Webmproject, a popular media file format, has been experiencing hardships in security. Two of its libraries, libwebp and libvpx, have been found to contain zero-day vulnerabilities that affect multiple commonly used software products, such as Chrome, Edge, Tor, Telegram, and more! The two notorious vulnerabilities have been christened CVE-2023-4863 and CVE-2023-5217.
Patches for both vulnerabilities are available, as detailed in the solutions section.
What are these vulnerabilities?
CVE-2023-4863 (11th September 2023) and CVE-2023-5217 (29th September 2023) are critical vulnerabilities with so much in common that it’s surprising that they have different IDs. Both are heap buffer overflow vulnerabilities with a CVSS score of 8.8, with crafted HTML pages as attack vectors. Google first reported them, mistakenly thought to be only within Chrome, before their presence was discovered within webmproject libraries ‘libwebp’ and ‘libvpx’, respectively.
What makes these vulnerabilities so dangerous is that they affect every single application that relies on the libwebp and libvpx packages. Google has also stated in their security advisories for these CVEs that they are aware of exploits existing in the wild!
Interestingly, on 26th September 2023, Google assigned another CVE ID to the libwebp vulnerability – CVE-2023-5129 – categorizing it as a Chrome vulnerability rather than one in libwebp. This CVE ID was later marked as a reject by MITRE due to it being a duplicate of CVE-2023-4863. The existing records for both CVEs still cite them as Google Chrome vulnerabilities, but don’t let that confuse you.
Technical Details
CVE-2023-4863 is a heap buffer vulnerability in libwebp that allows an out-of-bounds memory write. The cause of this vulnerability was a bug in the “BuildHuffmanTable” function. Huffman coding is a popular greedy algorithm used for data compression. It works by assigning shorter bit sequences to the most frequently occurring symbols in a message and longer bit sequences to the less frequent ones.
Webp uses Huffman coding to ensure lossless compression (VP8L) so that each pixel in an image can be stored and restored perfectly. The vulnerable code used lookup tables to handle this, with information about bits and their values.
Memory allocation for the buffer was done using pre-calculated sizes stored in an array. However, the array did not handle sizes for second-level table lookups, which meant that if the number of bits used by BuildHuffmanTable to fill second-level tables were too large, an overflow would be triggered. A detailed exploit was written by Ben Hawkes here.
According to Hawkes, the patch for this vulnerability involves having BuildHuffmanTable return 0 for any invalid input that would have triggered the overflow.
Security experts say CVE-2023-4863 is similar to an older vulnerability (CVE-2023-41064). Citizen Lab first discovered CVE-2023-41064 in an exploit chain dubbed “BLASTPASS”, used to deploy NSO group’s Pegasus spyware via iMessage. This CVE involves a buffer overflow in ImageIO, Apple’s image parsing framework, which began supporting webp files just before the vulnerability was found. It is believed that CVE-2023-4863 and CVE-2023-41064 are both caused by the same bug.
As for CVE-2023-5217, another heap buffer vulnerability found in libvpx, the only known information is that the vulnerability arises from the VP8 media stream. Despite Google’s warning that they are present in the wild, no exploits are publicly available.
Affected Products
Disclaimer: This may not be a complete list of the products affected by CVE-2023-4863 and CVE-2023-5217.
- Browsers: Chrome, Edge, Brave, Tor, Opera, Firefox, Safari, Vivaldi
- Messaging apps: Signal, Telegram, Teams, Skype, Telegram
- Linux distributions: Alpine, Debian, Gentoo, Oracle, Red Hat, SUSE, Ubuntu
- Linux packages depending on libvpx (only CVE-2023-5217): avidemux-cli, ffmpeg (requires libvpx.so), ffmpeg4.4 (requires libvpx.so), gst-plugins-good, handbrake, handbrake-cli, lib32-libvpx, mencoder, mplayer, qt5-webengine, qt6-webengine, qt6-webengine, shotcut, thunderbird, toxcore, virtualbox, xpra, av1an (optional), baresip (optional), vlc (optional), avidemux (make), baresip (make), gstreamer (make), handbrake (make), mplayer (make), ovenmediaengine (make), virtualbox (make), vlc (make)
- Linux packages depending on libwebp (only CVE-2023-4863): allegro, chafa, chromium, efl, electron22, electron23, electron24, electron25, emacs (requires libwebp.so), emacs-nativecomp (requires libwebpdemux.so), emacs-wayland (requires libwebp.so), emby-server, fbida, ffmpeg, ffmpeg4.4, freeimage, gd, gegl, gimp, godot, gogglesmm, graphicsmagick, gst-plugins-bad, gthumb, krita, krita, leptonica, lib32-libwebp, libreoffice-fresh, libreoffice-still, libvips, maim, mapnik, matrix-synapse, motion, netsurf, opencv (staging), opencv-cuda (staging), openimageio, qt5-imageformats, qt6-imageformats, qt6-imageformats, sdl2_image, skia-sharp, swayimg (requires libwebp.so), thunderbird (requires libwebpdemux.so), waifu2x-ncnn-vulkan, webkit2gtk, webkit2gtk (testing), webkit2gtk-4.1, webkit2gtk-4.1 (testing), webkitgtk-6.0, webkitgtk-6.0 (testing), webp-pixbuf-loader, weston, wpewebkit, gdal (optional), imagemagick (optional), imlib2 (optional), nikola (optional), pqiv (optional), python-pillow (optional), darktable (make), gdal (make), geeqie (make), imagemagick (make), imlib2 (make), libreoffice-fresh (make), libreoffice-still (make), pqiv (make), python-gdal (make), python-pillow (make), nikola (check), python-piexif (check)
Impact
As seen above, the number of products affected by these vulnerabilities is immense, and most systems worldwide have at least one of these products installed! Moreover, a heap overflow vulnerability is quite dangerous. It allows an attacker to crash applications, execute remote code, take control of a system, access confidential data, and even install malicious software.
According to their tags upon disclosure, both vulnerabilities have already been exploited in spyware attacks. There is no information on these attacks available to the public. However, if the BLASTPASS theory is correct, it will be the only known exploit of the libwebp vulnerability.
Solutions
Microsoft, Google, and many other affected products have already released patches for these vulnerabilities! The first thing to do is update whichever software you think might be vulnerable. The list of products affected by these CVEs is long, so you might want to use a tool to do the job.
SecPod SanerNow has a Vulnerability Management product, which you can use to detect potential vulnerabilities in your software, and a Patch Management product, which will patch the software for you. With these tools, menacing CVEs such as the ones in this blog can be easily found and patched with minimal effort.