#VU19185 Division by zero in ImageMagick


| Updated: 2019-09-13

Vulnerability identifier: #VU19185

Vulnerability risk: Medium

CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-13454

CWE-ID: CWE-369

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ImageMagick
Client/Desktop applications / Multimedia software

Vendor: ImageMagick.org

Description
The vulnerability allows a remote attacker to cause a denial of service (DoS) condition on a system.

The vulnerability exists due to a divide-by-zero condition in the "RemoveDuplicateLayers" function, as defined in the "MagickCore/layer.c" file. A remote attacker can make calls on the targeted system and cause a DoS condition.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

ImageMagick: 7.0.8-54


External links
http://github.com/ImageMagick/ImageMagick/commit/1ddcf2e4f28029a888cadef2e757509ef5047ad8
http://github.com/ImageMagick/ImageMagick/issues/1629
http://github.com/ImageMagick/ImageMagick6/commit/4f31d78716ac94c85c244efcea368fea202e2ed4


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.


Latest bulletins with this vulnerability