ALERT! – Critical Zero Day Vulnerability Reported by Google in Libwebp


A critical zero day vulnerability that was already exploited in the wild and patched in Chrome by Google has received a new CVE ID (CVE-2023-5129). The issue is not a zero day in Chrome itself but in the libwebp library, which many popular applications use to encode and decode the WebP image format.

CVE-2023-5129: What Is It About

The root cause of this vulnerability is a flaw in how the Huffman coding algorithm was implemented. This flaw could allow attackers to trigger a heap buffer overflow and execute arbitrary code.

libwebp versions 0.5.0 through 1.3.1 are affected by CVE-2023-5129. Version 1.3.2 fixes this zero day, which was given a CVSS score of 10, meaning that patching it is extremely critical.

Researchers from Rezilion had previously posted that CVE-2023-41064, a buffer overflow vulnerability in the ImageI/O framework that was recently fixed by Apple and exploited to deliver the NSO Group’s Pegasus spyware to Apple devices, and CVE-2023-4863, the Chrome zero day, are effectively the same flaw.

It turns out they were right, which is why CVE-2023-5129 was issued.

What Happens Next

Ofri Ouzan and Yotam Perkal from Rezilion pointed out that the vulnerable libwebp library is in widespread use:

  • Popular container images, “collectively downloaded and deployed billions of times” (e.g., drupal, nginx, perl, python, ruby, rust, wordpress)
  • A variety of utilities that depend on libwebp
  • The most popular web browsers (Chrome, Firefox, Microsoft Edge, Opera, etc.)
  • Many Linux distributions (Debian, Ubuntu, Alpine, Gentoo, SUSE, etc.)
  • The Electron framework, on which many cross-platform desktop applications are based
  • A slew of other applications (including Microsoft Teams, Slack, Discord, LibreOffice, 1Password, Telegram, Signal Desktop, etc.)

Some of the projects listed above have already shipped a patch; others have yet to do so.

It is important that all consumers regularly update their operating system and software.

Enterprises that run regular vulnerability scans will be able to detect and remediate the vulnerability across all systems in their infrastructure.

Tom Sellers, principal research engineer at runZero, also shared a shell command that users can run on macOS to see which apps are based on which Electron version (versions 22.3.24, 24.8.3, 25.8.1, 26.2.1 and 27.0.0-beta.2 are patched for this vulnerability).
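The two version facts in this article (libwebp 0.5.0 through 1.3.1 affected, fixed in 1.3.2; the patched Electron releases named above) are easy to get wrong when triaging by hand, because pre-release tags such as 27.0.0-beta.2 do not compare as plain strings. The following Python is an added example, not code from the article, from Rezilion or from runZero. It assumes two things: that any Electron release at or above the patched release of the same major line carries the fix (majors not named in the article are reported as unknown rather than guessed), and that the Electron version can be pulled from a user-agent style string of the form `Chrome/... Electron/X.Y.Z`, which is the shape of banner an inventory script would typically collect; the sample inventory is constructed.

```python
"""Added example (not from the original article): version checks for the
libwebp fix and for the patched Electron releases the article names."""
import re

# Affected libwebp range and first fixed release, as stated in the article.
LIBWEBP_FIRST_AFFECTED = "0.5.0"
LIBWEBP_LAST_AFFECTED = "1.3.1"
LIBWEBP_FIXED = "1.3.2"

# Patched Electron releases named in the article, keyed by major version.
# Assumption: any release at or above the patched release of the same major
# line carries the fix; majors not listed here are reported as "unknown".
ELECTRON_PATCHED = {
    22: "22.3.24",
    24: "24.8.3",
    25: "25.8.1",
    26: "26.2.1",
    27: "27.0.0-beta.2",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH[-PRERELEASE]' into a comparable tuple.

    Follows the semver ordering rule that a pre-release sorts before the
    corresponding final release: 27.0.0-beta.1 < 27.0.0-beta.2 < 27.0.0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    if pre is None:
        pre_key = (1,)  # final release: sorts after every pre-release
    else:
        parts = []
        for p in pre.split("."):
            # numeric identifiers compare numerically and rank below
            # alphanumeric ones, as semver specifies
            parts.append((0, int(p), "") if p.isdigit() else (1, 0, p))
        pre_key = (0, tuple(parts))
    return (major, minor, patch, pre_key)


def libwebp_is_affected(version):
    """True if this libwebp version lies in the affected range 0.5.0 .. 1.3.1."""
    v = parse_version(version)
    return (parse_version(LIBWEBP_FIRST_AFFECTED) <= v
            <= parse_version(LIBWEBP_LAST_AFFECTED))


def electron_status(version):
    """Classify an Electron version as 'patched', 'vulnerable' or 'unknown'."""
    v = parse_version(version)
    patched = ELECTRON_PATCHED.get(v[0])
    if patched is None:
        return "unknown"
    return "patched" if v >= parse_version(patched) else "vulnerable"


# Assumed banner format: the user-agent style string "Chrome/... Electron/X.Y.Z".
_ELECTRON_BANNER_RE = re.compile(r"Electron/(\d+\.\d+\.\d+(?:-[0-9A-Za-z.]+)?)")


def electron_version_from_banner(text):
    """Extract the Electron version from a banner string, or None if absent."""
    m = _ELECTRON_BANNER_RE.search(text)
    return m.group(1) if m else None


# Constructed sample inventory standing in for the output of an app scan.
# The Chrome build numbers are placeholders, not real release mappings.
SAMPLE_INVENTORY = {
    "App-A.app": "Chrome/1.0.0.0 Electron/22.3.20",
    "App-B.app": "Chrome/1.0.0.0 Electron/26.2.1",
    "App-C.app": "Chrome/1.0.0.0 Electron/27.0.0-beta.1",
    "App-D.app": "Chrome/1.0.0.0 Electron/23.3.13",
    "App-E.app": "no Electron framework found",
}


def triage_inventory(inventory):
    """Map each app to (electron_version, status) so vulnerable ones stand out."""
    report = {}
    for app, banner in inventory.items():
        ver = electron_version_from_banner(banner)
        report[app] = (ver, electron_status(ver) if ver else "unknown")
    return report


if __name__ == "__main__":
    for ver in ("0.4.4", LIBWEBP_FIRST_AFFECTED, LIBWEBP_LAST_AFFECTED, LIBWEBP_FIXED):
        print(f"libwebp {ver:6s} affected: {libwebp_is_affected(ver)}")
    for app, (ver, status) in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{app:10s} Electron {str(ver):14s} {status}")
```

Running it prints one line per libwebp version and one per app; in a real inventory the banner strings would come from whatever the macOS scan collected, and only the `SAMPLE_INVENTORY` dictionary needs replacing.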

Michael Taggart, a threat hunter, is compiling and updating a list of Electron-based apps, noting the Electron version each one uses.


03:15 AM ET Sept 28 2023 UPDATE

The CVE-2023-5129 ID was withdrawn by the CVE Numbering Authority (Google). The reason given for the withdrawal is that it is a duplicate of CVE-2023-4863, whose scope has been broadened to cover its impact on the libwebp library.
