CVE-2020-13902

7.1 HIGH

📋 TL;DR

This vulnerability in ImageMagick allows attackers to read heap memory beyond allocated buffers when processing specially crafted TIFF images. It affects systems using vulnerable ImageMagick versions to process untrusted image files. The heap buffer over-read could leak sensitive information or potentially lead to further exploitation.

💻 Affected Systems

Products:
  • ImageMagick
Versions: 7.0.9-27 through 7.0.10-17
Operating Systems: All platforms running vulnerable ImageMagick versions
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using ImageMagick to process TIFF images from untrusted sources is vulnerable. This includes web applications, document processing systems, and image conversion tools.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Information disclosure leading to memory content leakage, potentially exposing sensitive data like passwords, keys, or other process memory. Could be chained with other vulnerabilities for remote code execution.

🟠 Likely Case

Application crashes (denial of service) when processing malicious TIFF files. Information disclosure of adjacent heap memory.

🟢 If Mitigated

Minimal impact if proper input validation and sandboxing are in place, with only controlled crashes possible.

🌐 Internet-Facing: MEDIUM - Web applications processing user-uploaded TIFF images are vulnerable, but exploitation requires specific conditions.
🏢 Internal Only: LOW - Internal systems typically process trusted images, reducing attack surface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting a malicious TIFF file that triggers the buffer over-read. Public proof-of-concept exists in the OSS-Fuzz bug reports.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ImageMagick 7.0.10-18 and later

Vendor Advisory: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7v27-29w3-3q3h

Restart Required: No

Instructions:

1. Check the current ImageMagick version with 'convert --version'.
2. Update to version 7.0.10-18 or later using your package manager.
3. For source installations: download the latest source from imagemagick.org, then compile and install.

🔧 Temporary Workarounds

Disable TIFF format support (linux)

Remove or disable the TIFF coder module so ImageMagick can no longer process TIFF images (the module path below is installation-specific; adjust it to your build):

mv /usr/lib/ImageMagick-7.0.10/modules-Q16HDRI/coders/tiff.* /tmp/

Alternatively, edit policy.xml to disable TIFF.

Implement input validation (all)

Reject or sanitize TIFF files from untrusted sources before processing.

🧯 If You Can't Patch

  • Implement strict file type validation to reject TIFF files from untrusted sources
  • Run ImageMagick in a sandboxed environment with limited memory access

🔍 How to Verify

Check if Vulnerable:

Run 'convert --version' and check if version is between 7.0.9-27 and 7.0.10-17 inclusive

Check Version:

convert --version | head -1

Verify Fix Applied:

After update, verify version is 7.0.10-18 or later with 'convert --version'
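A shell check for the affected range, added here as an example (not from the advisory or the ImageMagick project): a plain string compare mis-orders 7.0.10-x against 7.0.9-x, so each numeric component is compared separately. The banner line is a constructed sample; on a real host substitute the output of `convert --version | head -1`.

```shell
#!/bin/sh
# Added example: decide whether an ImageMagick version string lies in the
# range this advisory lists, 7.0.9-27 through 7.0.10-17 (inclusive).
# "7.0.10-5" sorts before "7.0.9-27" as a string, so each numeric component
# (major.minor.patch-release) is compared on its own instead.

# Pull the version out of the first line printed by `convert --version`.
im_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/^Version: ImageMagick \([0-9][0-9.]*\(-[0-9][0-9]*\)\{0,1\}\).*$/\1/p'
}

# Compare two versions numerically; prints -1, 0 or 1 like strcmp.
# A missing release number ("7.1.0") counts as 0.
im_version_cmp() {
    va=$1; vb=$2
    set -- $(printf '%s' "$va" | sed 's/[.-]/ /g')
    a1=${1:-0}; a2=${2:-0}; a3=${3:-0}; a4=${4:-0}
    set -- $(printf '%s' "$vb" | sed 's/[.-]/ /g')
    b1=${1:-0}; b2=${2:-0}; b3=${3:-0}; b4=${4:-0}
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3" "$a4 $b4"; do
        set -- $pair
        if [ "$1" -lt "$2" ]; then echo -1; return; fi
        if [ "$1" -gt "$2" ]; then echo 1; return; fi
    done
    echo 0
}

# True (exit 0) when the version is inside the affected range.
im_vulnerable() {
    [ "$(im_version_cmp "$1" 7.0.9-27)" -ge 0 ] &&
        [ "$(im_version_cmp "$1" 7.0.10-17)" -le 0 ]
}

# Constructed sample of `convert --version | head -1` from a 7.0.10-5 build.
sample='Version: ImageMagick 7.0.10-5 Q16 x86_64 2020-05-20 https://imagemagick.org'
v=$(im_version_from_banner "$sample")
if im_vulnerable "$v"; then
    echo "ImageMagick $v is in the affected range; update to 7.0.10-18 or later"
else
    echo "ImageMagick $v is outside the affected range"
fi
```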

📡 Detection & Monitoring

Log Indicators:

  • ImageMagick process crashes when processing TIFF files
  • Memory access violation errors in system logs

Network Indicators:

  • Unusual TIFF file uploads to web applications
  • Multiple failed image processing attempts

SIEM Query:

process_name:"convert" AND (event_type:"crash" OR error_message:"segmentation fault") AND file_extension:(".tif" OR ".tiff")
