CIO News Hubb
Advertisement
  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact
No Result
View All Result
  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact
No Result
View All Result
CIO News Hubb
No Result
View All Result
Home Information Security

Researchers Uncover New Bugs in Popular ImageMagick Image Processing Utility

admin by admin
February 1, 2023
in Information Security


Feb 01, 2023Ravie LakshmananVulnerability

Cybersecurity researchers have disclosed details of two security flaws in the open source ImageMagick software that could potentially lead to a denial-of-service (DoS) and information disclosure.

The two issues, which were identified by Latin American cybersecurity firm Metabase Q in version 7.1.0-49, were addressed in ImageMagick version 7.1.0-52, released in November 2022.

A brief description of the flaws is as follows –

  • CVE-2022-44267 – A DoS vulnerability that arises when parsing a PNG image with a filename that’s a single dash (“-“)
  • CVE-2022-44268 – An information disclosure vulnerability that could be exploited to read arbitrary files from a server when parsing an image

That said, an attacker must be able to upload a malicious image to a website using ImageMagick so as to weaponize the flaws remotely. The specially crafted image, for its part, can be created by inserting a text chunk that specifies some metadata of the attacker’s choice (e.g., “-” for the filename).

ImageMagick Image Processing
ImageMagick Image Processing

“If the specified filename is ‘-‘ (a single dash), ImageMagick will try to read the content from standard input potentially leaving the process waiting forever,” the researchers said in a report shared with The Hacker News.

In the same manner, if the filename refers to an actual file located in the server (e.g., “/etc/passwd”), an image processing operation carried out on the input could potentially embed the contents of the remote file after it’s complete.

This is not the first time security vulnerabilities have been discovered in ImageMagick. In May 2016, multiple flaws were disclosed in the software, one of which, dubbed ImageTragick, could have been abused to gain remote code execution when processing user-submitted images.

A shell injection vulnerability was subsequently revealed in November 2020, wherein an attacker could insert arbitrary commands when converting encrypted PDFs to images via the “-authenticate” command line parameter.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
Previous Post

How to set up ongoing replication from your third-party secrets manager to AWS Secrets Manager

Next Post

Influentialleadership ~ Future of CIO

Related Posts

Information Security

Spyware Vendors Caught Exploiting Zero-Day Vulnerabilities on Android and iOS Devices

by admin
March 29, 2023
Information Security

How to use Amazon GuardDuty and AWS WAF v2 to automatically block suspicious hosts

by admin
March 29, 2023
Information Security

Microsoft Introduces GPT-4 AI-Powered Security Copilot Tool to Empower Defenders

by admin
March 28, 2023
Information Security

20-Year-Old BreachForums Founder Faces Up to 5 Years in Prison

by admin
March 27, 2023
Information Security

Microsoft Warns of Stealthy Outlook Vulnerability Exploited by Russian Hackers

by admin
March 26, 2023
Next Post

Influentialleadership ~ Future of CIO

Recommended

Innatelogicalfluency ~ Future of CIO

March 30, 2023

Spyware Vendors Caught Exploiting Zero-Day Vulnerabilities on Android and iOS Devices

March 29, 2023

How to use Amazon GuardDuty and AWS WAF v2 to automatically block suspicious hosts

March 29, 2023

Influencing ~ Future of CIO

March 29, 2023

Microsoft Introduces GPT-4 AI-Powered Security Copilot Tool to Empower Defenders

March 28, 2023

Illogic ~ Future of CIO

March 28, 2023

© CIO News Hubb All rights reserved.

Use of these names, logos, and brands does not imply endorsement unless specified. By using this site, you agree to the Privacy Policy and Terms & Conditions.

Navigate Site

  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact

Newsletter Sign Up

No Result
View All Result
  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact

© 2022 CIO News Hubb All rights reserved.