LibWebP, the New Log4j

CVE-2023–4863 Critical CVSS Score 10.0

UPDATE: CVE-2023–5129 has now been rejected and instead is being referred to as its predecessor only, CVE-2023–4863

Originally on Medium: https://medium.com/@penquestr/libwebp-the-new-log4j-3e932b35bdcb

Background

Google has acknowledged a new and severe security flaw in the libwebp image library, which handles the rendering of WebP format images. This vulnerability, identified as CVE-2023–5129, has received the maximum severity score of 10.0 on the CVSS rating scale. The flaw arises from an issue in the Huffman coding algorithm which, with a specially crafted WebP lossless file, can lead to out-of-bounds data writing to the heap. The ReadHuffmanCodes() function and the ReplicateValue area are particularly impacted by this flaw.

This recent development follows after a similar bug was addressed by Apple, Google, and Mozilla, labeled under CVE codes CVE-2023–41064 and CVE-2023–4863. These bugs could lead to arbitrary code execution when dealing with a maliciously crafted image. Both vulnerabilities are believed to be related to the same core problem in the libwebp library. Citizen Lab reports that CVE-2023–41064 was used as part of a zero-click iMessage exploit chain called BLASTPASS to deploy the notorious Pegasus spyware. Further details are still pending.

Interestingly, while CVE-2023–4863 was previously reported as an issue affecting Google Chrome alone, further investigation reveals its impact to be much more widespread (this is now more of a moot point as 4863 has come back to replace 5129). Any application relying on the libwebp library to handle WebP images is potentially vulnerable. Rezillion’s recent analysis disclosed a multitude of widely used applications, libraries, frameworks, and operating systems that could be affected by CVE-2023–4863. They emphasized the efficiency of libwebp in comparison to JPEG and PNG in terms of size and speed. Given its widespread adoption, this vulnerability presents significant concerns for users and organizations alike.

As a part of their response, Google has expanded its fix for CVE-2023–4863 to include both the Stable channel for ChromeOS and ChromeOS Flex with the latest version release.

Comparison with the Log4j/Log4Shell Incident:

The described vulnerability in the libwebp image library draws parallels to the widely-publicized Log4j/Log4Shell incident from late 2021. Here’s how the two are reminiscent of each other:

1. Widespread Usage: Much like the Log4j library, which was integral to many Java-based applications, the libwebp library is foundational for rendering WebP format images. Its ubiquity amplifies the risk, as a significant portion of software in circulation could be affected.

2. High Severity Scores: Both vulnerabilities were designated with high severity scores on the CVSS scale. The Log4j flaw, known as CVE-2021–44228 or “Log4Shell”, was similarly given a score of 10.0, reflecting its critical nature.

3. Broad Attack Surface: Just as the Log4j vulnerability allowed attackers to remotely execute arbitrary code on vulnerable servers, the flaw in libwebp permits maliciously crafted files to write data out of bounds. The repercussions can be profound, potentially leading to unauthorized access, data breaches, and other malicious activities.

4. Misconceptions about Affected Platforms: In both cases, initial reports underestimated the extent of the vulnerability’s reach. For CVE-2023–4863, it was initially assumed to affect only Google Chrome, but later it was found to have a more universal impact. Similarly, with Log4Shell, while initial attention was on its implications for web services, it soon became apparent that numerous types of software, were at risk.

5. Rapid Exploitation: Both vulnerabilities saw swift exploitation following their public disclosure. In the case of Log4Shell, malicious actors were quick to launch attacks, scanning and targeting vulnerable servers within hours. It’s implied that CVE-2023–5129 and related flaws have already been exploited in the wild, as indicated by the BLASTPASS chain using the Pegasus spyware.

6. Post-Discovery Action: The aftermath of the discovery of both vulnerabilities saw a rush in the tech community to patch affected systems and software. This response highlights the urgency with which organizations, developers, and vendors treat such high-severity security flaws.

In essence, the libwebp vulnerability shares the hallmarks of the Log4j/Log4Shell incident. Don’t be surprised if the list of affected software grows.

Complete List of Affected Software (will keep this up to date)

• 1Password
• Adobe Photoshop
• balenaEtcher
• Basecamp 3
• Beaker (web browser)
• Bitwarden
• CrashPlan
• Cryptocat (discontinued)
• Discord
• Eclipse Theia
• FreeTube
• GitHub Desktop
• GitKraken
• Joplin
• Keybase
• Lbry
• Light Table
• Logitech Options +
• LosslessCut
• Mattermost
• Microsoft Teams
• MongoDB Compass
• Mullvad
• Notion
• Obsidian
• QQ (for macOS)
• Quasar Framework
• Shift
• Signal
• Skype
• Slack
• Symphony Chat
• Tabby
• Termius
• TIDAL
• Twitch
• Visual Studio Code
• WebTorrent
• Wire
• Yammer

Browsers and Software Updated with Patches for CVE-2023–4863:

