CVE-2019-19948
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code via a specially crafted SGI image file. It affects ImageMagick installations that process untrusted image files, particularly web applications that use ImageMagick for image conversion or processing.
💻 Affected Systems
- ImageMagick
📦 What is this software?
- Imagemagick by Imagemagick
- Leap by Opensuse
- Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, or ransomware deployment.
Likely Case
Denial of service through application crashes, or limited code execution in sandboxed environments.
If Mitigated
No impact if ImageMagick doesn't process untrusted SGI files or is properly sandboxed.
🎯 Exploit Status
Exploitation requires only a malicious SGI image file. Public proof-of-concept code exists in the GitHub issue tracker.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.0.8-44 and later
Vendor Advisory: https://github.com/ImageMagick/ImageMagick/issues/1562
Restart Required: No
Instructions:
1. Update ImageMagick to version 7.0.8-44 or later.
2. For Linux: use the package manager (apt-get upgrade imagemagick, yum update imagemagick).
3. For Windows: download updated binaries from the ImageMagick website.
4. For source installations: recompile from patched source.
🔧 Temporary Workarounds
Disable SGI coder
Linux: Remove or disable SGI image format support in the ImageMagick policy.xml.
Edit /etc/ImageMagick-7/policy.xml and add: <policy domain="coder" rights="none" pattern="SGI" />
Sandbox ImageMagick
Linux: Run ImageMagick in a container or with reduced privileges.
docker run --security-opt no-new-privileges -v /tmp:/tmp imagemagick
🧯 If You Can't Patch
- Implement strict input validation to reject SGI files at the application level
- Deploy network segmentation and restrict ImageMagick to isolated processing servers
🔍 How to Verify
Check if Vulnerable:
Run: convert -version | grep 'Version: ImageMagick' and check the reported version; 7.0.8-43 or earlier is vulnerable.
Check Version:
convert -version | grep 'Version: ImageMagick'
Verify Fix Applied:
After updating, run the same command and confirm the reported version is 7.0.8-44 or later.
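The version check above and the policy.xml workaround from the "Disable SGI coder" section can both be scripted. The following is an added example written for this advisory page, not code from the ImageMagick project. It assumes the first line of `convert -version` has the shape "Version: ImageMagick 7.0.8-43 Q16 ..." and that policy.xml keeps one <policy .../> element per line, as the shipped file does; the sample version output and policy fragments are constructed for the demonstration. Note that the version rule is the one this advisory states (fixed in 7.0.8-44); distribution packages such as those covered by the Debian and Ubuntu advisories in the references may carry a backported fix under an older version string, so check the distribution advisory for those.

```shell
#!/bin/sh
# Added example for this advisory, not from the ImageMagick project.
# Assumptions: `convert -version` starts with "Version: ImageMagick X.Y.Z-N ...",
# and policy.xml holds one <policy .../> element per line (commented ones on a
# single line with <!-- -->), as the shipped default policy.xml does.

FIXED_VERSION="7.0.8-44"   # first release the advisory lists as fixed

# Pull "7.0.8-43" out of captured `convert -version` output; prints nothing if absent.
im_extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^Version: ImageMagick \([0-9][0-9.]*-[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Numeric field-by-field comparison of versions like 7.0.8-43 and 7.0.8-44.
# Prints -1, 0 or 1 for a<b, a=b, a>b. A plain string comparison would
# wrongly rank 7.0.8-9 above 7.0.8-44, hence the numeric fields.
im_version_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "[.-]"); nb = split(b, y, "[.-]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# Exit 0 when the captured version predates the fix, 1 when fixed, 2 when unparseable.
im_is_vulnerable() {
    ver=$(im_extract_version "$1")
    [ -n "$ver" ] || return 2
    [ "$(im_version_cmp "$ver" "$FIXED_VERSION")" -lt 0 ]
}

# Exit 0 when the policy.xml text contains an active (uncommented) coder policy
# denying the SGI coder, i.e. the advisory's workaround is in place.
policy_blocks_sgi() {
    printf '%s\n' "$1" |
        grep -v '<!--' |
        grep '<policy' |
        grep 'domain="coder"' |
        grep 'rights="none"' |
        grep -q 'pattern="SGI"'
}

# Constructed sample inputs standing in for real command output and config files.
SAMPLE_VERSION_VULN='Version: ImageMagick 7.0.8-43 Q16 x86_64 https://imagemagick.org
Copyright: constructed sample line'
SAMPLE_VERSION_FIXED='Version: ImageMagick 7.0.8-44 Q16 x86_64 https://imagemagick.org'
SAMPLE_POLICY_OPEN='<policymap>
  <!-- <policy domain="coder" rights="none" pattern="SGI" /> -->
</policymap>'
SAMPLE_POLICY_BLOCKED='<policymap>
  <policy domain="coder" rights="none" pattern="SGI" />
</policymap>'

# Human-readable verdict combining the version check and the policy check.
report() {
    if [ -z "$(im_extract_version "$1")" ]; then
        echo "could not parse ImageMagick version"
    elif im_is_vulnerable "$1"; then
        if policy_blocks_sgi "$2"; then
            echo "vulnerable version, but SGI coder is disabled by policy"
        else
            echo "VULNERABLE: update ImageMagick or disable the SGI coder"
        fi
    else
        echo "not affected by version"
    fi
}

report "$SAMPLE_VERSION_VULN" "$SAMPLE_POLICY_OPEN"
report "$SAMPLE_VERSION_VULN" "$SAMPLE_POLICY_BLOCKED"
report "$SAMPLE_VERSION_FIXED" "$SAMPLE_POLICY_OPEN"

# On a real host, check the installed binary and the live policy file as well.
if command -v convert >/dev/null 2>&1 && [ -r /etc/ImageMagick-7/policy.xml ]; then
    report "$(convert -version 2>/dev/null)" "$(cat /etc/ImageMagick-7/policy.xml)"
fi
```

Run it on a host to get a one-line verdict; feed `report` the output of `convert -version` and the contents of the policy file in use (the path above is the one this advisory names, other layouts may use /etc/ImageMagick-6/).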
📡 Detection & Monitoring
Log Indicators:
- ImageMagick segmentation faults
- Process crashes when handling image files
- Unusual memory allocation patterns
Network Indicators:
- Unexpected outbound connections from ImageMagick processes
- Large SGI file uploads to web applications
SIEM Query:
process_name:"convert" AND (event_type:"crash" OR memory_usage:"spike")
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00006.html
- https://github.com/ImageMagick/ImageMagick/issues/1562
- https://lists.debian.org/debian-lts-announce/2019/12/msg00033.html
- https://usn.ubuntu.com/4549-1/
- https://www.debian.org/security/2020/dsa-4712
- https://www.debian.org/security/2020/dsa-4715