The vulnerability was initially identified by Apple and Citizen Lab as CVE-2023-4863 related to Google Chrome. However, the issue has been reevaluated and is now labeled as CVE-2023-5129. It has been accurately pinpointed as a defect in libwebp and has been given the highest severity rating of 10/10.
Mistaken Impact Initially Reported
At first, the issue was described only as a high-severity flaw in Google Chrome, tagged as CVE-2023-4863. However, the real scope of the problem extends beyond Chrome: the vulnerability affects any software using the WebP codec via the libwebp library. This includes major browsers like Mozilla Firefox, Apple Safari, and Microsoft Edge, all of which integrate libwebp. This vulnerability should be treated just like we treated the Log4J vulnerability since Log4j! It is found in so many other places.
The use of WebP image processing through libwebp is widespread, spanning systems such as Linux, Android, Windows, and macOS. Given that Android has this codec integrated, native browser apps on Android devices are also impacted. The vulnerability’s extent is vast due to the ubiquitous presence of the compromised library.
The initial misidentification of the flaw as exclusive to Chrome obscured its broad consequences. Thankfully, its new label, CVE-2023-5129, correctly pins it as an inherent issue with libwebp. It’s now evident that all apps and platforms using libwebp must urgently release updates for user protection.
While exploiting this vulnerability requires some sophisticated user interaction, it still permits remote code execution. With fixes now accessible, entities relying on WebP must act promptly to update susceptible versions, preventing potential malicious activities.
With a specially crafted WebP lossless file, libwebp may write data out of bounds to the heap. The ReadHuffmanCodes() function allocates the HuffmanCode buffer with a size that comes from an array of precomputed sizes: kTableSize. The color_cache_bits value defines which size to use. The kTableSize array only takes into account sizes for 8-bit first-level table lookups but not second-level table lookups. libwebp allows codes that are up to 15-bit (MAX_ALLOWED_CODE_LENGTH). When BuildHuffmanTable() attempts to fill the second-level tables it may write data out-of-bounds. The OOB write to the undersized array happens in ReplicateValue.
This data out-of-bounds overwrite is what allows the execution of arbitrary code which is a very bad thing!
Currently Known Applications Impacted by WebP:
According to this Wikipedia page, the following applications make use of libwebP for image processing and could be impacted. You should check with each of your vendors for a patch to apply starting with your web browsers.
- Basecamp 3
- Beaker (web browser)
- Cryptocat (discontinued)
- Eclipse Theia
- GitHub Desktop
- Light Table
- Logitech Options +
- Microsoft Teams
- MongoDB Compass
- QQ (for macOS)
- Quasar Framework
- Symphony Chat
- Visual Studio Code
Patch WebP 0day Now
A list of the vendors that pushed the WebP 0day patched against the vulnerability are –
- Google Chrome – Mac and Linux 116.0.5845.187 and Windows 116.0.5845.187/.188.
- Mozilla – Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2
- Brave Browser – version 1.57.64 (Chromium: 116.0.5845.188) [Android, iOS, Linux & Mac].
- Microsoft Edge – versions 109.0.1518.140, 116.0.1938.81, and 117.0.2045.31.
- Tor Browser – version 12.5.4.
- Opera – version 102.0.4880.46.
- Vivaldi – version 6.2.3105.47.
- NixOS – Nix package manager
You have a Vulnerability Alert Management Process, right?
If you’re a subscriber to CyberHoot’s awareness training Partner (Power) platform, you have access to our Policy and Process library which contains the Vulnerability Alert Management Process (VAMP) document. This document prescribes how to respond to situations like this and in what time frame. If your company has not yet adopted a VAMP-like process, now is a great time to get started.
If you’re a vCISO client, we’ve built this process for you and now you must execute according to the prescribed measures and timeframes. If you’re not a vCISO client or CyberHoot Product subscriber, perhaps you want to sign up here.