables developers to better protect themselves against vulnerabilities in popular file converter ImageMagick, which has suffered from various security holes in the past.
ImageMagick is used by websites to convert files and currently supports the conversion of more than 100 types.
While it has proven to be popular due to the sheer number of conversions it offers, the tool has also been subject to a number of critical security vulnerabilities over the years.
Two years later, Google Project Zero’s Tavis Ormandy published details of how supporting external programs can also leave ImageMagick vulnerable to RCE.
Then in 2020, researcher Alex Inführ found a shell injection vulnerability in ImageMagick, and in 2021 Synacktiv researchers demonstrated how they were able to achieve arbitrary file upload using known flaws in the library.
To protect users against these kinds of bugs, ImageMagick contains a security policy that can be customised by developers.
It’s “very tuneable policy mechanism” has options that adjust all the specific internal thresholds and features that the library can tolerate, Doyensec’s Lorenzo Stella, the tool’s author, told The Daily Swig.
Stella added, however, that the policy can cause confusion as it sometimes contains terms only people familiar with the library can recognize. “On top of that, not all the available options are listed on this page, so the code is often the only real documentation,” he said.
The new tool, called ImageMagick Security Policy Scanner, therefore enables users to evaluate the security policies on offer to determine which is right for them.
In a blog post released this week (January 10), Stella wrote: “Because of the number of available options and the need to explicitly deny all insecure settings, this is usually a manual task, which may not identify subtle bypasses which undermine the strength of a policy.
“It’s also easy to set policies that appear to work, but offer no real security benefit.
“The tool’s checks are based on our research aimed at helping developers to harden their policies and improve the security of their applications, to make sure policies provide a meaningful security benefit and cannot be subverted by attackers.”
CSP Evaluator similarities
The researcher said the tool is similar to Google’s CSP evaluator in that it can immediately identify any security gaps in a policy and is designed to be used by both auditors and developers.
Stella also added a guide that describes how developers can harden it even more in their environments, identify different commands, verify if the policy is enforced, and more.
He added: “It’s important to remember that securing an ImageMagick installation does not stop with setting a secure policy, but should be paired with a number of other defense-in-depth practices.
“To the best of my knowledge, this is the first tool of its kind for ImageMagick,” said Stella, who noted that the security team at ImageMagick added a reference to the tool to their security page.