
Flash Notice: Zero-Day Vulnerability in Libwebp - Exploited in the Wild

Written by Marketing | Sep 28, 2023 3:43:02 PM

Overview

A severe security flaw, tracked as CVE-2023-5129, has been discovered in the libwebp image library – a critical component for rendering WebP-format images. The vulnerability poses significant risks and has been given a CVSS score of 10.

The root cause of the issue lies in a flawed implementation of the Huffman coding algorithm within the libwebp library. CVE-2023-5129 is a heap buffer overflow that allows attackers to execute arbitrary code when a crafted WebP image is processed, potentially leading to system crashes, unauthorized data access, and full compromise of the affected application.

Initially misidentified as a Google Chrome vulnerability (CVE-2023-4863), it has now been accurately identified as a critical flaw in libwebp itself. Earlier still, security researchers had identified it as part of a zero-click iMessage exploit chain called BLASTPASS, which targeted fully patched iPhones with NSO Group's Pegasus spyware. Although unconfirmed, it appears that the BLASTPASS chain was made possible by the libwebp vulnerability.

Researchers initially misidentified the vulnerability because Google's original disclosure gave the wrong impression that it only impacted the Chrome browser. Google later quietly submitted a second disclosure for the same critical code-execution vulnerability, and that submission clarified its broader impact on thousands of apps and software frameworks.

For those who are not aware, the libwebp library is widespread, found in numerous critical applications, including popular web browsers (e.g., Chrome, Firefox, Microsoft Edge, Opera), Linux distributions (Debian, Ubuntu, Alpine, Gentoo, SUSE), the Electron framework, and many other widely used applications (e.g., Microsoft Teams, Slack, Discord, LibreOffice). Some vendors have already shipped patches for the vulnerability while others have not.

CVE-2023-5129 impacts libwebp versions 0.5.0 to 1.3.1, with the issue being addressed in version 1.3.2. Due to the severity of the vulnerability, Avertium recommends that users update libwebp and related applications as soon as possible.  


Avertium's Recommendations

  • As previously stated, update libwebp and related applications to their latest secure versions. 
  • Employ vulnerability scanners to automate the detection and remediation of this vulnerability across your systems. 
  • Tom Sellers, principal research engineer at runZero, has offered macOS users a helpful shell command. The command lets users determine which version of Electron each of their apps bundles and whether that version includes the required patch. The Electron versions that include the fix are:
    • 22.3.24
    • 24.8.3
    • 25.8.1
    • 26.2.1
    • 27.0.0-beta.2
  • For a complete list of fixed software, packages, and browsers please see Rezilion’s report about the libwebp vulnerability. You may find the list under “Affected Systems Breakdown”. Keep in mind Rezilion’s report still names the vulnerability as CVE-2023-4863 instead of CVE-2023-5129.  
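As an added example (not the command from the notice, which is referenced but not reproduced here), the following script compares an Electron version against the fixed releases listed above and, on macOS, scans application bundles for embedded Electron frameworks. The framework path and the CFBundleVersion key are assumptions about how Electron ships inside an app bundle, not facts taken from the notice.

```shell
#!/bin/sh
# Added example, not the command from the notice: rank Electron versions against
# the fixed releases named above and report which macOS apps still need updating.

# Fixed Electron versions from the notice, one per major release line.
FIXED_VERSIONS="22.3.24 24.8.3 25.8.1 26.2.1 27.0.0-beta.2"

# vkey VERSION: print an integer that orders "a.b.c[-tag]" versions: major, minor,
# patch, 1 for a release or 0 for a prerelease, then the prerelease's trailing
# number, so 27.0.0 > 27.0.0-beta.2 > 27.0.0-beta.1 (the major is never zero-padded).
vkey() {
    num=${1%%-*}
    pre=${1#"$num"}                        # "" for a release, "-beta.2" for a prerelease
    IFS=.; set -- $num; unset IFS          # split a.b.c into $1 $2 $3
    if [ -z "$pre" ]; then rel=1; n=0
    else rel=0; n=${pre##*[!0-9]}; n=${n:-0}; fi
    printf '%d%04d%04d%d%04d' "$1" "${2:-0}" "${3:-0}" "$rel" "$n"
}

# electron_patched VERSION: exit 0 if VERSION is at or above the fixed release of
# its major line, 1 if it is older (vulnerable), 2 if the major line is not listed.
electron_patched() {
    for fixed in $FIXED_VERSIONS; do
        [ "${fixed%%.*}" = "${1%%.*}" ] || continue
        [ "$(vkey "$1")" -ge "$(vkey "$fixed")" ] && return 0
        return 1
    done
    return 2
}

# scan_apps [DIR]: on macOS, print status, Electron version and bundle path for each
# Electron app under DIR (default /Applications). Assumption: the bundled
# Electron Framework.framework records the Electron version as CFBundleVersion in
# its Resources/Info.plist.
scan_apps() {
    find "${1:-/Applications}" -maxdepth 4 -type d -name 'Electron Framework.framework' 2>/dev/null |
    while IFS= read -r fw; do
        ver=$(defaults read "$fw/Resources/Info.plist" CFBundleVersion 2>/dev/null) || continue
        if electron_patched "$ver"; then status=PATCHED
        elif [ $? -eq 1 ]; then status=VULNERABLE
        else status=UNLISTED-LINE; fi
        printf '%-14s %-16s %s\n' "$status" "$ver" "${fw%%/Contents/*}"
    done
}

scan_apps "$@"
```

Apps reported as UNLISTED-LINE run a major version the notice gives no fixed release for (for example Electron 23) and should be checked against the vendor's own advisory.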


INDICATORS OF COMPROMISE (IoCs)

At this time, there are no known IoCs associated with CVE-2023-5129. Avertium remains vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.   


How Avertium is Protecting Our Customers

  • Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
  • Avertium offers Vulnerability Management (VM) to provide a deeper understanding of, and control over, organizational information security risks. If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap.
  • Minimizing the impact of a successful ransomware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company's IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior.
  • Note: We highly value your feedback. Kindly spare a moment to complete our feedback form, allowing us to enhance our services for our valued customers. 

SUPPORTING DOCUMENTATION

Google quietly corrects previously submitted disclosure for critical webp 0-day | Ars Technica 

Google assigns new maximum rated CVE to libwebp bug exploited in attacks (bleepingcomputer.com) 

Critical libwebp Vulnerability Under Active Exploitation - Gets Maximum CVSS Score (thehackernews.com) 

Google "confirms" that exploited Chrome zero-day is actually in libwebp (CVE-2023-5129) - Help Net Security 

Tom Sellers: "Roughly 2 weeks ago Google pat…" - Infosec Exchange  

Google Max Severity Score for libwebp Zero-day Exploited in Wild (cybersecuritynews.com)