(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


On Tuesday 2016-05-03, we started seeing reports about a vulnerability for a cross-platform suite named ImageMagick [1, 2, 3]. This new vulnerability has been nicknamed ImageTragick and has its own website. Apparently, the vulnerability will be assigned to CVE-2016-3714. It wasnt yet on mitre.orgs CVE site when I wrote this diary.

Johannes Ullrich already discussed this vulnerability in yesterdays ISC StormCast for 2016-05-04, but theres been more press about it. Should ImageTragick get even more coverage? Heck, I" />
Shown above: For a vulnerability logo so new, that wizard looks so old.


Many servers hosting social media sites, blogs, and content management systems (CMS) rely on ImageMagick-based processing so they can resize images uploaded by end users. This has the potential to affect a great deal of servers. How many? The reports weve seen list the number of potential targets in vague terms, using words like large, huge, or countless.

ImageMagick has proposed a configuration solution, but no actual software patch or product update has been announced yet. We might see an official update from ImageMagick this coming weekend [4].

At least one proof of concept (PoC) exploit has already been developed [5]. Many expect to see CVE-20163714 exploits in the wild soon. This provides yet another opportunity for criminal groups to conduct automated scans searching for vulnerable servers world-wide. Such automated scans have been responsible for compromising thousands of websites in recent years running software like Wordpress, Joomla, and many other potentially vulnerable applications.

Meanwhile, social media reveals the same type of mixed reactions we" />
Shown above: Discussion about using ImageTragick as a nickname on Twitter.

Final words

Do you have any comments on this current vulnerability? Has anyone seen CVE-20163714 being exploited in the wild yet? Any thoughts on the use of vulnerability nicknames and logos? If so, feel free to leave a comment.

Brad Duncan
brad [at] malware-traffic-analysis.net


[1] http://www.openwall.com/lists/oss-security/2016/05/03/18
[2] http://arstechnica.com/security/2016/05/easily-exploited-bug-exposes-huge-number-of-sites-to-code-execution-attacks/
[3] https://blog.sucuri.net/2016/05/imagemagick-remote-command-execution-vulnerability.html
[4] http://www.securityweek.com/attackers-exploit-critical-imagemagick-vulnerability
[5] https://twitter.com/Viss/status/727613890020806656

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
We are immersed in a cyber-physical world. Information technology is deeply embedded in traditionally non-IT systems, including automobiles, the electric grid and emergency response. But in many of these systems, security is largely ...

Onapsis Announces Scott Crawford of 451 Ventures as Keynote Speaker for Annual North American Roadshow Series
GlobeNewswire (press release)
Beginning in June, the Onapsis Roadshow Series will span across four major cities to foster collaboration between InfoSec and SAP security industry professionals on SAP cybersecurity best practices. "I'm honored to be selected as Onapsis' keynote ...

and more »
APPLE-SA-2016-05-03-1 Xcode 7.3.1

Onapsis Selected as Finalist for the Cybersecurity Excellence Awards
GlobeNewswire (press release)
Finalists are recognized for their achievements in the cybersecurity startup space and for providing superior security products and services to the information security industry. Finalists and winners are published on the Cybersecurity Excellence ...

and more »

(credit: Sean MacEntee)

Microsoft plans to retire support for TLS certificates signed by the SHA1 hashing algorithm in the next four months, an acceleration brought on by new research showing it was even more prone to cryptographic collisions than previously thought.

The software maker hinted at the expedited deprecation in November. Last week, it made those plans official. Sometime this summer (for those in the Northern Hemisphere, anyway) the general release versions of Microsoft's Edge and Internet Explorer browsers will stop displaying the address bar lock when visiting HTTPS sites protected by SHA1 certificates. The change will occur even sooner for upcoming Windows Insider Preview builds, which are mostly used by developers for testing purposes.

"This update will be delivered to Microsoft Edge on Windows 10 and Internet Explorer 11 on Windows 7, Windows 8.1 and Windows 10, and will only impact certificates that chain to a CA in the Microsoft Trusted Root Certificate program," officials in the Microsoft Edge Team wrote. "Both Microsoft Edge and Internet Explorer 11 will provide additional details in the F12 Developer Tools console to assist site administrators and developers."

Read 3 remaining paragraphs | Comments

Cisco Security Advisory: Cisco FirePOWER System Software Packet Processing Denial of Service Vulnerability
Cisco Security Advisory: Cisco TelePresence XML Application Programming Interface Authentication Bypass Vulnerability
Cisco Security Advisory: Cisco Adaptive Security Appliance with FirePOWER Services Kernel Logging Denial of Service Vulnerability
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

SANS San Antonio InfoSec Training Event to Discuss Lessons Learned from the Ukrainian Power Grid Attack
PR Newswire (press release)
BETHESDA, Md., May 4, 2016 /PRNewswire-USNewswire/ -- SANS Institute, the global leader in information security training, today announced the agenda for its San Antonio 2016 InfoSec training event taking place July 18-23. Included on the agenda is a ...

and more »

LockPath Joins Cloud Security Alliance
Marketwired (press release)
As a framework, the CSA CCM provides organizations with the structure, detail and clarity required for tailoring information security to the cloud industry. LockPath will also provide CSA's Consensus Assessments Initiative Questionnaire (CAIQ), which ...

and more »

(credit: Instagram)

A 10-year-old schoolboy from Finland has become the youngest recipient of a £7,000 ($10,000) award under Facebook's bug bounty program, after he found a vulnerability that allowed anyone to delete comments on Instagram simply by planting malicious code into the photo-sharing app.

Jani—who at the tender age of 10 is considered too young to use Facebook by the company's own rules—outshines an unnamed 13-year-old cyber enthusiast, who once held the title of the youngest person to receive a bug bounty reward from the free content ad network.

In fact, the Finnish kid might well be the youngest publicly acknowledged bounty hunter—a title that appeared to have been previously held by Alex Miller from California, who received £2,000 from Mozilla back in 2010 at the age of 12.

Read 6 remaining paragraphs | Comments


SYS-CON Media (press release)

LockPath Joins Cloud Security Alliance
SYS-CON Media (press release)
LockPath is a market leader in corporate governance, risk management, regulatory compliance (GRC) and information security (InfoSec) software. The company's flexible, scalable and fully integrated suite of applications is used by organizations to ...

and more »

Payment Data Security | @CloudExpo #BigData #DataCenter #Storage #InfoSec
SYS-CON Media (press release)
The EMV liability shift that began in October 2015 is likely to reduce card present payment card fraud. That's a double-edged sword for retailers with an online presence and those who accept mobile payments, as fraudsters are seeking easier routes to ...

and more »
CVE-2016-2784: CMS Made Simple < 2.1.3 & < 1.12.2 Web server Cache Poisoning
Internet Storm Center Infocon Status