Nick Hammond

Software Developer, Cyclist, & Traveler.

Fixing ImageMagick CVE-2016–3714 With Ansible

In ansible, rails

There’s a recently discovered vulnerability in ImageMagick(CVE-2016-3714) that’s incredibly easy to patch via Ansible. To address the patch we’ll utilize ImageMagick’s policy.xml file which is a recommended fix.

We’ll utilize the copy module which will help us copy a new policy file within the files/ directory of our role up to the server.

Assuming we have a role that installs imagemagick called imagemagick with a main task file containing:

roles/nickhammond.imagemagick/tasks/main.yml

---
- name: Install ImageMagick
  apt: name=imagemagick state=present

We can go ahead and create a new policy.xml file with the contents of the recommended fix in it:

roles/nickhammond.imagemagick/files/imagemagick.policy.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policymap [
<!ELEMENT policymap (policy)+>
<!ELEMENT policy (#PCDATA)>
<!ATTLIST policy domain (delegate|coder|filter|path|resource) #IMPLIED>
<!ATTLIST policy name CDATA #IMPLIED>
<!ATTLIST policy rights CDATA #IMPLIED>
<!ATTLIST policy pattern CDATA #IMPLIED>
<!ATTLIST policy value CDATA #IMPLIED>
]>

<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>

Note: Take a look at /etc/ImageMagick/policy.xml before replacing it, there’s a few other useful policy options that you might be interested in that are commented out by default.

Now that we’ve built our new policy file we can go ahead and create a task to copy it to any machine. Add a task to the main task file so that it now contains the following:

---
- name: Install ImageMagick
  apt: 
    name: imagemagick 
    state: present
  tags: [imagemagick]

- name: Add ImageMagick policy file for CVE-2016–3714
  copy:
    src: imagemagick.policy.xml
    dest: /etc/ImageMagick/policy.xml
  tags: [imagemagick]

Typically you’ll install ImageMagick within some other role, if you tag the task though you can just run the ImageMagick specific tasks and target the specific vulnerability.

Now we can utilize our playbook that includes our ImageMagick role to patch the vulnerability. Here’s a simple playbook that we can use to include our playbook and run it.

image-server.yml

---
- hosts: all
  roles:
    - nickhammond.imagemagick

From here you can use various inventory and limit combinations to target the specific servers that this needs to be released on and run the patch.

ansible-playbook -i inventory/production -l image -s image-server.yml -K -t imagemagick

This ad-hoc command runs with the following options:

  • -i - Uses our production inventory file
  • -l - Limits the servers to a host pattern matching “image”
  • -s - Runs as sudo since the file is owned by root
  • Uses the image-server.yml playbook
  • -K - Prompts for the sudo password, not needed if you have passwordless sudo
  • -t - Only runs tasks tagged with imagemagick

If you’d like to do a quick sanity check before running this everywhere you can always use -C to check what will actually be changed.

Once you’ve run that on your servers you can then verify that the policies are in place with convert -list policy, it’ll look similar to this output:

$ convert -list policy

Path: /etc/ImageMagick/policy.xml
  Policy: Coder
    rights: None 
    pattern: EPHEMERAL
  Policy: Coder
    rights: None 
    pattern: URL
  Policy: Coder
    rights: None 
    pattern: HTTPS
  Policy: Coder
    rights: None 
    pattern: MVG
  Policy: Coder
    rights: None 
    pattern: MSL

P.S. We should keep in touch, subscribe below.