CVE-2019-13135

8.8 HIGH

📋 TL;DR

This vulnerability in ImageMagick's CUT image decoder allows attackers to trigger a use of uninitialized value, potentially leading to memory corruption, crashes, or arbitrary code execution. It affects any system using vulnerable versions of ImageMagick to process CUT image files. The vulnerability is particularly dangerous in web applications that allow image uploads.

💻 Affected Systems

Products:
  • ImageMagick
Versions: All versions before 7.0.8-50 (ImageMagick 7) and before 6.9.10-50 (ImageMagick 6)
Operating Systems: All operating systems running vulnerable ImageMagick versions
Default Config Vulnerable: ⚠️ Yes
Notes: Any application or service that uses ImageMagick to process CUT format images is vulnerable. This includes web applications, document processing systems, and image conversion tools.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution with the privileges of the ImageMagick process, potentially leading to complete system compromise.

🟠 Likely Case: Denial of service through application crashes or memory corruption leading to unstable behavior.

🟢 If Mitigated: Limited impact if proper input validation and sandboxing are implemented, with crashes contained to the ImageMagick process.

🌐 Internet-Facing: HIGH - Web applications processing user-uploaded images are directly exposed to exploitation attempts.
🏢 Internal Only: MEDIUM - Internal systems processing CUT images could be vulnerable, but attack surface is more limited.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting a malicious CUT image file. Because the flaw sits in the decoder itself, simply getting the crafted file decoded (for example through an image upload that ImageMagick converts or resizes) is enough to reach it; no further interaction is needed. Proof-of-concept code exists in the GitHub issue tracker.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ImageMagick 7.0.8-50 or later, ImageMagick 6.9.10-50 or later

Vendor Advisory: https://github.com/ImageMagick/ImageMagick/issues/1599

Restart Required: No

Instructions:

1. Update ImageMagick to version 7.0.8-50 or later (or 6.9.10-50 or later for ImageMagick 6).
2. For Linux distributions, use your package manager: 'sudo apt update && sudo apt upgrade imagemagick' (Debian/Ubuntu) or 'sudo yum update ImageMagick' (RHEL/CentOS, where the package name is capitalized).
3. For source installations, download and compile the patched version from the official repository.

🔧 Temporary Workarounds

Disable CUT format support (linux)

Deny the CUT coder in ImageMagick's policy.xml so that CUT images are never decoded:

Edit /etc/ImageMagick-6/policy.xml or /etc/ImageMagick-7/policy.xml (a source build installs the file under its own prefix, e.g. /usr/local/etc/ImageMagick-7/; 'convert -list policy' or 'magick -list policy' prints the path of the file actually loaded)
Add or modify, inside the <policymap> element: <policy domain="coder" rights="none" pattern="CUT" />
Confirm with 'convert -list policy' or 'magick -list policy' that a coder policy for CUT with no rights is listed; a policy file that ImageMagick does not load protects nothing.

Input validation and sanitization (all)

Implement strict file type validation before passing images to ImageMagick.

Implement server-side file type checking using magic bytes or other validation methods. Treat this as an allowlist: accept only the formats you can positively identify from their signature (PNG, JPEG, GIF and the like) rather than trying to recognise and reject CUT, because the Dr. Halo CUT format has no distinctive signature of its own and cannot be identified reliably by magic bytes.

🧯 If You Can't Patch

  • Implement strict input validation to reject CUT format images at the application level
  • Run ImageMagick in a sandboxed environment with minimal privileges to limit potential damage

🔍 How to Verify

Check if Vulnerable:

Check the ImageMagick version with 'convert --version' or 'magick --version'. If the version is below 7.0.8-50 (ImageMagick 7) or below 6.9.10-50 (ImageMagick 6), the system is vulnerable. Note that distribution packages may carry the fix as a backport without changing the upstream version string; in that case consult the package changelog or your distribution's security advisory for CVE-2019-13135 rather than relying on the version number alone.

Check Version:

(convert --version 2>/dev/null || magick --version 2>/dev/null) | head -1

The two commands must be grouped like this for the fallback to work: a pipeline's exit status is that of its last command, so 'convert --version | head -1 || magick --version | head -1' would report success from 'head' even when 'convert' is missing and never try 'magick'.

Verify Fix Applied:

After updating, verify the version is 7.0.8-50 or higher (or 6.9.10-50 for ImageMagick 6) using 'convert --version' or 'magick --version'.
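Added example (not code from the advisory or from the ImageMagick project) that covers both the version check above and the policy.xml workaround: it extracts the version from a --version banner, decides whether it is below the fixed release for its major line, and checks policy.xml text for a coder policy that denies CUT. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the advisory: compare a host's ImageMagick
# version with the CVE-2019-13135 fixed releases (7.0.8-50 / 6.9.10-50) and
# check that policy.xml denies the CUT coder. Function names are this example's own.

# Return 0 when version $1 is >= version $2. Versions look like "A.B.C-P";
# a missing "-P" release number counts as 0.
version_ge() {
  IFS='.-' read -r a1 a2 a3 a4 <<EOF
$1
EOF
  IFS='.-' read -r b1 b2 b3 b4 <<EOF
$2
EOF
  for pair in "$a1:$b1" "$a2:$b2" "$a3:$b3" "${a4:-0}:${b4:-0}"; do
    x=${pair%%:*}; y=${pair#*:}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
  done
  return 0
}

# Return 0 (vulnerable) when the version is below the fix for its major line,
# 1 when fixed, 2 for a major line the advisory does not cover.
is_vulnerable() {
  case $1 in
    7.*) version_ge "$1" 7.0.8-50 && return 1 || return 0 ;;
    6.*) version_ge "$1" 6.9.10-50 && return 1 || return 0 ;;
    *)   return 2 ;;
  esac
}

# Pull "6.9.10-23" out of a --version banner such as
# "Version: ImageMagick 6.9.10-23 Q16 x86_64 2019-...".
version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/^Version: ImageMagick \([0-9.]*-*[0-9]*\).*/\1/p'
}

# Return 0 when the policy.xml text ($1) has a coder policy with rights="none"
# for pattern="CUT", in any attribute order (commented-out entries match too).
policy_blocks_cut() {
  printf '%s\n' "$1" | tr '\n' ' ' | grep -o '<policy[^>]*>' \
    | grep -i 'domain="coder"' | grep -i 'rights="none"' | grep -iq 'pattern="CUT"'
}

# Live check on this host: the banner from whichever binary is installed.
installed_banner() {
  (magick --version 2>/dev/null || convert --version 2>/dev/null) | head -n 1
}
```

Commented-out <policy> entries match too, so confirm what ImageMagick actually loaded with 'convert -list policy' or 'magick -list policy'. A distribution backport still needs the changelog check described above, since the version string alone will report it as vulnerable.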

📡 Detection & Monitoring

Log Indicators:

  • ImageMagick process crashes or segmentation faults
  • Error messages related to CUT image processing
  • Unusual memory usage patterns in ImageMagick processes

Network Indicators:

  • Uploads of CUT format images to web applications
  • Unusual spikes in image processing requests

SIEM Query:

(process_name:"convert" OR process_name:"magick") AND (event_type:"crash" OR error_message:"CUT" OR error_message:"segmentation fault")

The parentheses around the process names are required: in most query languages AND binds tighter than OR, so without them the query matches every "convert" event regardless of the crash or error conditions.
