Full Report
Introduction: ImageMagick is hugely popular open source software that is used in a lot of systems around the world. It... Source: "Fuzzing ImageMagick and Digging Deeper into CVE-2020-27829", McAfee Blog.
Analysis Summary
# Vulnerability: ImageMagick Heap Out-of-Bounds Read in TIFF Processing (CVE-2020-27829)
## CVE Details
- CVE ID: CVE-2020-27829
- CVSS Score: not given in the source; the source describes the bug as a crash caused by reading past the end of an allocated heap buffer.
- CWE: not given in the source. The described behaviour (a read past a heap allocation) maps to CWE-125 (Out-of-bounds Read); CWE-122 (Heap-based Buffer Overflow) denotes an out-of-bounds write, which the source does not describe.
## Affected Systems
- Products: ImageMagick's TIFF decoder. The source reproduces the crash through the `magick` command-line tool, but any program that links the library and decodes TIFF input reaches the same code.
- Versions: versions before 7.0.46 (version string as given in the source).
- Configurations: any deployment that decodes TIFF files, in particular one that accepts them from untrusted sources.
## Vulnerability Description
The vulnerability is a heap out-of-bounds read triggered when ImageMagick decodes a specially crafted TIFF file. The `strip_pixels` buffer was sized as `2 * TIFFStripSize(tiff)`, which for the crafted input is only half of what the decoder goes on to read from that buffer, so the read continues past the end of the allocation into adjacent heap memory. Under AddressSanitizer this surfaces as a heap-buffer-overflow read; without instrumentation it is a crash when the read crosses into an unmapped page, and otherwise a silent read of neighbouring heap data.
## Exploitation
- Status: the crash was found by fuzzing and reproduced with a crafted TIFF file; the source reports no exploitation beyond the crash and no exploitation in the wild.
- Complexity: triggering the crash is low complexity once a crafted TIFF is in hand; turning an out-of-bounds read into anything more than a denial of service or a leak of adjacent heap bytes is not demonstrated in the source.
- Attack Vector: a file-parsing bug is conventionally scored as local (AV:L) with user interaction, but the realistic exposure is network-delivered input: web applications and services that hand uploaded or fetched images to ImageMagick decode attacker-controlled TIFF data with no user interaction at all.
## Impact
- Confidentiality: Moderate to High (bytes read past the allocation can end up in the decoded pixel data and so leak adjacent heap contents)
- Integrity: Low (the defect is an out-of-bounds read; no out-of-bounds write is described)
- Availability: High (crash of the decoding process, i.e. denial of service)
## Remediation
### Patches
- ImageMagick 7.0.46 (version as given in the source) changed the `strip_pixels` allocation so that the buffer is large enough for the data the decoder reads from it, closing CVE-2020-27829.
- *Note on subsequent issue:* after that patch the `memset` that zeroes `strip_pixels` still covered only part of the enlarged buffer, leaving the remainder as uninitialized heap data; this was fixed in a later commit: `https://github.com/ImageMagick/ImageMagick/commit/a5b64ccc422615264287028fe6bea8a131043b59#diff-0a5eef63b187504ff513056aa8fd6a7f5c1f57b6d2577a75cff428c0c7530978`. Deployments should run a build that includes this second fix as well, not only the first one.
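The sizing defect described under Vulnerability Description and the `memset` drift noted above are two instances of one pattern: the size of a heap buffer is written as an expression in more than one place, and the code that reads the buffer never checks against the size that was actually allocated. The C below is an added illustration written for this summary, not ImageMagick's or libtiff's code. `packed_strip_size` is an assumed stand-in for `TIFFStripSize()`, and the 768-byte working-space requirement in `main` is a constructed number, because the summary does not give the TIFF parameters that defeated the 2x bound.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-in for libtiff's TIFFStripSize() (not libtiff's code):
 * packed bytes in one strip = rows_per_strip * ceil(columns*samples*bits/8).
 * Returns 0 for an empty or overflowing geometry. */
size_t packed_strip_size(uint32_t columns, uint16_t samples_per_pixel,
                         uint16_t bits_per_sample, uint32_t rows_per_strip)
{
    uint64_t bits_per_row = (uint64_t)columns * samples_per_pixel * bits_per_sample;
    uint64_t scanline_bytes = (bits_per_row + 7) / 8;
    uint64_t total;

    if (scanline_bytes != 0 && rows_per_strip > UINT64_MAX / scanline_bytes)
        return 0;
    total = scanline_bytes * rows_per_strip;
    return total > SIZE_MAX ? 0 : (size_t)total;
}

/* Overflow-checked multiply: returns 1 and stores a*b, or 0 on overflow. */
int mul_checked(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

typedef struct {
    unsigned char *data;
    size_t extent;  /* the single size every user of 'data' must honour */
} strip_buffer;

/* Allocate and zero a strip buffer of strip_bytes * factor bytes.
 * One variable, 'extent', feeds malloc(), memset() and later bounds checks,
 * so the allocation and the zeroing cannot drift apart the way they did when
 * the memset was written as its own 2*TIFFStripSize() expression. */
int strip_buffer_init(strip_buffer *b, size_t strip_bytes, size_t factor)
{
    size_t extent;

    b->data = NULL;
    b->extent = 0;
    if (strip_bytes == 0 || factor == 0 || !mul_checked(strip_bytes, factor, &extent))
        return 0;
    b->data = malloc(extent);
    if (b->data == NULL)
        return 0;
    memset(b->data, 0, extent);
    b->extent = extent;
    return 1;
}

void strip_buffer_free(strip_buffer *b)
{
    free(b->data);
    b->data = NULL;
    b->extent = 0;
}

/* Bounds check every consumer must pass before touching data[offset, offset+len).
 * The original flaw had no such check: the reader trusted that 2*TIFFStripSize()
 * was enough and read past the allocation when it was not. */
int strip_buffer_in_bounds(const strip_buffer *b, size_t offset, size_t len)
{
    return b->data != NULL && offset <= b->extent && len <= b->extent - offset;
}

/* Copy 'len' bytes out of the strip buffer, or fail closed. Returns bytes copied. */
size_t strip_buffer_read(const strip_buffer *b, size_t offset, size_t len,
                         unsigned char *out)
{
    if (!strip_buffer_in_bounds(b, offset, len))
        return 0;
    memcpy(out, b->data + offset, len);
    return len;
}

/* Constructed scenario: a 4-row strip of 8-column, 4-sample, 16-bit pixels is
 * 256 packed bytes. If the decoder then needs 768 bytes of working space in the
 * same buffer (a constructed figure), a 2x buffer (512 bytes) is too small and
 * the guarded read refuses, where the unguarded original read out of bounds. */
int main(void)
{
    strip_buffer b;
    unsigned char out[1024];
    size_t strip = packed_strip_size(8, 4, 16, 4);
    size_t needed = 768;

    strip_buffer_init(&b, strip, 2);
    printf("2x extent %zu, read of %zu bytes %s\n", b.extent, needed,
           strip_buffer_read(&b, 0, needed, out) ? "ok" : "rejected");
    strip_buffer_free(&b);

    strip_buffer_init(&b, strip, 4);
    printf("4x extent %zu, read of %zu bytes %s\n", b.extent, needed,
           strip_buffer_read(&b, 0, needed, out) ? "ok" : "rejected");
    strip_buffer_free(&b);
    return 0;
}
```

The `strip_buffer_in_bounds` check is the same comparison AddressSanitizer makes at run time from its shadow memory; the difference is that the decoder itself fails closed in production builds, where a sanitizer is not present. Keeping a single `extent` next to the pointer is what prevents a later edit from enlarging the allocation while leaving an old `memset` or loop bound behind.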
### Workarounds
- Do not pass untrusted TIFF files to ImageMagick. Where TIFF support is not needed, disable the coder through ImageMagick's security policy (`policy.xml`: a `coder` domain entry with `rights="none"` for the `TIFF` pattern), which stops the TIFF decoder from being reached at all; `magick -list policy` shows the policy in effect.
- Isolate the decoder: run ImageMagick in a sandboxed, resource-limited, unprivileged process so that a crash or a leak is contained. Generic input sanitization cannot tell a crafted strip layout from a benign one, so upfront validation reduces exposure but does not substitute for the patch.
## Detection
- **Indicators:** segmentation faults or other abnormal termination of ImageMagick utilities (`magick`) or of applications linking the library while decoding TIFF input, and crash reports whose faulting frame lies in the TIFF coder.
- **Detection Methods and Tools:** build ImageMagick with AddressSanitizer (`-fsanitize=address`) and rerun the crashing file; ASAN reports the out-of-bounds read together with the allocation and access sites, which is how the fix is verified. A fuzzer such as AFL with TIFF seed files generates further test cases and confirms the fix holds. In production, monitor system logs for ImageMagick process terminations.
## References
- Vendor Advisories: none cited in the source; the analysis is derived from the McAfee researchers' write-up.
- Relevant Links:
- Initial fuzzing methodology: `https://www.mcafee.com/blogs/other-blogs/mcafee-labs/vulnerability-discovery-in-open-source-libraries-part-1-tools-of-the-trade/`
- Subsequent code fix: `https://github.com/ImageMagick/ImageMagick/commit/a5b64ccc422615264287028fe6bea8a131043b59#diff-0a5eef63b187504ff513056aa8fd6a7f5c1f57b6d2577a75cff428c0c7530978`