#VU19185 Division by zero in ImageMagick


Published: 2019-07-15 | Updated: 2019-09-13

Vulnerability identifier: #VU19185

Vulnerability risk: Medium

CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-13454

CWE-ID: CWE-369

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ImageMagick
Client/Desktop applications / Multimedia software

Vendor: ImageMagick.org

Description
The vulnerability allows a remote attacker to cause a denial of service (DoS) condition on a system.

The vulnerability exists due to a divide-by-zero condition in the "RemoveDuplicateLayers" function, as defined in the "MagickCore/layer.c" file. A remote attacker can make calls on the targeted system and cause a DoS condition.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

ImageMagick: 7.0.8-54

External links
http://github.com/ImageMagick/ImageMagick/commit/1ddcf2e4f28029a888cadef2e757509ef5047ad8
http://github.com/ImageMagick/ImageMagick/issues/1629
http://github.com/ImageMagick/ImageMagick6/commit/4f31d78716ac94c85c244efcea368fea202e2ed4

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.


Latest bulletins with this vulnerability


Amazon Linux AMI update for ImageMagick
Amazon Linux AMI update for php54-pecl-imagick
Amazon Linux AMI update for php56-pecl-imagick
Amazon Linux AMI update for php55-pecl-imagick
Amazon Linux AMI update for php70-pecl-imagick
Amazon Linux AMI update for php71-pecl-imagick
Amazon Linux AMI update for php72-pecl-imagick
Debian update for imagemagick
OpenSUSE Linux update for ImageMagick
Denial of service in ImageMagick