On September 11th, 2023, Google published an update for Chrome that fixed CVE-2023-4863, “Heap Buffer Overflow Vulnerability in WebP.” Firefox was also added to this CVE.
This vulnerability appears to be similar to an earlier Apple vulnerability (CVE-2023-41064). Both vulnerabilities are zero-click (that is, they require no user interaction) exploits in processing images, which is a class of vulnerability that is very dangerous in desktop applications.
On September 25th, Google published a new CVE, CVE-2023-5159, which covered libwebp, a library used for processing Google’s WebP image format. Confusingly, Google then rejected their own, new CVE as a duplicate of CVE-2023-4863 and added libwebp (all versions before 1.3.2) to the original CVE. While this muddied the waters a bit, we’re left with the clear indication that it’s not only browsers that are affected but anything that uses the libwebp library.
What is libwebp?
WebP is an image format that Google designed as an open format for images that could, potentially, replace the older JPEG, PNG, and GIF formats. The libwebp library is a codec (that is, it enCOdes and DECodes the WebP format) that enables developers to integrate WebP into browsers, image editors, and other applications. It is widely used in applications and services that display and process images.
What is the Risk to Cloud Assets?
The primary risk from CVE-2023-4863 is through interactive browsing – this is where sources have publicly acknowledged active exploitation. While use of browsers such as Chrome and Firefox on cloud virtual machines is rare, it does happen. Additionally, automation that makes use of browser automation platforms like Selenium may be impacted. The codec is also used in the Electron UI framework so many other interactive applications may be impacted.
However, because libwebp use is ubiquitous in code that works with a variety of images, it’s possible that any application or service that processes images may be impacted if it uses libwebp, particularly if it processes images from untrusted sources.
How Do We Find Affected Assets?
Orca customers can use the Orca Cloud Security Platform to identify workloads that contain a vulnerable version of libwebp via Discovery or the Vulnerabilities Security View.
How Do We Respond?
As of now, there are no available mitigations. Update libwebp and any applications or services that use a vulnerable version. You can request a cloud security risk assessment to see if your organization has been impacted by this critical vulnerability.
Questions? Reach out via the Contact Us form, or contact your representative if you’re a current customer.