Information disclosure due to AES-CTR nonce reuse
Summary
ImageMagick before 7.1.2-22 contains an information disclosure vulnerability in the PasskeyEncipherImage method due to AES-CTR nonce reuse. Attackers can exploit nonce reuse in the cipher implementation to recover plaintext information from encrypted images. A vulnerability has been identified in ImageMagick, a software tool used to create, edit, and convert image files. This flaw allows a remote attacker to potentially decrypt and view images that were supposed to be securely encrypted by the software, leading to an unauthorized disclosure of sensitive data. Exploitation requires an attacker to specifically target encrypted images processed by this method, which is not a common default configuration in Red Hat environments. The vulnerability primarily affects applications utilizing the `PasskeyEncipherImage` function, potentially through bindings like Magick.NET. Red Hat severity: Low — CVSS 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). Weakness: CWE-323. Affected Red Hat products: Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 7. Will not fix / out of support: Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 7. Red Hat does not currently list a fixing RHSA for this CVE.
- < 7.1.2-22
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Mitigation checklist
- To mitigate this stop using ImageMagick's built-in encryption feature. Rely on standard, OS-level data-at-rest encryption (such as LUKS) to protect sensitive media instead.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.