Published: September 28, 2023
Overview
A critical security vulnerability has been found in libwebp, an open source library used for rendering Webp format images. The vulnerability, listed as CVE-2023-41064 (CVSS Score 7.8) and CVE-2023-4863 (CVSS Score 8.8), (previously tracked along with CVE-2023-5129 with CVSS Score 10) both point to the same heap buffer overflow bug in libwebp library that, if exploited, could lead to arbitrary code execution and a crash. With a specially crafted webp image, this bug can be exploited to execute arbitrary code. The libwebp library is more efficient than jpeg and png images in terms of speed and size, hence its use in a wide variety of applications for rendering images.
Impact
The impact is that an attacker, with a specially crafted image in webp format, can exploit this vulnerability to execute arbitrary code.
This vulnerability has been already exploited in various browsers including Chrome, Firefox, Safari and Microsoft Edge. It is used by threat actors as part of the BLASTPASS exploit chain to deploy the NSO Group’s Pegasus spyware on target mobile devices. The library libwebp is present in various image editors, browsers, and other libraries in various platforms. We should note that libwebp is mostly used indirectly by other software that bundles it, which contributes to the wider software ecosystem impact of this vulnerability. The popularity of the libwebp package implies that a multitude of systems could potentially be at risk, which makes ascertaining the full extent of this vulnerability’s impact a daunting task. Some of the platforms and applications which have dependency on the libwebp library and could be affected:
- Popular web browsers (Chrome, Firefox, Microsoft Edge, Opera, etc)
- Various applications (including Microsoft Teams, Slack, Discord, LibreOffice, 1Password, Telegram, Signal Desktop, etc.)
- The Electron framework, on which many cross-platform desktop applications are based
- Images and container images of applications such as – nginx, python, Joomla, WordPress, Node.js, perl, ruby, rust and more.
- Many Linux distributions (Debian, Ubuntu, Alpine, Gentoo, SUSE, etc.)
- Gaming Engines and design tools use libwebp library.
- Other libraries and modules that have dependencies on libwebp increasing the attack surface.
Some of these have already incorporated patches for the vulnerability.
Applicable Versions
Affected Version | Updated Version |
---|---|
Libwebp versions including and prior to 1.3.1 | Libweb version 1.3.2 |
Mitigations and Workarounds
There are no workarounds for this vulnerability. To prevent the vulnerability from being exploited, the following actions are suggested:
- Update the libwebp version to the latest one immediately. The fix is present in 1.3.2. Updating the version of libwebp to this or a higher one will be helpful.
- Take the latest versions of browsers like Chrome, Safari, Firefox, and Microsoft Edge where the flaw has been fixed.
- Similarly take the patched versions of other platforms and applications where this flaw has been fixed.
Best Practices
Run a vulnerability scanner to detect the presence of the vulnerable libwebp library in the various modules in the concerned environment, platform, and software modules. Make sure the vulnerability scanner has the feature to detect this vulnerability.
Always make sure the browsers, operating systems, and software modules are updated with the latest fixes and version.
Not all software modules and libraries have fixed this vulnerability, so be vigilant about the webp images which are processed as inputs. Keep checking with third party software vendors about the fixes for this vulnerability.
By following these best practices, users can reduce the risk of exploitation and help to prevent the CVE-2023-41064 and CVE-2023-4863 (and other CVEs which can be created for this vulnerability in the future) from being exploited and minimize the impact if it is exploited.
Netsurion Detection and Response
Netsurion researchers are continuously monitoring the exploits of this vulnerability. Our security analysts will add the IOCs (Indicators of Compromise – the hashes of malicious files and the IP addresses) to Netsurion Threat Center, our threat intelligence platform. This will help detect malicious files and suspicious Command and Control communications to malicious IP addresses to detect the exploitation of this vulnerability. Netsurion’s vulnerability management system will also detect these vulnerabilities (CVE-2023-41064 and CVE-2023-4863) for customers who have subscribed to Netsurion Vulnerability Management.
References:
- https://www.rezilion.com/blog/rezilion-researchers-uncover-new-details-on-severity-of-google-chrome-zero-day-vulnerability-cve-2023-4863/
- https://www.helpnetsecurity.com/2023/09/27/cve-2023-5129/
- https://therecord.media/libwebp-vulnerability-more-widespread-than-expected
- https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/
- https://thehackernews.com/2023/09/new-libwebp-vulnerability-under-active.html
- https://thehackernews.com/2023/09/google-rushes-to-patch-critical-chrome.html
- https://thehackernews.com/2023/09/mozilla-rushes-to-patch-webp-critical.html
- https://thehackernews.com/2023/09/apple-rushes-to-patch-zero-day-flaws.html
- https://developers.google.com/speed/webp
- https://snyk.io/blog/critical-webp-0-day-cve-2023-4863/
- https://www.tenable.com/blog/cve-2023-41064-cve-2023-4863-cve-2023-5129-faq-imageio-webp-zero-days