CVE-2017-13140 relates to a denial of service vulnerability in ImageMagick versions before 6.9.9-1 and 7.x before 7.0.6-2. Learn about the impact, affected systems, exploitation, and mitigation steps.
ImageMagick versions prior to 6.9.9-1 and 7.x prior to 7.0.6-2 are vulnerable to a denial of service attack due to a flaw in the ReadOnePNGImage function.
Understanding CVE-2017-13140
This CVE describes a vulnerability in ImageMagick that could allow remote attackers to cause a denial of service.
What is CVE-2017-13140?
The vulnerability exists in the ReadOnePNGImage function in coders/png.c in ImageMagick versions before 6.9.9-1 and 7.x before 7.0.6-2. A remote attacker can trigger it by supplying a PNG file whose declared width equals the MAGICK_WIDTH_LIMIT, which causes the application to hang while processing the file.
The Impact of CVE-2017-13140
Exploitation of this vulnerability can lead to a denial of service, where the application hangs due to processing a specially crafted PNG file.
Technical Details of CVE-2017-13140
ImageMagick's vulnerability details and affected systems.
Vulnerability Description
The ReadOnePNGImage function in ImageMagick allows remote attackers to trigger a denial of service by providing a PNG file with a width that matches the MAGICK_WIDTH_LIMIT, causing the application to hang.
Affected Systems and Versions
ImageMagick 6.x releases before 6.9.9-1 and 7.x releases before 7.0.6-2 are affected. Any system that uses one of these versions to process untrusted PNG input is exposed.
Exploitation Mechanism
Attackers exploit the vulnerability by crafting a PNG file whose width matches the configured width limit; when ReadOnePNGImage processes such a file, the application hangs, producing a denial of service.
Mitigation and Prevention
Steps to mitigate and prevent the CVE-2017-13140 vulnerability.
Immediate Steps to Take
Update ImageMagick to version 6.9.9-1 or later, or, on the 7.x branch, to 7.0.6-2 or later. Until the update is applied, avoid passing untrusted PNG files to affected versions.
Long-Term Security Practices
Track ImageMagick security releases and keep installed versions at or above the fixed releases, so that untrusted image input is only ever processed by patched code.
Patching and Updates
The fix is included in ImageMagick 6.9.9-1 and 7.0.6-2; versions earlier than these remain vulnerable and should be upgraded.
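Because the trigger described above is a declared PNG width that matches the configured limit, a service that feeds uploaded images to an affected ImageMagick build can reject such files before ImageMagick ever opens them. The following is an added example, not code from ImageMagick or from this advisory: it parses only the PNG signature and IHDR chunk, verifies the IHDR CRC, and accepts an image only if its declared width and height are non-zero and strictly below the limits. The WIDTH_LIMIT and HEIGHT_LIMIT values are assumptions for the example and should be aligned with the limits actually configured for the ImageMagick deployment; the sample_png_header helper builds constructed test input (signature plus IHDR only, not a decodable image).

```python
"""Pre-filter PNG input by declared dimensions before handing it to ImageMagick.

Added example for CVE-2017-13140 mitigation; this is not ImageMagick code.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Assumed limits for this example. Set them to match the deployment's
# configured ImageMagick width/height limits; these numbers are not
# ImageMagick defaults.
WIDTH_LIMIT = 16_384
HEIGHT_LIMIT = 16_384


class PngHeaderError(ValueError):
    """Input is not a PNG with a well-formed IHDR chunk."""


def read_ihdr(data: bytes) -> dict:
    """Parse only the signature and the IHDR chunk of a PNG byte string.

    Returns the declared width, height, bit depth and colour type. The IHDR
    CRC is checked so that a corrupted header is rejected, not trusted.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise PngHeaderError("missing PNG signature")
    # After the 8-byte signature: 4-byte length, 4-byte type, 13 bytes of
    # IHDR data, 4-byte CRC. Anything shorter cannot hold a valid IHDR.
    if len(data) < 8 + 4 + 4 + 13 + 4:
        raise PngHeaderError("too short to contain an IHDR chunk")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise PngHeaderError("first chunk is not a 13-byte IHDR")
    chunk = data[16:29]
    (crc,) = struct.unpack(">I", data[29:33])
    # The PNG CRC covers the chunk type and chunk data, not the length field.
    if (zlib.crc32(ctype + chunk) & 0xFFFFFFFF) != crc:
        raise PngHeaderError("IHDR CRC mismatch")
    width, height, bit_depth, color_type = struct.unpack(">IIBB", chunk[:10])
    return {
        "width": width,
        "height": height,
        "bit_depth": bit_depth,
        "color_type": color_type,
    }


def png_within_limits(data: bytes,
                      width_limit: int = WIDTH_LIMIT,
                      height_limit: int = HEIGHT_LIMIT) -> bool:
    """True only if the declared dimensions are non-zero and strictly below
    the limits. A width equal to the limit is rejected on purpose, since an
    exact match is the condition the advisory describes."""
    hdr = read_ihdr(data)
    return (0 < hdr["width"] < width_limit
            and 0 < hdr["height"] < height_limit)


def sample_png_header(width: int, height: int) -> bytes:
    """Constructed test fixture: PNG signature plus a valid IHDR chunk only.

    This is not a decodable image; it exists so the checks above can be
    exercised offline.
    """
    body = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    chunk = b"IHDR" + body
    crc = zlib.crc32(chunk) & 0xFFFFFFFF
    return (PNG_SIGNATURE + struct.pack(">I", len(body))
            + chunk + struct.pack(">I", crc))


if __name__ == "__main__":
    for w in (640, WIDTH_LIMIT):
        print(f"width={w}: accepted={png_within_limits(sample_png_header(w, 480))}")
```

Run this check on the raw bytes of an upload before invoking ImageMagick, and reject (or quarantine and log) anything for which read_ihdr raises or png_within_limits returns False. The filter is a stop-gap for the window before the upgrade to 6.9.9-1 / 7.0.6-2 is rolled out; it does not replace the patch.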