ImageMagick vulnerability

How Halo can help with the ImageMagick vulnerability

emily gladstone cole / 05.11.16

Last week, a serious vulnerability, CVE-2016-3714, was announced in ImageMagick, software commonly used on websites to manipulate images. The vulnerability was discovered on *NIX-based operating systems. The vulnerability, nicknamed ImageTragick, could potentially allow Remote Code Execution (RCE) if the server processes user-submitted malicious images.  See the NIST vulnerability summary or other external analysis to learn more about this vulnerability and its real-world impact.

By using CloudPassage Halo, you can quickly find out which of your servers have this vulnerability using the Filters feature of the Servers tab in your Halo portal, or using the Halo API.

Using the Halo v2 UI to find vulnerable servers

First, to make sure you have an accurate picture of your environment, you’ll want to run a fresh scan on your servers from the Servers tab within the Environment section. Select all of your servers and click “New -> Scan” from the Actions menu. Your scan should be completed within a few minutes.

imagemagick vulnerability

Once you have run your scans, look at the Filters box at the top of the page.

imagemagick vulnerability

Type package_name=ImageMagick into the Filters box and press Return. You’ll get a list of servers that match the filter you have entered.  In this case, it will be the servers that have this software installed.

imagemagick vulnerability

Now there are 3 servers listed here, instead of the 160 previously shown, since those 3 are the that have the ImageMagick software installed.

For more information about using Filters, please see our documentation.

Using the Halo API to find vulnerable servers

Since this is a recently-released vulnerability, you’ll want to run a fresh scan on your servers from the Servers tab within the Environment section, or run the script that was posted on GitHub to launch new scans across all servers.

Once your scans have completed, make this simple call:

GET https://api.cloudpassage.com/v1/servers?package_name=ImageMagick

Note: This call will only return active servers by default – to get servers in a different state like “deactivated”, specify the state (/v1/servers?state=deactivated&package_name=ImageMagick)

Your list of servers will be returned in JSON format. If you’d prefer the list of servers in CSV format, simply append .csv to “servers”:

GET https://api.cloudpassage.com/v1/servers.csv?package_name=ImageMagick

For more information about what filters are available for the servers endpoint, please see our API Documentation. If you have used the script on GitHub to find vulnerable CVEs on your servers, you can still use that as well.

Using a custom CSM policy to find vulnerable servers

Patches for this vulnerability are still being released and may not yet be available. However, if you’re using Halo you can still protect yourself. CloudPassage has created a custom CSM policy that you can use to detect vulnerable ImageMagick configurations.  Please consult your Sales Engineer or Customer Success to obtain a copy of the policy to import and apply to your servers.