#VU16711 Infinite loop in ImageMagick - CVE-2018-20467
Vulnerability identifier: #VU16711
Vulnerability risk: Low
CVSSv4.0: 1.8 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID:
CWE-ID:
CWE-835
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
ImageMagick
Client/Desktop applications /
Multimedia software
Vendor: ImageMagick.org
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop in coders/bmp.c. A remote attacker can trick the victim into opening a specially crafted file, consume all available system resources and cause denial of service conditions.
Mitigation
Update to version 7.0.8-16.
Vulnerable software versions
ImageMagick: 7.0.8-0 - 7.0.8-14
External links
https://github.com/ImageMagick/ImageMagick/commit/db0add932fb850d762b02604ca3053b7d7ab6deb
https://github.com/ImageMagick/ImageMagick/issues/1408
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
