A critical zero-day vulnerability that was already exploited in the wild and patched in Chrome by Google has a new CVE ID (CVE-2023-5129). The issue is not a zero-day vulnerability in Chrome itself but in the libwebp library, which many popular applications use to encode and decode the WebP image format.
CVE-2023-5129: What Is It About
The root cause of this vulnerability is a flaw in how the Huffman coding algorithm was implemented. This flaw could allow attackers to trigger a heap buffer overflow and execute arbitrary code.
It turns out that they were right, which is why CVE-2023-5129 was issued.
What Happens Next
Ofri Ouzan and Yotam Perkal from Rezilion pointed out that the vulnerable libwebp library is in widespread use. It can be found in:
- Popular container images, “collectively downloaded and deployed billions of times” (e.g., drupal, nginx, perl, python, ruby, rust, wordpress)
- A variety of utilities that depend on libwebp
- The most popular web browsers (Chrome, Firefox, Microsoft Edge, Opera, etc.)
- Many Linux distributions (Debian, Ubuntu, Alpine, Gentoo, SUSE, etc.)
- The Electron framework, on which many cross-platform desktop applications are based
- A slew of other applications (including Microsoft Teams, Slack, Discord, LibreOffice, 1Password, Telegram, Signal Desktop, etc.)
Some of the projects listed above have already shipped a patch; others have yet to do so.
It is important that all consumers regularly update their operating system and software.
Enterprises that run regular vulnerability scans will be able to detect and remediate the vulnerability across all systems on their infrastructure.
Tom Sellers, principal research engineer at runZero, also shared a shell command that users can run on macOS to see which apps are based on which Electron version (versions 22.3.24, 24.8.3, 25.8.1, 26.2.1 and 27.0.0-beta 2 are patched for this vulnerability).
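Tom Sellers' command is not reproduced on this page. The following is an added example (not his command and not code from the original article) that classifies an Electron version against the patched releases listed above. The function names, the `27.0.0-beta.2` string format, treating majors above 27 as patched, and reading the version from the Electron Framework's `CFBundleVersion` are assumptions.

```shell
#!/bin/sh
# Added example. Patched releases are the ones named in the article:
# 22.3.24, 24.8.3, 25.8.1, 26.2.1 and 27.0.0-beta 2 (assumed to appear in
# version strings as 27.0.0-beta.2).

# electron_status VERSION -> prints patched | unpatched | unlisted | invalid
electron_status() {
    core=${1%%-*}; pre=""                         # 27.0.0-beta.1 -> 27.0.0
    if [ "$core" != "$1" ]; then pre=${1#*-}; fi  # pre = beta.1
    case $core in *.*.*) ;; *) echo invalid; return 0 ;; esac
    major=${core%%.*}; rest=${core#*.}; minor=${rest%%.*}; patch=${rest#*.}
    for p in "$major" "$minor" "$patch"; do
        case $p in ''|*[!0-9]*) echo invalid; return 0 ;; esac
    done
    case $major in
        22) fmin=3 fpat=24 ;;
        24) fmin=8 fpat=3 ;;
        25) fmin=8 fpat=1 ;;
        26) fmin=2 fpat=1 ;;
        27) fmin=0 fpat=0 ;;
        *)  # Assumption: majors after 27 were first released after the fix.
            if [ "$major" -gt 27 ]; then echo patched; else echo unlisted; fi
            return 0 ;;
    esac
    if [ "$minor" -gt "$fmin" ] || { [ "$minor" -eq "$fmin" ] && [ "$patch" -gt "$fpat" ]; }; then
        echo patched
    elif [ "$minor" -eq "$fmin" ] && [ "$patch" -eq "$fpat" ]; then
        # Same core as the fixed release: a prerelease sorts before the final.
        case $major:$pre in
            *:|27:beta.[2-9]*|27:beta.[1-9][0-9]*) echo patched ;;
            *) echo unpatched ;;
        esac
    else
        echo unpatched
    fi
}

# scan_apps [DIR]: macOS only. Assumes each app's bundled Electron Framework
# records the Electron version as CFBundleVersion in its Info.plist.
scan_apps() {
    find "${1:-/Applications}" -type d -name 'Electron Framework.framework' 2>/dev/null |
    while IFS= read -r fw; do
        v=$(/usr/libexec/PlistBuddy -c 'Print :CFBundleVersion' "$fw/Resources/Info.plist" 2>/dev/null) || continue
        printf '%s\t%s\t%s\n' "$(electron_status "$v")" "$v" "${fw%%.app/*}.app"
    done
}

if [ "${1:-}" = "scan" ]; then scan_apps "${2:-/Applications}"; fi
```

Run with the argument `scan` to print one status line per Electron app found; `unlisted` means the article names no patched release for that major version.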
Michael Taggart, a threat hunter, is compiling and updating a list of Electron-based apps, noting the version that each one uses.
03:15 AM ET Sept 28 2023 UPDATE
The CVE-2023-5129 ID was withdrawn by the CVE Numbering Authority (Google). The reason for the withdrawal is that it is a duplicate of CVE-2023-4863, which has been broadened to include its impact on the libwebp library.