Nixu Threat Intelligence Bulletin: Critical Libwebp Vulnerability Discovered

Nixu Threat Intelligence Team

Threat Intelligence Team

Syyskuu 28, 2023 at 18:00

Critical Libwebp Vulnerability (CVE-2023-5129)

On 15 September, Nixu Threat Intelligence informed their clients that a vulnerability (CVE-2023-4863) in a library used by Google Chrome and Firefox browsers was being exploited in the wild. The library in question is libwebp and is used for image handling.

The flaw has now been given a new CVE identifier (CVE-2023-5129) which refers to the library itself. Google initially labeled it as a Chrome issue rather than assigning it to the library. The reclassification of CVE-2023-5129 as a libwebp vulnerability holds particular importance due to it initially going unnoticed as a potential security threat for numerous projects using libwebp.

Many browsers use this library for displaying images in the browser but there are also other projects that likely utilize it as well, such as 1Password, Signal, Mozilla Thunderbird, Adobe Photoshop, et al. This vulnerability mainly affects client-side software, which is used to render images on screen, but some server products likely implement it as well – Wordpress, as an example.

Furthermore, a security consulting firm has linked the originally reported CVE-2023-4863 to the CVE-2023-41064 vulnerability (addressed by Apple in early September) that was abused as part of a zero-click iMessage exploit chain (dubbed BLASTPASS) to infect fully patched iPhones with commercial spyware of the NSO Group Pegasus.

Details

=======

Product: Multiple

Risk: Arbitrary code execution, access to sensitive information

Link 1: https://nvd.nist.gov/vuln/detail/CVE-2023-5129

Link 2: https://arstechnica.com/security/2023/09/google-quietly-corrects-previously-submitted-disclosure-for-critical-webp-0-day/

Link 3: https://en.wikipedia.org/wiki/WebP

Nixu Threat Intelligence assesses with high confidence that the vulnerability will most likely be analyzed and weaponized by advanced threat actors apart from it being used in the wild by NSO Pegasus. We recommend ensuring that the needed patching has been done for the major browsers Google Chrome, Firefox and Microsoft Edge. At present, there is no proper information on other products utilizing the library nor their patches or patch schedules regarding libwebp.

Moving forward, the general assumption we are working under is that while this hasn’t been widely exploited yet, it is just a matter of time for a Proof-of-Concept (PoC) to emerge. This could be against any one of the wide array of software that rely upon the library. We believe the threat vector remains on the client-side as it will likely require user interaction via opening it as a payload (maybe a maliciously formed image file) in the right software type for a compromise to take hold.

Nixu Threat Intelligence
Nixu Corporation
threats@nixu.com

Related blogs