WebP is an open-source image format developed by Google. WebP enables higher quality images in smaller file sizes. The libwebp package, released by Google, encodes and decodes images in WebP format and is used widely across the internet for lossless image compression.

The image parsing library libwebp is the core of the recently identified CVE-2023-4863 heap buffer overflow vulnerability and zero-day exploit that impacts Google Chrome and other Chromium-based browsers for Windows, macOS, and Linux, as well as any software or web application that uses the libwebp library.

What is CVE-2023-4863?

CVE-2023-4863 is a zero-day vulnerability that allows for remote code execution and out-of-bounds write through a buffer overflow attack. Though there are reports of active exploitation, details about those attacks have not yet been made available. It seems that a malicious WebP image on a crafted HTML page can enable a remote attacker to perform an out-of-bounds memory write.

Because of how the WebP Codec provides support for web images, a heap overflow vulnerability permits exploitation of WebP image provisions. The image-based exploitation is related to WebP's lossless compression through the Huffman coding algorithm. If an attacker overflows the algorithmic data and replaces it with their own maliciously crafted image data, then the attacker can gain access to the victim's device and run code. Simply accessing the malicious image on the web page can trigger this vulnerability without any further user interaction.

This vulnerability is a known Chrome zero-day exploit, but it extends beyond just web browsers. CVE-2023-4863 follows the recent CVE-2023-41064 discovery by the Citizen Lab. CVE-2023-41064, also known as the BLASTPASS exploitation, deploys Pegasus spyware through zero-click iMessage images. The Citizen Lab reported this issue to Apple and, together with Apple's Security and Engineering Architecture team, they notified Google about potential exploitation beyond Mac-based products.

With the WebP format used widely and the libwebp library, specifically, in use among many browsers, applications, and software, this vulnerability could have extensive implications across the web. Any software using libwebp may be vulnerable. While usage does not necessarily correlate with exploitability, any use of this package should be investigated to confirm whether or not the use is vulnerable to the exploit.

CVE-2023-4863 is the vulnerability's identification in NIST's National Vulnerability Database (this critical vulnerability was briefly re-registered as CVE-2023-5129 and then withdrawn). This vulnerability has a CVSS score of 8.8, which indicates a high severity. While the CVSS base score does not identify the measure of risk, the widespread use of libwebp and reports of active exploitation suggest that there may be lasting effects among web users.

Who is Impacted By CVE-2023-4863?

Due to the extensive use of libwebp across the web, it is difficult to identify the exact parameters of this vulnerability. However, the widespread implementation of this library means that many sites and applications may be vulnerable but would need further investigation to know definitively.

Website and application developers can check the application's source code to determine the use of libwebp and to upgrade to a secure version. Further, you can audit your Software Bill of Materials (SBOM) to determine exposure among your software libraries.

Since many packages rely on libwebp, it is imperative that developers review the application build to ensure their stack is updated to the fixed version. Rezilion has identified the package in use among popular CMS frameworks like WordPress and Drupal and a variety of Docker container images. Additionally, many Linux-based operating systems have released security fixes for their builds, including Alpine, Debian, Gentoo, Oracle, Red Hat, SUSE, and Ubuntu.

If you identify that your software, applications, or packages incorporate the libwebp library, take action to update it immediately to the latest version. Once the security upgrade has been applied, ensure that you restart applications for the changes to take effect. Follow your existing vulnerability remediation process so that this update minimizes operational interruption.

All web users should follow the recommended update schedule to install fixes for products with known version updates. Google Chrome has released an update for use across macOS, Linux, and Windows that is currently available or will be available to all users in the very near future. Apple has also released a security update for iOS and iPadOS. Likewise, other Chromium-based web browsers have released fixes, including Brave Browser, Microsoft Edge, Mozilla Firefox, Opera, Tor Browser, and Vivaldi. Other applications, like 1Password and Electron, are also releasing updates as they can.

For third-party vendors, source code will generally not be available. As vendors complete their own assessment of libwebp usage, they may publish information on which versions of their products are vulnerable. Because the potential attack surface is extensive, vendors need to complete internal investigations and communicate the status for their products.

What You Can Do About CVE-2023-4863

Because libwebp is used extensively across the web, it is critical that updates are applied as quickly as possible to achieve widespread uptake. It may take some time for the security upgrade to come into widespread use.

You can take these three actions to ensure that you implement cybersecurity updates:

  • Apply all the security updates for browsers, apps, and operating systems.
  • Identify if your applications use libwebp directly or as a dependency, then upgrade to a secure version.
  • Open a line of communication with your vendors to remain updated about their use of libwebp.
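
One way to carry out the SBOM audit and the "directly or as a dependency" check described above, as an added example that is not UpGuard's or the libwebp project's code. It assumes a CycloneDX JSON SBOM; the function names are hypothetical, the sample SBOM is constructed, and the fixed version is a parameter you take from the libwebp or vendor advisory (the "1.0.1" used with the sample is a placeholder, not the real fix version).

```python
import json
import re

# Constructed CycloneDX-style SBOM; every name and version here is made up.
SAMPLE_SBOM = json.loads("""{
  "metadata": {"component": {"bom-ref": "app", "name": "shop-frontend"}},
  "components": [
    {"bom-ref": "img", "name": "imagelib", "version": "4.0.0",
     "purl": "pkg:generic/imagelib@4.0.0", "components": [
       {"bom-ref": "webp-bundled", "name": "libwebp", "version": "1.0.0",
        "purl": "pkg:generic/libwebp@1.0.0"}]},
    {"bom-ref": "webp-os", "name": "libwebp7", "version": "1.0.0-2",
     "purl": "pkg:deb/debian/libwebp7@1.0.0-2"}],
  "dependencies": [
    {"ref": "app", "dependsOn": ["img", "webp-os"]},
    {"ref": "img", "dependsOn": ["webp-bundled"]}]
}""")

DISTRO_PURLS = ("pkg:deb/", "pkg:rpm/", "pkg:apk/")

def version_tuple(version):
    """Leading dotted-numeric part of a version: '1.0.0-2' -> (1, 0, 0)."""
    match = re.match(r"\d+(?:\.\d+)*", version or "")
    return tuple(int(p) for p in match.group().split(".")) if match else ()

def walk(components):
    """Yield every component, including ones nested (bundled) inside another."""
    for comp in components or []:
        yield comp
        yield from walk(comp.get("components"))

def audit_libwebp(sbom, fixed_version):
    """Return (bom-ref, version, direct|transitive, status) per libwebp component."""
    root = sbom.get("metadata", {}).get("component", {}).get("bom-ref")
    direct = {ref for dep in sbom.get("dependencies", []) if dep.get("ref") == root
              for ref in dep.get("dependsOn", [])}
    findings = []
    for comp in walk(sbom.get("components")):
        purl = comp.get("purl", "")
        if "libwebp" not in (comp.get("name", "") + " " + purl).lower():
            continue
        if purl.startswith(DISTRO_PURLS):
            status = "check-distro-advisory"  # distros backport fixes
        elif version_tuple(comp.get("version")) < version_tuple(fixed_version):
            status = "upgrade"
        else:
            status = "ok"
        how = "direct" if comp.get("bom-ref") in direct else "transitive"
        findings.append((comp.get("bom-ref"), comp.get("version"), how, status))
    return findings
```

Distribution packages are reported for advisory lookup rather than compared by number, because a distribution can ship the fix without changing the upstream version. A component with no parseable version is reported as "upgrade" so it is not silently passed.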

When products are known to be affected and added to the NVD listing for CVE-2023-4863, they will be added to the UpGuard vulnerability library. UpGuard will continue monitoring the situation for more information on which products and which versions of those are affected.
