Critical vulnerabilities in libwebp (WebP) library

A recently identified vulnerability in the libwebp image library can lead to remote code execution (RCE) when exploited, allowing an attacker to run malicious code on your system. The flaw is a heap-based buffer overflow in libwebp, the library that encodes and decodes WebP image files.

Libwebp is a popular open-source library used to render WebP images. Because so many applications rely on libwebp to handle WebP images, popular software such as Chrome, Microsoft Edge, Safari, Adobe Photoshop, Slack, Discord, and WhatsApp is exposed to this vulnerability. The libwebp bug is expected to cause trouble across many different products, much like the Log4j case.

What is libwebp?

Libwebp is an open-source library developed by Google for encoding and decoding images in the WebP image format. It is used by a wide range of software, including popular web browsers such as Chrome, Microsoft Edge, Safari, and Mozilla Firefox, and many other applications. It is also widely used by image editors, Content Delivery Networks (CDNs), and a host of websites and online services.

WebP vulnerability: this is a heap buffer overflow in the WebP image format used by Google Chrome prior to 116.0.5845.187 and libwebp prior to 1.3.2. It allows a remote attacker to perform an out-of-bounds memory write via a crafted HTML page. It can affect any application that uses the WebP codec, which both encodes and decodes the WebP format.

The CVE numbering authority initially assigned CVE-2023-5129 to track this vulnerability but, to avoid confusion, rejected that designation on September 27. As a result, CVE-2023-4863 is the only identifier for tracking the vulnerability.

Which applications could be impacted?

Numerous applications that handle WebP images via libwebp may be affected. Popular examples include:

  • Google Chrome
  • Microsoft Edge
  • Safari
  • Slack
  • Discord
  • GitHub Desktop
  • Mozilla Firefox
  • 1Password
  • balenaEtcher
  • Basecamp 3
  • Beaker (web browser)
  • Bitwarden
  • CrashPlan
  • Cryptocat (discontinued)
  • Eclipse Theia
  • FreeTube
  • GitKraken
  • Joplin
  • Keybase
  • Lbry
  • Light Table
  • Logitech Options+
  • LosslessCut
  • Mattermost
  • Microsoft Teams

Such exploits have broader societal implications, and the full extent of the damage remains uncertain. Android is still vulnerable to the issue, which could lead to remote exploits of apps such as Signal and WhatsApp.

Security researcher Michael Taggart maintains a continually updated list of applications and whether they are vulnerable: https://gist.github.com/mttaggart/02ed50c03c8283f4c343c3032dd2e7ec

Recommendation 

  • Follow the guidance provided by the vendor for mitigation, patching, and updates
  • Upgrade all applications that use libwebp to at least version 1.3.2
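As an added example (not part of the original advisory), the following script checks reported version strings against the fixed releases named above (libwebp 1.3.2 and Chrome 116.0.5845.187) and, where a system libwebp is installed, asks it directly for its version through the real `WebPGetDecoderVersion()` API; the library path lookup and the packed-version layout are the assumptions it relies on.

```python
import ctypes
import ctypes.util

# First fixed releases stated in the advisory (CVE-2023-4863).
FIXED_LIBWEBP = (1, 3, 2)
FIXED_CHROME = (116, 0, 5845, 187)


def parse_version(text):
    """Turn '1.3.1' or '116.0.5845.96' into a tuple of ints so it compares numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def libwebp_is_patched(version):
    """True if a libwebp version string is 1.3.2 or later."""
    return parse_version(version) >= FIXED_LIBWEBP


def chrome_is_patched(version):
    """True if a Chrome/Chromium version string is 116.0.5845.187 or later."""
    return parse_version(version) >= FIXED_CHROME


def decode_packed_version(packed):
    """WebPGetDecoderVersion() packs the version as MAJOR<<16 | MINOR<<8 | REVISION."""
    return ((packed >> 16) & 0xFF, (packed >> 8) & 0xFF, packed & 0xFF)


def local_libwebp_version():
    """Query the system libwebp for its decoder version; None if no library is found."""
    path = ctypes.util.find_library("webp")  # assumption: shared library is discoverable
    if path is None:
        return None
    lib = ctypes.CDLL(path)
    lib.WebPGetDecoderVersion.restype = ctypes.c_int
    return decode_packed_version(lib.WebPGetDecoderVersion())


if __name__ == "__main__":
    found = local_libwebp_version()
    if found is None:
        print("no system libwebp found")
    else:
        status = "patched" if found >= FIXED_LIBWEBP else "VULNERABLE (CVE-2023-4863)"
        print(f"system libwebp {'.'.join(map(str, found))}: {status}")
```

Applications that bundle their own copy of libwebp (Electron apps, browsers) must be checked through their own version numbers rather than the system library.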

References: bleepingcomputer and NIST

-------------------------------------------------------------------------------------------------------------

🛡 I-SECURE, the 1st Managed Security Service Provider (MSSP) in Thailand

I-SECURE Co., Ltd. has a team of cyber threat response experts with more than 16 years of experience.

We are committed to being the leader in cybersecurity services and consulting, delivering the best services and solutions at international standards to our customers.

If you are interested in cybersecurity services, you can contact us through any of the channels below.

☎️ 02-615-7005

👩🏻‍💻 marketing@i-secure.co.th

🌎https://www.i-secure.co.th/
