CVE-2017-11188

Vulnerability

The ReadDPXImage function in coders/dpx.c of ImageMagick 7.0.6-0 contains a large loop vulnerability that can lead to CPU exhaustion. The issue stems from the lack of an end-of-file (EOF) check when reading a DPX file. Specifically, at line 1119 of dpx.c, a for loop iterates from offset up to dpx.file.image_offset (read from ReadBlobLong). Since dpx.file.image_offset is an unsigned integer and can be crafted to a large value (up to 4294967295), the loop reads bytes from the file without verifying whether the file has ended, causing excessive processing time even for a small input file [1].

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted DPX image file to an application or service that uses ImageMagick to process images. No special privileges or network position beyond the ability to upload or supply the malicious file is required. The attacker controls the dpx.file.image_offset value in the file header, which causes ReadDPXImage to enter a lengthy loop, reading bytes until the offset is reached. Since the loop does not check for EOF, the function will attempt to read past the file data, consuming CPU resources unnecessarily [1].

Impact

This vulnerability results in a denial-of-service (DoS) condition, as CPU resources are exhausted while processing the crafted file. The attacker can cause the application to hang or become unresponsive. No data confidentiality or integrity is compromised, but availability is significantly affected. The impact is limited to CPU exhaustion and does not lead to code execution or privilege escalation [1].

Mitigation

The official fix was implemented in ImageMagick subsequent releases after 7.0.6-0. Users should upgrade to a patched version. As a workaround, avoid processing untrusted DPX files or disable the DPX coder if not needed. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [1].