As some of you may be aware a new zero day flaw has been identified in the libwebp library, a library used in virtually millions of applications.
The Vulnerability has been published with a 10.0 base score.
The Vulnerability and what we know
This is an emerging vulnerability and this advisory provides the information we know at present. We expect that this situation will remain very fluid. We are asking our customers and partners to be aware of the vulnerability and providing information to enable us all to get on the front foot.
However there are a number of key takeouts:
- This is going to have a large impact, unfortunately quite quickly.
- The scope of vulnerable software is not really known at this point.
- This is already being exploited in the wild!
Originally reported by Apple and Citizen Lab and tracked as CVE-2023-4863 specific to Google Chrome, the vulnerability has since been reclassified as CVE-2023-5129 and correctly attributed as a flaw in libwebp with a maximum 10/10 severity rating.
This vulnerability could impact a large swath of Android devices (consider your assets such as TVs and other IOT devices running an Android OS).
How is exploitation undertaken?
By crafting malicious WebP images and having victims open them, attackers could leverage this bug to execute arbitrary code and access sensitive user data.
Impacted applications
Known impacted applications
On top of the potential for Android devices to be impacted, please take a note of the following.
The list of impacted applications is currently indicative, however the following application use WebP codec:
- 1Password
- balenaEtcher
- Basecamp 3
- Beaker (web browser)
- Bitwarden
- CrashPlan
- Cryptocat (discontinued)
- Discord
- Eclipse Theia
- FreeTube
- GitHub Desktop
- GitKraken
- Joplin
- Keybase
- Lbry
- Light Table
- Logitech Options +
- LosslessCut
- Mattermost
- Microsoft Teams
- MongoDB Compass
- Mullvad
- Notion
- Obsidian
- QQ (for macOS)
- Quasar Framework
- Shift
- Signal
- Skype
- Slack
- Symphony Chat
- Tabby
- Termius
- TIDAL
- Twitch
- Visual Studio Code
- WebTorrent
- Wire
- Yammer
Patches
A number of vendors have released patches as follows:
- Google Chrome – Mac and Linux 116.0.5845.187 and Windows 116.0.5845.187/.188.
- Mozilla – Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2
- Brave Browser – version 1.57.64 (Chromium: 116.0.5845.188) [Android, iOS, Linux & Mac].
- Microsoft Edge – versions 109.0.1518.140, 116.0.1938.81, and 117.0.2045.31.
- Tor Browser – version 12.5.4.
- Opera – version 102.0.4880.46.
- Vivaldi – version 6.2.3105.47.
- 1Password — version 8.10.15
- Bitwarden
- LibreOffice
- Suse
- Ubuntu
- LosslessCut
- NixOS – Nix package manager
Patching Strategy
At this stage, given information at hand, we would suggest the following approach to patching:
- If any of the above Password managers are in use, patch immediately.
- Patch the “low hanging fruit” (i.e. Web browsers) on critical assets that house a sensitive dataset.
- Patch the “low hanging fruit” (i.e. Web browsers) on user assets whereby the user has access to workloads that access sensitive or personal (PII) data.
- Where a patch is available for the widely used applications, ensure that these are prioritised for patching.
Mitigation Strategy
In relation to the Android devices, where possible ensure that browsers are not used until Android releases a patch (which will hopefully be in quick time).
Please note that Secure-ISS wanted to get this out as soon as possible however further guidance will be forthcoming on other impacted software and their mitigations.
Threat Hunting and Vulnerability Assessment activities
Our team are currently working with our vulnerability assessment customers to identify these vulnerabilities and work on a tailored patching regime.
We are also working on identifying impacted applications via other tools for non Vulnerability assessment customers.
