Recent security disclosures have brought to light a critical vulnerability within the widely utilized ‘libwebp’ library. Initially believed to exclusively affect Google Chrome, it has become increasingly apparent that the impact of this vulnerability extends well beyond its initial scope.
This situation has prompted comparisons in the cybersecurity community to the recent Log4j vulnerability. Given its widespread reach and potential for exploitation, CVE-2023-4863 is a matter of utmost urgency, demanding immediate attention and heightened security measures.
Just previewing an image within widely-used applications like any web browser, Teams, Slack, VS Code, Skype, or any app capable of image processing and display presents a grave security concern. This vulnerability is not to be underestimated; it empowers attackers to execute arbitrary code, assume complete control of your endpoints, and unleash devastating ransomware attacks. The urgency to address this threat cannot be overstated—it jeopardizes users worldwide and demands immediate action.
Action1’s CVE-2023-4863 Vulnerability Detection
At Action1, we are dedicated to addressing critical security concerns promptly and effectively. To aid in the identification of vulnerable software, we have developed a powerful report that enables organizations to pinpoint potential vulnerabilities quickly. This report enhances your ability to assess and mitigate security risks efficiently.
Here’s how to use the report:
- Log in to your Action1 account.
- Navigate to the Built-in Reports, Patch Management section and locate the “WebP Vulnerability Status” report.
- Click on the report and you will see the report populate with software that has either been identified to have the WebP vulnerability or that the vendor has released a patch for.
Many of the affected applications have already released updates, and you can find their status in the report. If an update is unavailable, this will also be clearly indicated.
Understanding CVE-2023-4863
CVE-2023-4863, identified as a heap overflow vulnerability, poses a significant threat. It allows malicious actors to execute arbitrary code when unsuspecting users encounter a seemingly harmless WebP image. The gravity of this issue is underscored by Google’s decision to assign it a CVSS severity rating of 10 out of 10. (It’s worth noting that CVE-2023-4863 has been deprecated as a duplicate and is now referred to as CVE-2023-5129.)
Expansive Impact
The concerning aspect of CVE-2023-4863 is its far-reaching impact. Cybersecurity experts have identified this vulnerable library within the latest versions of various container images, which have been collectively downloaded and deployed billions of times. Notable software stacks, including Nginx, Python, Joomla, WordPress, and Node.js, have all been found to be vulnerable.
CVE-2023-4863 has not gone unnoticed, with independent discoveries by both the Citizen Lab and Apple’s Security Engineering and Architecture (SEAR) team. Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) has issued critical alerts, highlighting ongoing exploitation by unidentified threat actors and emphasizing the immediate danger it poses.
Communication Challenges
A notable aspect of this discovery is the initial miscommunication between Google and Apple concerning the affected products. This misalignment inadvertently provided threat actors with extra time and created a significant blind spot for zero-day hunters. Despite both companies relying on the libwebp library, they initially believed the vulnerability impacted different software.
The Connection to Pegasus Software
In an alarming twist, researchers have uncovered a link between CVE-2023-4863 and another vulnerability, CVE-2023-41064. The latter was previously exploited as part of the BLASTPASS exploit chain, which was responsible for deploying the notorious NSO Group’s Pegasus spyware onto targeted mobile devices. This connection adds another layer of concern to the significance and potential consequences of the libwebp library vulnerability.
