Threat Response - Critical vulnerability in libwebp (CVE-2023-4863)

Dear Reader,

A vulnerability was recently discovered in a widely-used piece of image processing software, that requires immediate patching of several software packages^[1]. With this TR we inform you about the vulnerability, the risk and the mitigations. 

Vulnerable versions of the image processing library were found in widely used software, including all major web browsers, as well as macOS, iOS and Android. It is highly recommended to install patches for vulnerable applications and operating systems as soon as they become available.

 

Description

On September 7 and in the following days, Citizen Lab, together with researchers from Apple, identified a vulnerability in "libwebp", a widely used library for processing WebP images^[2].

WebP is an image format that is supported by most web browsers and some other applications. The open-source library libwebp is used by many desktop and mobile applications to process WebP-encoded images. Both iOS and Android also ship with this library to help third-party applications in processing WebP images.

The vulnerability is being tracked as CVE-2023-4863^[3] and has been fixed in libwebp v1.3.2. This fix is now being distributed by software vendors through patches of their software.

At the time of writing, the following operating systems and widely used applications are known to have shipped with vulnerable versions of libwebp:

• iOS and iPadOS (patched in 16.6.1)
• Android (no patch available yet)
• macOS (patched in 11.7.10, 12.6.9, 13.5.2)
• Microsoft Edge (patched in 117.0.2045.31)
• Mozilla Firefox (patched in 117.0.1)
• Mozilla Firefox ESR (patched in 115.2.1)
• Mozilla Thunderbird (patched in 115.2.2)
• Google Chrome (patched in 116.0.5845.187)
• 1Password desktop client (patched in 8.10.15)
• Signal desktop client (patched in 6.30.2)
• Electron (patched in 22.3.24, 24.8.3, 25.8.1)

 

Impact

As the vulnerability can lead to unauthenticated remote code execution, we estimate the impact of this vulnerability as high.

 

Risk

As libwebp is a widely used library, and exploitation can in some cases happen without user interaction^[4], we estimate the risk of these vulnerabilities as high.

 

Mitigation

Patch the software and/or operating systems listed above to the listed version, or newer.

Be aware that not all vulnerable applications may be known yet. Northwave will follow developments around this vulnerability and if new vulnerable widely-used applications come to light, we will update this TR. We recommend also closely following updates by your software vendors, since updates may be related to this vulnerability.  

 

What should you do?

Follow the mitigation steps given above.

With Microsoft Defender for Endpoint, use the following hunting query to search for unpatched applications:

DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2023-4863"
| summarize count(), make_set(SoftwareVersion) by SoftwareVendor, SoftwareName

 

What will Northwave do?

For customers with Endpoint Detection & Response (EDR) based on Defender on Endpoint or ESET, Northwave is investigating whether other vulnerable applications may be present in their environment. 

Vulnerability Management customers will be informed in case vulnerable systems are detected in their infrastructure. 

We will monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. You can call us by phone or send us an email if you would like additional information.

E-mail: soc@northwave.nl 
Do you have an incident right now? Call our Incident Response Team: 00800 1744 0000

Disclaimer applies, see below.

 

Sources

[1]: https://www.bleepingcomputer.com/news/security/google-assigns-new-maximum-rated-cve-to-libwebp-bug-exploited-in-attacks/

[2]: https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/

[3]: https://nvd.nist.gov/vuln/detail/CVE-2023-4863

[4]: https://blog.isosceles.com/the-webp-0day/

---