Libwebp: Special Vulnerability Advisory (CVE-2023-4863)

October 2, 2023
Executive Summary

Safety’s Cybersecurity Intelligence team relentlessly pursues an understanding of all disclosed Common Vulnerabilities and Exposures (CVEs), while simultaneously performing research for undisclosed security flaws and malicious software packages. 

In this post, we bring you an in-depth analysis of a recently discovered vulnerability in the libwebp library that has not only shocked the security community but also warrants immediate action.

Key Details

  • Article Last Updated: November 14, 2023
  • Affected Library: libwebp
  • CVE ID: CVE-2023-4863
  • Recommendation: update libwebp to v1.3.2

We will update this advisory as more information becomes available.

Overview

While a 0-day vulnerability affecting the Chrome web browser garnered some attention a few weeks ago, research indicates that its implications and potential reach are far more extensive than initially understood.

The root of this vulnerability lies in the libwebp library, used for encoding and decoding the WebP image format. The specific point of failure is a heap buffer overflow within the Huffman coding algorithm, a mechanism employed for lossless image compression in WebP. Versions of libwebp 0.5.0 - 1.3.1 are impacted.

What is Heap Buffer Overflow

A heap buffer overflow occurs when more data is written to a block of memory allocated on the heap than that block can hold, so that the data spills into and overwrites adjacent heap memory. This could lead to arbitrary code execution, enabling an attacker to manipulate the application or even the system it runs on.

Exploitation Vector

With the crafting of malicious WebP images, malefactors could coerce users into opening these rigged files, thereby exploiting the bug to execute arbitrary code and steal sensitive data.

Potential Impact

Given that libwebp has evolved into a de facto standard library for handling WebP files, the scope of affected services is astonishingly broad, including but not limited to:

  • Popular web browsers: Firefox, Chrome, Safari, Edge
  • Containerization solutions
  • Content Management Systems (CMS)
  • Email service providers
  • Mainstream desktop applications: Slack, Electron, 1Password, Microsoft Teams, among others.

Cyber Warfare Implication

Previously, Rezilion reported that the exploitation of a buffer overflow vulnerability in Apple’s ImageI/O framework (CVE-2023-41064) and the one affecting libwebp, are the same flaw. The first was part of the BLASTPASS Exploit Chain, a pair of flaws (with CVE-2023-41061) that were capable of compromising iPhones running the then-latest version of iOS (16.6) without any interaction from the victim, and which were found to be used in the wild to deliver NSO Group’s Pegasus mercenary spyware. Alarmingly, it is believed that this new vulnerability, CVE-2023-4863, could be used to achieve similar objectives.

Since Android's BitmapFactory—a facility similar to Apple's ImageI/O—supports libwebp, Android-based applications such as Signal and WhatsApp could also be compromised. While no weaponized exploit code has been discovered yet, public PoCs and technical descriptions are available, allowing for potential weaponization.

Determining If a Libwebp Binary Is Vulnerable

Libwebp version 0.5.0 added the WebPCopyPlane export function. Version 1.3.2 (which contains the security fix) introduced the function VP8LHuffmanTablesAllocate. If the binary we want to analyze has not been stripped, we can use these two exported symbols to fingerprint it: a binary that exports VP8LHuffmanTablesAllocate carries the fix, while one that exports WebPCopyPlane but not VP8LHuffmanTablesAllocate falls in the affected 0.5.0 - 1.3.1 range. For example:

[Screenshot] Example 1: Vulnerable
[Screenshot] Example 2: Pillow 10.0.1 includes a patched binary
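The fingerprinting rule above as a small script, added here as an example and not part of the original advisory: it looks for the two exported symbol names as NUL-delimited strings, which is how an unstripped ELF or Mach-O symbol string table stores them (Mach-O with a leading underscore), and classifies the binary. The sample byte strings are constructed stand-ins, not real binaries.

```python
import re
import sys

# Exported symbol names the advisory uses as version markers. Assumed to be
# present as NUL-terminated strings in the symbol string table of an
# unstripped libwebp binary (ELF "WebPCopyPlane", Mach-O "_WebPCopyPlane").
MARKER_0_5_0 = b"WebPCopyPlane"              # exported since libwebp 0.5.0
MARKER_1_3_2 = b"VP8LHuffmanTablesAllocate"  # exported since the 1.3.2 fix


def has_symbol(blob: bytes, name: bytes) -> bool:
    """True if `name` occurs as a whole NUL-delimited string in `blob`.

    Requiring NUL on both sides (with an optional Mach-O leading underscore)
    avoids matching a longer symbol that merely contains `name`.
    """
    pattern = rb"\x00_?" + re.escape(name) + rb"\x00"
    return re.search(pattern, blob) is not None


def classify_libwebp(blob: bytes) -> str:
    """Classify a libwebp binary image by the symbols it exports."""
    if has_symbol(blob, MARKER_1_3_2):
        return "patched"       # 1.3.2 or later: carries the fix
    if has_symbol(blob, MARKER_0_5_0):
        return "vulnerable"    # 0.5.0 .. 1.3.1: affected by CVE-2023-4863
    return "inconclusive"      # older than 0.5.0, stripped, or not libwebp


def classify_file(path: str) -> str:
    with open(path, "rb") as fh:
        return classify_libwebp(fh.read())


# Constructed stand-ins for real binaries (only a string-table fragment).
SAMPLE_VULNERABLE = b"\x00WebPDecode\x00WebPCopyPlane\x00VP8LDecodeImage\x00"
SAMPLE_PATCHED = b"\x00_WebPCopyPlane\x00_VP8LHuffmanTablesAllocate\x00"
SAMPLE_STRIPPED = b"\x7fELF" + bytes(32)

if __name__ == "__main__":
    # Usage: python fingerprint_libwebp.py /path/to/libwebp.so [...]
    for p in sys.argv[1:]:
        print(f"{p}: {classify_file(p)}")
```

A stripped build, or one statically linked with hidden symbols, comes back "inconclusive"; in that case fall back to the vendor's or package's own version information rather than treating the result as safe.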

Recommendation: Urgent Call to Action

Given the looming threat and potential for extensive damage, we urgently recommend that all developers apply the necessary patches in accordance with vendor guidelines.

Similar to the infamous log4j vulnerability of 2021, libwebp is a deeply embedded dependency across a multitude of popular services, making immediate remediation crucial.

Known Affected PyPI Packages: 

FIXED:

Package | Downloads/month | Status | Affected Versions | Resources | Vuln ID
Pillow | 59,000,000 | FIXED | >=2.5.0,<10.0.1 | Patch Notes | 61489
Opencv-python | 11,067,000 | FIXED | >=3.4.9.31, >=4.8.1.78 (macosx wheels only) | Release Notes | 62308
Opencv-python-headless | 9,020,000 | FIXED | >=3.4.9.31, >=4.8.1.78 (macosx wheels only) | Release Notes | 62309
Pyproj | 8,266,000 | FIXED | >=2.6.1,<3.6.1 (macosx wheels only) | - | 62312
Rasterio | 1,670,000 | FIXED | >=1.0a1,<1.3.8post1 | Issue Tracker | 61489
Opencv-contrib-python | 1,503,000 | FIXED | >=3.4.9.31,<4.8.1.78 (macosx wheels only) | Release Notes | 62310
Pygame | 775,000 | FIXED | <2.5.2 | Patch Notes | 61494
Openxlab | 297,000 | FIXED | >=0.0.13,<0.0.24 | - | 62313
Opencv-contrib-python-headless | 189,000 | FIXED | >=3.4.9.31,<4.8.1.78 (macosx wheels only) | Release Notes | 62311
Decord | 147,000 | FIXED | >=0.3.7,<0.4.0 (macosx wheels only) | - | 62314
Kivy | 117,000 | FIXED | >=1.11.0rc1,<=2.1.0 (manylinux wheels only) | - | 62315
Imagecodecs | 115,000 | FIXED | >=2019.12.31,<2023.9.18 (macosx wheels only) | Patch Notes | 61496
Tesserocr | 58,000 | FIXED | ==2.6.1 (macosx wheels only) | - | 62314
Ffpyplayer | 16,500 | FIXED | >=4.2.0,<=4.3.2 (macosx wheels only) | - | 62317
Pygame-ce | 16,000 | FIXED | <2.4.0.dev2 | Fix Commit | 61918
Pywry | 10,400 | FIXED | <0.6.2 | Fix PR | 61928
Dlib-bin | 8,000 | FIXED | >=19.24.0,<=19.24.1 (macosx wheels only) | - | 62318
Gphoto2 | 3,700 | FIXED | >=2.3.0,<2.4.0 (macosx wheels only) | - | 62319
Openvisus | 3,200 | FIXED | >=1.2.85,<1.2.178 (macosx wheels only) | - | 62320
Robomaster | 1,000 | FIXED | ==0.1.1.44,==0.1.1.61 (macosx wheels only) | - | 62321
Webp | 33 | FIXED | <0.3.0 | Advisory | 61640

NOT FIXED:

Package | Downloads/month | Status | Affected Versions | Resources | Vuln ID
Kivy-deps.sdl2 | 147,000 | NOT FIXED | <=0.6.0 | - | 61495
Pycolmap | 12,800 | NOT FIXED | >=0.2.0,<=0.4.0 | - | 61942
Webptools | 6,200 | NOT FIXED | <=0.0.9 (macosx wheels only) | - | 61583
Imread | 1,300 | NOT FIXED | >=0.6,<=0.7.4 | - | 62301
Waifu2x-ncnn-vulkan-python | 1,250 | NOT FIXED | <=1.0.4 | - | 62302
Realsr-ncnn-vulkan-python | 1,250 | NOT FIXED | >=1.0.1,<=1.0.6 | - | 62303
Rife-ncnn-vulkan-python | 1,100 | NOT FIXED | <=1.2.1 | - | 62304
Srmd-ncnn-vulkan-python | 1,100 | NOT FIXED | >=1.0.0,<=1.0.2 | - | 62305
Realcugan-ncnn-vulkan-python | 1,050 | NOT FIXED | <=1.0.2 | - | 62306
Trialtracker | 20 | NOT FIXED | <=0.1.7 | - | 62307

It should be noted that any package that depends on one of the packages above (for example, anything that pulls in Pillow) may be transitively affected even though it does not bundle libwebp itself. To ensure visibility of such transitive vulnerabilities, we recommend performing regular scans using Safety CLI.

Safety’s Cybersecurity Intelligence team remains committed to vigilance in the face of ever-evolving cybersecurity threats and will update this advisory as more information becomes available.

For more information on Safety Cybersecurity, or to contact us regarding the content in this advisory, please email info@safetycli.com
