CVE-2014-9841
📋 TL;DR
This vulnerability in ImageMagick's PSD file parser allows remote attackers to execute arbitrary code or cause denial of service via specially crafted PSD files. It affects systems using vulnerable versions of ImageMagick to process untrusted image files, particularly web applications that allow image uploads.
💻 Affected Systems
- ImageMagick
📦 What is this software?
Imagemagick by Imagemagick
Leap by Opensuse Project
Opensuse by Opensuse
Suse Linux Enterprise Desktop by Opensuse Project
Suse Linux Enterprise Server by Opensuse Project
Suse Linux Enterprise Software Development Kit by Opensuse Project
View all CVEs affecting Suse Linux Enterprise Software Development Kit →
Suse Linux Enterprise Workstation Extension by Opensuse Project
View all CVEs affecting Suse Linux Enterprise Workstation Extension →
Ubuntu Linux by Canonical
Ubuntu Linux by Canonical
Ubuntu Linux by Canonical
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with the privileges of the ImageMagick process, potentially leading to complete system compromise.
Likely Case
Denial of service through application crashes when processing malicious PSD files.
If Mitigated
Limited impact if proper input validation and sandboxing are implemented.
🎯 Exploit Status
Exploitation requires only a malicious PSD file. No authentication needed if application accepts file uploads.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.8.9.10 and later
Vendor Advisory: http://www.openwall.com/lists/oss-security/2016/06/02/13
Restart Required: No
Instructions:
1. Update ImageMagick to version 6.8.9.10 or later. 2. For Linux: Use package manager (apt-get upgrade imagemagick, yum update imagemagick). 3. For source: Download latest version from ImageMagick.org and recompile.
🔧 Temporary Workarounds
Disable PSD format support
linuxRemove PSD format from ImageMagick's policy.xml to prevent processing of PSD files
sed -i '/pattern="PSD"/d' /etc/ImageMagick/policy.xml
echo '<policy domain="delegate" rights="none" pattern="PSD" />' >> /etc/ImageMagick/policy.xml
Implement file type validation
allReject PSD files at application level before passing to ImageMagick
🧯 If You Can't Patch
- Implement strict file upload validation to reject PSD files entirely
- Run ImageMagick in a sandboxed/containerized environment with minimal privileges
🔍 How to Verify
Check if Vulnerable:
Check ImageMagick version: convert --version | head -1Check Version:
convert --version | head -1Verify Fix Applied:
Verify version is 6.8.9.10 or higher: convert --version | grep -q '6.8.9-1[0-9]\|6.8.9-[2-9]\|6.8.[1-9][0-9]\|6.9\|7.' && echo 'Patched'📡 Detection & Monitoring
Log Indicators:
- ImageMagick process crashes
- Failed PSD file processing errors
- Unusual memory usage patterns
Network Indicators:
- Uploads of PSD files to web applications
- Unusual outbound connections from ImageMagick processes
SIEM Query:
process:convert AND (event_type:crash OR error_message:"PSD" OR memory_usage:>threshold)🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00011.html
- http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00018.html
- http://www.openwall.com/lists/oss-security/2016/06/02/13
- http://www.ubuntu.com/usn/USN-3131-1
- https://anonscm.debian.org/cgit/collab-maint/imagemagick.git/commit/?h=debian-patches/6.8.9.9-4-for-upstream&id=f9ef11671c41da4cf973d0d880af1cdfbd127860
- https://bugzilla.redhat.com/show_bug.cgi?id=1343499
- http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00011.html
- http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00018.html
- http://www.openwall.com/lists/oss-security/2016/06/02/13
- http://www.ubuntu.com/usn/USN-3131-1
- https://anonscm.debian.org/cgit/collab-maint/imagemagick.git/commit/?h=debian-patches/6.8.9.9-4-for-upstream&id=f9ef11671c41da4cf973d0d880af1cdfbd127860
- https://bugzilla.redhat.com/show_bug.cgi?id=1343499
