Google has assigned a new Common Vulnerabilities and Exposures (CVE) ID, CVE-2023-5129, to a critical security vulnerability in the open-source libwebp library. This vulnerability was initially disclosed as a Chrome weakness (CVE-2023-4863) but has now been reclassified as a libwebp flaw with a maximum severity rating of 10/10. The vulnerability, which involves a heap buffer overflow in the WebP format, affects Google Chrome versions preceding 116.0.5845.187. It poses a significant risk to user data security and impacts various projects that utilize the libwebp library, including 1Password, Signal, Safari, Mozilla Firefox, Microsoft Edge, Opera, and native Android web browsers.
Details:
- CVE ID: CVE-2023-5129
- Severity: Critical (10/10)
- Vulnerability Type: Heap Buffer Overflow
- Affected Software: Google Chrome (pre-116.0.5845.187) and projects using libwebp.
- Exploitation: This vulnerability resides within the Huffman coding algorithm used by libwebp for lossless compression and it enables attackers to execute out-of-bounds memory writes using maliciously crafted HTML pages.
- Consequences: Possible crashes, arbitrary code execution, and unauthorized access to sensitive information.
Timeline:
- The vulnerability was jointly reported by Apple Security Engineering and Architecture (SEAR) and the Citizen Lab at The University of Toronto’s Munk School on September 6.
- Google addressed the issue in less than a week.
- Initially categorized as a Chrome bug (CVE-2023-4863), the decision caused confusion in the cybersecurity community.
Implications:
The reclassification of CVE-2023-5129 as a libwebp vulnerability highlights its significance for various projects using the libwebp open-source library. Security researchers, including Ben Hawkes, have linked it to CVE-2023-41064, exploited as part of a zero-click iMessage exploit chain known as BLASTPASS, leading to infections with NSO Group’s Pegasus commercial spyware.
Recommendations:
- Update Software: Users and organizations should update Google Chrome to versions 116.0.5845.187 or later to mitigate the risk. Organizations should proceed in updating also other software used internally that uses the libwebp library.
- Library Users: Developers of software using the libwebp library should review their code for potential vulnerabilities and update to patched versions as they become available.
The SOC teams of OBRELA remain vigilant and are closely monitoring clients’ infrastructure regarding potential exploitation attempts.
References:
- https://thehackernews.com/2023/09/new-libwebp-vulnerability-under-active.html
- https://therecord.media/libwebp-vulnerability-more-widespread-than-expected
- https://securityaffairs.com/151576/hacking/cve-2023-5129-libwebp-flaw.html
- https://www.pcworld.com/article/2083926/highest-alert-level-security-vulnerability-affects-apps-like-telegram-and-1password.html
- https://nvd.nist.gov/vuln/detail/CVE-2023-5129
- https://nvd.nist.gov/vuln/detail/CVE-2023-4863