A patched Chrome vulnerability disclosed at the beginning of September has been reevaluated and reclassified as a broader, severe vulnerability affecting the common open source library libwebp. The earlier discovery of CVE 2023-4863 was reported to be impacting Google Chrome and was swiftly patched. This week, after first logging a new CVE (CVE-2023-5129), Google has now marked 5129 as a duplicate and updated CVE-2023-4863 to reflect a broader attack surface of all uses of WebP and was given a CVSS score of 8.8, with an EPSS score of 38.99% (97th percentile).

CVE-2023-4863 was discovered initially as a zero-day heap buffer overflow vulnerability. The high score and EPSS percentile represents a critical rating, with the potential to significantly disrupt security teams. The situation feels similar to the Log4Shell vulnerability, due to its direct impact on the ubiquitous libwebp open source library. 

Software vulnerabilities are a persistent concern, but their impacts multiply when they reside within widely-used third-party libraries, hidden beneath layers of software stacks that could reside inside varying systems or devices. The recent discovery surrounding the WebP library vulnerability underscores the critical importance of comprehensively mapping the software ecosystem and its dependencies.

If you have the WebP library in your environment outside of Chromium applications, you should upgrade to libwebp version 1.3.2 as soon as possible to protect your devices from potential exploitation.

Understanding CVE-2023-4863 (fka CVE-2023-5219)

Originally detected as a Chrome-specific security issue, the vulnerability's true breadth was revealed as being rooted in the ubiquitous libwebp open-source library. This buffer overflow flaw could let remote attackers manipulate memory via a specially-crafted WebP image. Notably, the issues weren't solely with Chrome. The commonality of the libwebp package means that various software worldwide is potentially exposed. A recent revelation even connects Apple’s ImageIO vulnerability, CVE-2023-41064, to this same issue, suggesting broader ramifications. 

Embedded systems, from smart thermostats to industrial control units, heavily rely on third-party libraries to function. Such a dependency lattice complicates the threat landscape. While CVE-2023-4863 was initially detected as a Chrome-specific issue, its real risk stretched further, possibly reaching into the core of countless embedded devices via the libwebp open-source library.

This widespread usage isn’t just a Chrome or even a web-browser issue. It’s about the myriad of devices and systems that leverage the same foundational components. It is being actively exploited in the wild, raising concerns about its urgency and score.

How CVE-2023-4863 works

CVE-2023-4863 is a heap buffer overflow vulnerability in the libwebp package of WebP codec. The vulnerability resides in the "lossless compression" feature for WebP, also referred to as VP8L. This lossless image format is capable of storing and reproducing pixels with impeccable precision, ensuring that the image is rendered with absolute accuracy. This is made possible by WebP's implementation of an algorithm named Huffman coding. The target is an overflow of the huffman_tables allocation situated in ReadHuffmanCodes (src/dec/vp8l_dec.c). The strategy involves utilizing the VP8LBuildHuffmanTable/BuildHuffmanTable invocation in ReadHuffmanCode to advance the huffman_table pointer beyond the established buffer size.

The libwebp vulnerability extends its reach to a multitude of software and applications relying on the libwebp package. Analysis of common Linux libraries reveals that several (such as libqt5webkit5, libtiff and gnuplot to name a few) are also dependent on libwebp, further obscuring the depth of the problem.

It’s worth noting that the history of this CVE is a bit confusing - the NVD entry for CVE-2023-5129 is now marked “rejected” by Google (the CNA) as a duplicate of CVE-2023-4863. Searching your environment for the component libwebp and patching wherever it occurs as needed is the best way to proactively guard your environment.

Initial Discovery as a Zero Day

In early September, Apple reported CVE-2023-41064, which, while the details are light, appears to be a buffer overflow in ImageIO. Recently Apple's ImageIO functions added support for WebP, and this is where the buffer overflow is alleged to exist.  

This particular overflow was observed to be exploited in the wild by Apple as part of the BLASTPASS exploit in the NSO group’s Pegasus spyware. On September 6, Apple reported WebP vulnerabilities in Chrome to Google.  Google then issued CVE-2023-4863 and issued an urgent Chrome patch. Given this information, it seems likely that CVE-2023-41064 and CVE-2023-4863 may be the same bug in two different implementations.

These two WebP-related CVEs, across two major industry players, are a serious cause for concern. Specifically, where else is libwebp used under the covers, and what versions?  Some are comparing the scope of this problem to log4j, but we’re still early in the discovery process. 

Managing exploited vulnerabilities 

By leveraging Finite State's global search functionality, organizations can quickly and effectively find and manage exploited vulnerabilities. A quick search for the vulnerable software component will show you the products in your organization that contain the component, and you can quickly do triage to get your products patched or mitigate the vulnerability. Responding quickly and easily without painful multi-week analysis of source code is the main benefit of SBOMs and the Finite State software component analysis.

Figure 0. CVE-2023-4863 in the Finite State Platform

Active vulnerabilities like CVE-2023-4863 underscore the urgency and significance of an effective vulnerability management strategy that incorporates robust security protocols and precise vulnerability identification tools.

If you have an active team, you might worry about future code commits that contain this vulnerable component. The Finite State platform continuously monitors your products and reruns analysis to give you the most up-to-date vulnerability insights to strengthen your cybersecurity posture and proactively address vulnerabilities in an ever-evolving threat landscape.

Supply Chain Vulnerabilities: An Underestimated Concern

Vulnerabilities like this are not merely technical problems; they pose essential questions about software supply chain security:

  • Misunderstood Impact Analysis: Often, vulnerabilities are tagged against applications, sidelining underlying third-party libraries. This misdirection can lead to inaccurate risk assessments. It's not just about an app; it's about the myriad of components that come together to form it.
  • The Imperative for SBOMs: Incidents like these amplify the importance of Software Bill of Materials (SBOMs). Without comprehensive SBOMs, discerning whether your software or that of your suppliers is compromised becomes a daunting challenge. CVE-2023-4863 is a potent reminder that without deep-enough SBOMs, threats can remain hidden.
  • Navigating Supply Chain Complexity: This vulnerability reveals that software supply chain security isn't just about direct software components. Understanding all dependencies, even those multiple layers deep, is critical. It's not enough to ensure the safety of direct dependencies; their dependencies must be evaluated too.

Editor's Note: Matt Wyckhouse, Emily Patterson, Ryan Owen, and Lindsey Havens also contributed to the research and writing of this report.