CVE-2014-9843
📋 TL;DR
This vulnerability in ImageMagick's PSD file decoder allows remote attackers to execute arbitrary code or cause denial of service via specially crafted PSD files. It affects systems running vulnerable versions of ImageMagick that process untrusted PSD files, particularly web applications that use ImageMagick for image processing.
💻 Affected Systems
- ImageMagick
📦 What is this software?
ImageMagick by ImageMagick
Leap by openSUSE Project
openSUSE by openSUSE
SUSE Linux Enterprise Desktop by openSUSE Project
SUSE Linux Enterprise Server by openSUSE Project
SUSE Linux Enterprise Software Development Kit by openSUSE Project
SUSE Linux Enterprise Workstation Extension by openSUSE Project
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with the privileges of the ImageMagick process, potentially leading to complete system compromise.
Likely Case
Denial of service through application crashes or memory corruption, potentially leading to information disclosure.
If Mitigated
Limited impact if proper input validation and sandboxing are implemented, with only denial of service possible.
🎯 Exploit Status
Exploitation requires only a malicious PSD file, making it straightforward for attackers to craft payloads.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.8.9.10 and later
Vendor Advisory: http://www.ubuntu.com/usn/USN-3131-1
Restart Required: No
Instructions:
1. Update ImageMagick to version 6.8.9.10 or later.
2. For Linux systems: Use package manager (apt-get update && apt-get upgrade imagemagick).
3. For source compilation: Download latest version from ImageMagick.org and recompile.
🔧 Temporary Workarounds
Disable PSD format processing
Linux: Remove PSD format support from ImageMagick policy configuration
Edit /etc/ImageMagick/policy.xml and add, inside the <policymap> element: <policy domain="coder" rights="none" pattern="PSD" />
Input validation for uploaded files
All platforms: Reject PSD files at application level before ImageMagick processing
🧯 If You Can't Patch
- Implement strict file type validation to block all PSD files from being processed
- Run ImageMagick in a sandboxed/containerized environment with minimal privileges
🔍 How to Verify
Check if Vulnerable:
Check ImageMagick version: convert --version | head -1
Check Version:
convert --version | head -1
Verify Fix Applied:
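Verify version is 6.8.9.10 or higher (this pattern matches only 6.8.9-10 through 6.8.9-19, so later releases such as 6.9.x or 7.x will not print 'Patched'): convert --version | grep -q '6\.8\.9-1[0-9]' && echo 'Patched'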
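The version check above and the "reject PSD files at application level" workaround, as an added example that is not part of the original advisory. The function names are hypothetical, the version lines in the demo loop are constructed, and the PSD test relies on the format's `8BPS` file signature rather than the file extension, because ImageMagick selects its decoder from file content.

```shell
#!/bin/sh
# Added example, not from the advisory page or the ImageMagick project.

# Fixed upstream release named on the page (6.8.9.10): major minor patch build.
FIXED="6 8 9 10"

# im_version_patched "<first line of 'convert --version'>"
# Returns 0 if the upstream version is >= the fixed release,
# 1 if it is older, 2 if the line cannot be parsed.
im_version_patched() {
    ver=$(printf '%s\n' "$1" | sed -n \
        's/^Version: ImageMagick \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\)[-.]\([0-9][0-9]*\).*/\1 \2 \3 \4/p')
    [ -n "$ver" ] || return 2
    # Positional parameters: $1..$4 = installed version, $5..$8 = fixed version.
    set -- $ver $FIXED
    for pair in "$1:$5" "$2:$6" "$3:$7" "$4:$8"; do
        have=${pair%%:*}
        want=${pair##*:}
        [ "$have" -gt "$want" ] && return 0
        [ "$have" -lt "$want" ] && return 1
    done
    return 0   # identical to the fixed release
}

# is_psd <file>
# Returns 0 if the file starts with the PSD signature "8BPS", whatever its
# name or extension. Call this before handing an upload to ImageMagick.
is_psd() {
    sig=$(dd if="$1" bs=4 count=1 2>/dev/null | tr -d '\000')
    [ "$sig" = "8BPS" ]
}

# Demo on constructed version lines (not captured from a real host).
for line in \
    "Version: ImageMagick 6.8.9-9 Q16 x86_64" \
    "Version: ImageMagick 6.9.10-23 Q16 x86_64"
do
    if im_version_patched "$line"; then
        echo "patched:    $line"
    else
        echo "vulnerable: $line"
    fi
done
```

On a live host, pass `"$(convert --version | head -1)"` to `im_version_patched`. Distribution packages that backport the fix can report an older upstream version string, so for those confirm against the distribution's advisory instead.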
📡 Detection & Monitoring
Log Indicators:
- ImageMagick process crashes
- Segmentation faults in application logs
- Unusual memory usage patterns
Network Indicators:
- Uploads of PSD files to web applications
- Unusual outbound connections from ImageMagick processes
SIEM Query:
process_name:"convert" AND (event_type:crash OR memory_usage:spike)
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00011.html
- http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00018.html
- http://www.openwall.com/lists/oss-security/2016/06/02/13
- http://www.ubuntu.com/usn/USN-3131-1
- https://anonscm.debian.org/cgit/collab-maint/imagemagick.git/commit/?h=debian-patches/6.8.9.9-4-for-upstream&id=b8df15144d91a19ed545893ea492363635a1cb29
- https://bugzilla.redhat.com/show_bug.cgi?id=1343501