DVD Networks now scans and identifies CVE-2023-4863, a critical vulnerability affecting the libwebp library with potentially severe implications for multiple applications, browsers, and operating systems. As disclosed, the vulnerability is considered to be on par with Log4j; in other words, far more serious and widespread than originally thought.
Our team is working diligently to help our customers identify and patch applications associated with this zero-day vulnerability. We are also actively expanding our scanning for more impacted software.
The Uncovering of CVE-2023-4863 in ‘libwebp’
Initial Disclosure
Two weeks ago, Google issued a security advisory for a critical vulnerability in the libwebp library, which is used to render WebP images. Initially disclosed as affecting only Chrome, the advisory proved to be too limited. As other major browsers began issuing notices, it became clear the impact was far-reaching, including any code that uses the libwebp library which means millions of applications are now at risk.
Massive Attack Surface
Cybersecurity experts noted that the vulnerable library was found in several popular container images’ latest versions, collectively downloaded and deployed billions of times, such as Nginx, Python, Joomla, WordPress, Node.js, and more.
Heap Overflow
This so-called heap overflow vulnerability, tracked as CVE-2023-4863, essentially allows attackers to execute malicious code when users view a booby-trapped WebP image. To reflect the critical nature of this vulnerability, Google revised the designation to CVE-2023-5129 and assigned it the highest CVSS severity rating of 10 out of 10. (Side note: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority since it’s a duplicate of CVE-2023-4863)
More Discoveries and Warnings
Further complicating the situation, the vulnerability was independently discovered by both the Citizen Lab and Apple's Security Engineering and Architecture (SEAR) team. The Cybersecurity and Infrastructure Security Agency (CISA) also issued warnings about active exploitation by undisclosed threat actors, showing the immediate risk posed by this vulnerability.
Reporting Missteps
Notably, critics say the miscommunication between Google and Apple during the early stages of addressing the vulnerability gave threat actors more time and created a “huge blindspot” for zero-day hunters. Both companies initially understood the vulnerability to affect different products, despite both using the libwebp library.
Link to Pegasus Software
Additionally, researchers identified a connection between this vulnerability and another, CVE-2023-41064, which had been previously exploited by threat actors as part of the BLASTPASS exploit chain. This chain was used to deploy the NSO Group’s Pegasus spyware on targeted mobile devices, further elevating the significance and potential consequences of the libwebp library vulnerability.
DVD Networks Responds to WebP Vulnerability
In response, we immediately mobilized resources to help our customers promptly identify and patch applications associated with this vulnerability. Our team is vigorously testing and deploying patches for a wide range of applications and platforms.
Patching
Specifically, patches are tested for:
- Google Chrome – Mac and Linux 116.0.5845.187 and Windows 116.0.5845.187/.188.
- Mozilla – Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2
- Brave Browser – version 1.57.64 (Chromium: 116.0.5845.188) [Android, iOS, Linux & Mac].
- Microsoft Edge – versions 109.0.1518.140, 116.0.1938.81, and 117.0.2045.31.
- Tor Browser – version 12.5.4.
- Opera – version 102.0.4880.46.
- Vivaldi – version 6.2.3105.47.
- Bitwarden
- LibreOffice
- Suse
- Ubuntu
- LosslessCut
- NixOS - Nix package manager
- Tails Project
Application Scanning
We are also undertaking comprehensive scanning for potential vulnerabilities across a diverse range of applications, including CrashPlan, Cryptocat (discontinued), Discord, Eclipse Theia, FreeTube, GitHub Desktop, GitKraken, Joplin, Keybase, Lbry, Light Table, Logitech Options +, LosslessCut, Mattermost. Microsoft Teams. MongoDB Compass, Mullvad, Notion. Obsidian QQ (for macOS), Quasar Framework, Shift, Signal, Skype, Slack. Symphony Chat, Tabby, Termius, TIDAL, Twitch, Visual Studio Code, WebTorrent, Wire, Yammer.
Empowering Our Customers
We are committed to empowering our customers to safeguard themselves and their end users against rising cyber threats. Count on us to deliver the full breadth of proactive cybersecurity, including, for instance:
- Attack Surface Scanning: We perform external Deep Attack Surface Scans to identify and address vulnerabilities in digital infrastructure and enhance overall security.
- Active Threat Management: We provide enhanced protection with EPSS (Exploit Prediction Scoring System) against evolving cyber threats through proactive monitoring, detection, and response measures.
- Patch Management: We diligently test and push out patches for all affected applications, ensuring swift remediation. (A surprising number of high-profile breaches, such as MOVEit and LastPass, are the result of unpatched applications.)
- Real-Time Updates: We promptly share updates and advisories to keep our customers informed of evolving threats
Final Word
We are working tirelessly to mitigate the risks associated with this critical vulnerability and urge our customers to remain vigilant, stay informed, and adopt proactive measures to stay ahead of potential threats. Questions? Please contact us for more information Support@dvdnetworks.com