• Google Chrome:
• — Mac and Linux: 116.0.5845.187
• — Windows: 116.0.5845.187/.188
• Mozilla:
• — Firefox: 117.0.1
• — Firefox ESR: 115.2.1, 102.15.1
• — Thunderbird: 102.15.1, 115.2.2
• Brave Browser: 1.57.64 (Chromium: 116.0.5845.188)
• Microsoft Edge: 109.0.1518.140, 116.0.1938.81, 117.0.2045.31
• Tor Browser: 12.5.4
• Opera: 102.0.4880.46
• Vivaldi: 6.2.3105.47
• Bitwarden- patched in 2023.8.4
• Zulip Server: 7.4
• Electron: 22.3.24, 24.8.3, 25.8.1, 26.2.1, 27.0.0-beta.2
• Xplan: 23.9.289
• Signal-Desktop: 6.30.2
• Honeyview: 5.51
• Slack (patched)
• 1Password (patched)
• Telegram (patched)

Operating Systems with Updates or Partial Fixes for CVE-2023–4863:

• Debian: Partial security fixes for chromium, firefox, firefox-esr, libwebp, thunderbird.
• Ubuntu: Partial security fixes for chromium-browser, libwebp, firefox, thunderbird, mozjs.
• Alpine: Security fixes for chromium, libwebp, qt5-qtimageformats, firefox-esr.
• Gentoo: Media-libs/libwebp version 1.3.1_p20230908.
• RedHat: RHSA fixes for Mozilla Thunderbird, Mozilla Firefox, libwebp.
• SUSE: SUSE-SU and openSUSE-SU fixes for Mozilla Firefox, Mozilla Thunderbird, libwebp, chromium packages.
• Oracle: ELSA fixes for Mozilla Firefox and Mozilla Thunderbird.
• Amazon Linux: Pending fixes for their AMI images.
• MacOS/ IpadOS: (No info at this time, but confirmed affected)

Github Repo Including over 700 Applications

https://gist.github.com/mttaggart/02ed50c03c8283f4c343c3032dd2e7ec        

Technical Recommendations for Addressing LibWebP (Some of these are intrusive to operations)

1. Disable WebP at Firewall Level:

• Configuration: Modify firewall rules to block both inbound and outbound files with a .webp extension.
• Validation: Regularly test firewall configurations to ensure the blocking is effective and no WebP files can penetrate the network.

2. Intrusion Detection & Prevention:

• Signature Updates: Ensure that your intrusion detection systems (IDS) and intrusion prevention systems (IPS) are updated with signatures related to the libwebp vulnerabilities.
• Traffic Analysis: Monitor network traffic for unusual patterns or spikes related to image file transfers which might indicate attempted exploits.

3. Web Content Filtering:

• Filter Configuration: Set up web content filters to block or alert on attempts to download WebP images from untrusted or unrecognized sources.
• Logging: Enable detailed logging for image file downloads, focusing on WebP format to trace any unexpected sources or high-frequency requests.

4. Network Segmentation:

• Isolate Sensitive Systems: Consider isolating systems that heavily rely on image processing in a segmented network zone, reducing potential exposure.
• Access Controls: Implement strict access controls to systems that process WebP images, ensuring only necessary applications and users can interact with them.

5. Patch Management:

• Automate Scans: Use automated tools to scan your infrastructure for software reliant on the libwebp library, ensuring no instances are missed.
• Scheduled Updates: Once patches become available, deploy them in a staged manner, starting with high-priority systems, and then cascading to others.

6. Endpoint Protection:

• File Monitoring: Configure endpoint protection platforms to monitor and alert on unexpected WebP file manipulations or executions.
• Sandboxing: For critical systems, consider sandboxing applications that process WebP images, so even if an exploit occurs, its impact is limited.

7. Secure Configurations:

• Disable WebP Processing: Wherever feasible, disable WebP processing capabilities in applications until patches are applied.
• Alternative Libraries: If your applications allow, consider temporarily switching to alternative image processing libraries that are not affected by the vulnerability.

Basic Guide for Affected Organizations:

1. 1. Awareness and Communication:

• Immediate Notification: Alert all stakeholders about the specific vulnerabilities related to the libwebp library, particularly CVE-2023–5129 and CVE-2023–4863.
• Safety Measures: Caution all employees and users against downloading or opening WebP format images, especially from untrusted sources.

2. Software Inventory:

• Detailed Scanning: Examine your software and applications inventory to check for any that use the Electron framework or directly utilize the libwebp library.
• Documentation: Create a prioritized list of all detected vulnerable applications, libraries, and systems.

3. Patching:

• Update Checks: Regularly look for available patches or security updates specifically addressing the libwebp vulnerabilities.
• Prioritization: Focus first on patching mission-critical software or systems that frequently handle WebP images.
• Test Before Deployment: Implement patches in a test environment to verify they don’t introduce new issues before a wider roll-out.

4. Monitoring and Reporting:

• Vigilance: Keep an eye on systems and network traffic for signs of exploitation attempts targeting the libwebp vulnerabilities.
• Incident Reporting: Set up a streamlined process for team members to notify the security team of any potential security breaches or unusual software behaviors.

5. Backup:

• Routine Backups: Ensure data backups occur regularly, especially for systems that handle or process WebP images.
• Secure Storage: Validate that backups are not only stored securely but are also readily accessible for a quick recovery.

6. Educate & Train:

• Reiterate Reporting: Stress the necessity of timely reporting for any suspicious or unexpected software activity, especially related to image processing.

7. Stay Informed:

• Stay Updated: Continuously monitor for new developments, patches, or advisories linked to the libwebp vulnerabilities.
• Collaborate: Engage in security forums and communities discussing the libwebp vulnerabilities to gain insights and adopt best practices.