Google has identified a critical security vulnerability within the libwebp image library, which plays a crucial role in rendering WebP format images. This vulnerability, known as CVE-2023–5129, has been assigned the highest severity rating of 10.0 on the CVSS rating scale. Libwebp has recently garnered significant attention in a manner reminiscent of the new Log4j vulnerability. This Cybersecurity Threat Advisory is issued due to its widespread usage, the gravity of the security risks it poses, its expansive attack surface, and several other contributing factors. Barracuda MSP recommends applying the latest patches available to mitigate the vulnerability.
What is the threat?
CVE-2023–5129 is commonly referred to as its predecessor, CVE-2023–4863. This critical security threat has been identified within the libwebp open-source library. This significantly impacts a wide range of software applications, including, but not limited to:
- 1Password
- Adobe Photoshop
- balenaEtcher
- Basecamp 3
- Beaker (web browser)
- Bitwarden
- CrashPlan
- Cryptocat (discontinued)
- Discord
- Eclipse Theia
- FreeTube
- GitHub Desktop
- GitKraken
- Joplin, Keeper
- Keybase
- Lbry
- Light Table
- Logitech Options +
- LosslessCut
- Mattermost
- Microsoft Teams
- MongoDB Compass
- Mullvad
- Notion
- Obsidian
- QQ (for macOS)
- Quasar Framework
- Shift
- Signal
- Skype
- Slack
- Symphony Chat
- Tabby
- Termius
- TIDAL
- Twitch
- Visual Studio Code
- WebTorrent
- Wire
- Yammer
This flaw, now officially recognized as a libwebp vulnerability, is rooted in a heap buffer overflow within the WebP format and is known to impact Google Chrome versions preceding 116.0.5845.187. The vulnerability is associated with the Huffman coding algorithm used by libwebp for lossless compression, enabling attackers to execute out-of-bounds memory writes through the exploitation of maliciously crafted HTML pages. Such an exploit poses significant risks, ranging from system crashes to arbitrary code execution and unauthorized access to sensitive information across these affected software applications.
Please note: the above-mentioned applications may be subject to updates as new information becomes available.
Why is it noteworthy?
The libwebp vulnerability holds particular importance due to it initially going unnoticed. This type of exploit can have severe consequences, from crashes to arbitrary code execution and unauthorized access to sensitive information. The revised critical rating underscores the importance of promptly addressing the security vulnerability across these platforms to ensure users’ data security.
What is the exposure or risk?
The reclassification of CVE-2023-5129 as a libwebp vulnerability holds particular importance as a potential security threat for numerous projects using libwebp, including 1Password, Signal, Safari, Mozilla Firefox, Microsoft Edge, Opera, and the native Android web browsers. Rezillion’s recent analysis disclosed a multitude of widely used applications, libraries, frameworks, and operating systems that could be affected. They emphasized the efficiency of libwebp in comparison to JPEG and PNG in terms of size and speed. Given its widespread adoption, this vulnerability presents significant concerns for users and organizations alike.
What are the recommendations?
Barracuda MSP recommends the following actions to limit the impact of this vulnerability:
- It is critical that all clients immediately apply the latest security patches and updates for known affected software applications.
- Utilize Barracuda XDR to actively monitor for any suspicious activities related to this vulnerability.
- Whenever possible, disable WebP processing features in applications until patches are implemented.
- If feasible, consider temporarily switching to unaffected image processing libraries in your applications.
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.bleepingcomputer.com/news/security/google-assigns-new-maximum-rated-cve-to-libwebp-bug-exploited-in-attacks/
- https://medium.com/@penquestr/libwebp-the-new-log4j-3e932b35bdcb
If you have any questions about this Cybersecurity Threat Advisory, please contact our Security Operations Center.