Libwebp: Special Vulnerability Advisory (CVE-2023-4863)
October 2, 2023
In-depth analysis of a recently discovered vulnerability in the libwebp library that has not only shocked the security community but also warrants immediate action.
Safety’s Cybersecurity Intelligence team relentlessly pursues an understanding of all disclosed Common Vulnerabilities and Exposures (CVEs), while simultaneously performing research for undisclosed security flaws and malicious software packages.
In this post, we bring you an in-depth analysis of a recently discovered vulnerability in the libwebp library that has not only shocked the security community but also warrants immediate action.
We will update this advisory as more information becomes available.
While a 0-day vulnerability affecting the Chrome web browser garnered some attention a few weeks ago, research indicates that its implications and potential reach are far more extensive than initially understood.
The root of this vulnerability lies in the libwebp library, used for encoding and decoding the WebP image format. The specific point of failure is a heap buffer overflow within the Huffman coding algorithm, a mechanism employed for lossless image compression in WebP. Versions of libwebp 0.5.0 - 1.3.1 are impacted.
What is Heap Buffer Overflow
A heap buffer overflow occurs when more data is written to a block of allocated memory (a heap) than it can hold, causing adjacent memory blocks to be overwritten. This could lead to arbitrary code execution, enabling an attacker to manipulate the application or even the system it runs on.
With the crafting of malicious WebP images, malefactors could coerce users into opening these rigged files, thereby exploiting the bug to execute arbitrary code and steal sensitive data.
Given that libwebp has evolved into a de facto standard library for handling WebP files, the scope of affected services is astonishingly broad, including but not limited to:
Popular web browsers: Firefox, Chrome, Safari, Edge
Content Management Systems (CMS)
Email service providers
Mainstream desktop applications: Slack, Electron, 1Password, Microsoft Teams, among others.
Cyber Warfare Implication
Previously, Rezilion reported that the exploitation of a buffer overflow vulnerability in Apple’s ImageI/O framework (CVE-2023-41064) and the one affecting libwebp, are the same flaw. The first was part of the BLASTPASS Exploit Chain, a pair of flaws (with CVE-2023-41061) that were capable of compromising iPhones running the then-latest version of iOS (16.6) without any interaction from the victim, and which were found to be used in the wild to deliver NSO Group’s Pegasus mercenary spyware. Alarmingly, it is believed that this new vulnerability, CVE-2023-4863, could be used to achieve similar objectives.
Since Android's BitmapFactory—a facility similar to Apple's ImageI/O—supports libwebp, Android-based applications such as Signal and WhatsApp could also be compromised. While no weaponized exploit code has been discovered yet, public PoCs and technical descriptions are available, allowing for potential weaponization.
Determining If a Libwebp Binary Is Vulnerable
Libwebp version 0.5.0 added WebPCopyPlane export function. Version 1.3.2 (the security fix) introduced the function VP8LHuffmanTablesAllocate. If the binary file we want to analyze hasn’t been stripped, we can use this knowledge to fingerprint it and know if it is affected by this security flaw. For example:
Recommendation: Urgent Call to Action
Given the looming threat and potential for extensive damage, we urgently recommend that all developers apply the necessary patches in accordance with vendor guidelines.
Similar to the infamous log4j vulnerability of 2021, libwebp is a deeply embedded dependency across a multitude of popular services, making immediate remediation crucial.
It should be noted that all dependencies of the top packages (like pillow) may be transitively affected. To ensure visibility of such transitive vulnerabilities, we recommend performing regular scans using Safety CLI.
Safety’s Cybersecurity Intelligence team remains committed to vigilance in the face of ever-evolving cybersecurity threats and will update this advisory as more information becomes available.
For more information on Safety Cybersecurity, or to contact us regarding the content in this advisory, please email firstname.lastname@example.org.