“Google has assigned a new CVE ID (CVE-2023-5129) to a libwebp security vulnerability exploited as a zero-day in attacks and patched two weeks ago. The company initially disclosed the flaw as a Chrome weakness, tracked as CVE-2023-4863, rather than assigning it to the open-source libwebp library used to encode and decode images in WebP format” (Bleeping Computer, 2023).
The vulnerability was initially disclosed by Apple Security Engineering and Architecture (SEAR) and the Citizen Lab at the University of Toronto’s Munk School on September 6, 2023. The zero-day was fixed by Google less than a week later. The security researchers who discovered the flaw found that it was being abused in targeted spyware campaigns which are often linked to state-sponsored threat actors.
Security researchers questioned why the vulnerability was tagged as a Chrome bug, since it resides in libwebp, a library used by many products and services. Researchers also noted that CVE-2023-41064, fixed on September 7th, was related to the same WebP flaw. That zero-click iMessage exploit chain, dubbed BLASTPASS, was used to infect patched iPhones with NSO Group’s Pegasus commercial spyware.
Security Officer Comments:
CVE-2023-4863 has been assigned another CVE ID, CVE-2023-5129, and now correctly marks the issue as a critical libwebp vulnerability. The vulnerability has received the maximum CVSS score of 10/10, and significantly impacts products and services using the libwebp open-source library.
The vulnerability resides in the Huffman coding algorithm used by libwebp for lossless compression. It enables a threat actor to perform out-of-bounds memory writes using maliciously crafted HTML pages. Most critically, exploiting the flaw can cause crashes, lead to arbitrary code execution, and allow unauthorized access to sensitive information.
After being reclassified to CVE-2023-5129 and assigned specifically to libwebp, the vulnerability impacts a much wider breadth of products and services. Libwebp is used in prominent services including 1Password, Signal, Safari, Mozilla Firefox, Microsoft Edge, Opera, and the native Android web browsers.
“With a specially crafted WebP lossless file, libwebp may write data out of bounds to the heap. The ReadHuffmanCodes() function allocates the HuffmanCode buffer with a size that comes from an array of precomputed sizes: kTableSize. The color_cache_bits value defines which size to use. The kTableSize array only takes into account sizes for 8-bit first-level table lookups but not second-level table lookups. libwebp allows codes that are up to 15-bit (MAX_ALLOWED_CODE_LENGTH). When BuildHuffmanTable() attempts to fill the second-level tables it may write data out-of-bounds. The OOB write to the undersized array happens in ReplicateValue.”
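To make the size mismatch described above concrete, here is an added C illustration (not code from libwebp or from the advisory) that reimplements only the table-size accounting: a size-only pass following the NextTableBitSize/GetNextKey rules counts the root table plus every second-level table a code-length array needs, and a check refuses a buffer that was sized for the 8-bit first level alone. The function names and the sample code-length arrays are constructed for this example.

```c
#define MAX_CODE_LENGTH 15  /* libwebp's MAX_ALLOWED_CODE_LENGTH */
#define ROOT_BITS 8         /* width of the first-level lookup table */
/* Bits for the next second-level table (libwebp's NextTableBitSize rule). */
static int next_table_bits(const int *count, int len) {
  int left = 1 << (len - ROOT_BITS);
  while (len < MAX_CODE_LENGTH) {
    left -= count[len];
    if (left <= 0) break;
    ++len;
    left <<= 1;
  }
  return len - ROOT_BITS;
}
/* Advance a bit-reversed canonical code of `len` bits (libwebp's GetNextKey). */
static unsigned next_key(unsigned key, int len) {
  unsigned step = 1u << (len - 1);
  while (key & step) step >>= 1;
  return step ? (key & (step - 1)) + step : key;
}
/* Entries a two-level lookup needs (root + second-level tables); 0 if not a complete code. */
int huffman_table_size(const int *code_lengths, int n) {
  int count[MAX_CODE_LENGTH + 1] = {0};
  int len, i, num_syms, total = 1 << ROOT_BITS, num_open = 1, num_nodes = 1;
  unsigned key = 0, low = ~0u, mask = (1u << ROOT_BITS) - 1;
  for (i = 0; i < n; ++i) {
    if (code_lengths[i] < 0 || code_lengths[i] > MAX_CODE_LENGTH) return 0;
    ++count[code_lengths[i]];
  }
  num_syms = n - count[0];
  if (num_syms < 2) return num_syms ? total : 0;  /* one symbol: root table only */
  for (len = 1; len <= MAX_CODE_LENGTH; ++len) {
    num_open <<= 1;
    num_nodes += num_open;
    num_open -= count[len];
    if (num_open < 0) return 0;     /* over-subscribed code */
    for (; count[len] > 0; --count[len]) {
      if (len > ROOT_BITS && (key & mask) != low) {
        /* New second-level table: space an 8-bit-only size table never budgets. */
        total += 1 << next_table_bits(count, len);
        low = key & mask;
      }
      key = next_key(key, len);
    }
  }
  return (num_nodes == 2 * num_syms - 1) ? total : 0;  /* must be complete */
}
int table_fits(const int *code_lengths, int n, int alloc_entries) {
  int need = huffman_table_size(code_lengths, n);
  return need > 0 && need <= alloc_entries;
}
```

A skewed code with one symbol per length 1 through 14 and two 15-bit symbols already needs 384 entries, 128 more than the 256-entry root table, which is exactly the budget an 8-bit-only size table misses.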
The library is used in a wide range of applications, code libraries, frameworks, and operating systems. A multitude of software, applications, and packages have adopted this library, or even adopted packages that have libwebp as a dependency. The package is especially efficient, outperforming JPEG and PNG in terms of size and speed. Because of the prevalence of libwebp, the attack surface will be quite large, which is concerning for both users and organizations.
Popular products using libwebp:
- Popular container images, “collectively downloaded and deployed billions of times” (e.g., drupal, nginx, perl, python, ruby, rust, wordpress)
- A variety of utilities that depend on libwebp
- The most popular web browsers (Chrome, Firefox, Microsoft Edge, Opera, etc.)
- Many Linux distributions (Debian, Ubuntu, Alpine, Gentoo, SUSE, etc.)
- The Electron framework, on which many cross-platform desktop applications are based, including:
  - Basecamp 3
  - Beaker (web browser)
  - Cryptocat (discontinued)
  - Eclipse Theia
  - GitHub Desktop
  - Light Table
  - Logitech Options +
  - Microsoft Teams
  - MongoDB Compass
  - QQ (for macOS)
  - Quasar Framework
  - Symphony Chat
  - Visual Studio Code
Some of the impacted vendors have released patches for the vulnerability, while others have yet to do so. We expect a steady rollout of patches to address this critical vulnerability.
Organizations may be able to use vulnerability scanners to automatically detect and remediate the vulnerability across their systems. Tom Sellers, principal research engineer at runZero, has also shared a shell command users can run on macOS to see which of their apps are based on which Electron version (versions 22.3.24, 24.8.3, 25.8.1, 26.2.1 and 27.0.0-beta.2 have the patch).
Vendors that have pushed patches against the WebP 0day include:
- Google Chrome – Mac and Linux 116.0.5845.187 and Windows 116.0.5845.187/.188.
- Mozilla – Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2
- Brave Browser – version 1.57.64 (Chromium: 116.0.5845.188) [Android, iOS, Linux & Mac].
- Microsoft Edge – versions 109.0.1518.140, 116.0.1938.81, and 117.0.2045.31.
- Tor Browser – version 12.5.4.
- Opera – version 102.0.4880.46.
- Vivaldi – version 6.2.3105.47.
- NixOS - Nix package manager