Several ImageMagick Vulnerabilities Addressed in Ubuntu

Rohan Timalsina

March 27, 2024 - TuxCare expert team

ImageMagick, a popular image manipulation program and library, has been exposed to several vulnerabilities that could leave your system vulnerable to denial-of-service (DoS) attacks. In response, the Ubuntu security team has promptly released security updates to address these issues across various Ubuntu releases. Let’s delve into the details of these vulnerabilities and their mitigation measures.

Affected Ubuntu Releases

The vulnerabilities impact several Ubuntu releases, including:

ImageMagick Vulnerabilities Overview

Memory Handling Vulnerabilities (CVE-2022-28463, CVE-2022-32545, CVE-2022-32546, CVE-2022-32547)

These vulnerabilities involve ImageMagick incorrectly handling memory under certain circumstances. If a user is lured into opening a specially crafted image file, attackers could exploit these flaws to trigger a denial of service or other unspecified impacts. Notably, this issue only affects Ubuntu 20.04 LTS.

Memory Handling Vulnerabilities (CVE-2021-3610, CVE-2023-1906, CVE-2023-3428)

Similar to the previous vulnerabilities, these stem from ImageMagick’s mishandling of memory. Opening a specifically crafted image file could lead to denial of service or other impacts. This issue affects Ubuntu 22.04 LTS, Ubuntu 22.10, and Ubuntu 23.04.

SVG Processing Vulnerability (CVE-2023-1289)

This vulnerability arises from ImageMagick incorrectly handling certain values when processing SVG files. By tricking a user into opening a specially crafted SVG file, attackers can crash the application, causing a denial of service. This issue affects Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 22.10, and Ubuntu 23.04.

Memory Handling Vulnerability (CVE-2023-3195)

ImageMagick’s improper memory handling under specific circumstances, especially when dealing with TIFF files, poses a risk. Opening a crafted TIFF file could lead to a denial of service or other unspecified impacts. This vulnerability affects Ubuntu 22.04 LTS, Ubuntu 22.10, and Ubuntu 23.04.

General Image File Vulnerability (CVE-2023-34151)

Lastly, another memory handling issue in ImageMagick could be exploited if a user opens a manipulated image file. This could result in a denial of service or other unspecified impacts. This vulnerability affects all Ubuntu versions mentioned earlier.

More vulnerabilities have been fixed in this security update, which you can find on the Ubuntu Security Notice.

Staying Secure: Essential Measures

Thankfully, the Ubuntu security team has provided security patches that fix these issues. Here’s what you should do to ensure your system is protected:

Update Ubuntu: To install the security patches and upgrade your system, run the following command in your terminal:

sudo apt update && sudo apt upgrade

Exercise Caution: Avoid opening untrusted image files, especially if it is from unknown sources.

Extended Security Support: As Ubuntu 16.04 and 18.04 have reached end of life, they no longer receive security updates without an Ubuntu Pro subscription. Alternatively, TuxCare’s Extended Lifecycle Support offers affordable security solutions, providing vendor-grade patches for five years after end of life. The ELS pricing is low as $42.50 per year or $4.25 per month for each system.

Conclusion

Given the severity of these vulnerabilities, users are strongly advised to update their systems with the latest security patches provided by Ubuntu. Additionally, exercising caution when handling image files from untrusted sources can mitigate the risk of exploitation. By staying informed and proactive, users can help safeguard their systems against potential threats posed by ImageMagick vulnerabilities.

Source: USN-6200-1

Summary