You can now find Cyber Kendra on Google News!

WebP 0day - Google Assign New CVE for libwebp Vulnerability

CVE-2023-5129 - New zero-day flaw in libwebp, a library found in millions of apps with a 10.0 base score.

CVE-2023-5129 WebP 0day
A critical zero-day vulnerability recently disclosed in the WebP image library also known as 0day in WebP poses a significant security risk across numerous software applications and platforms. 

Originally reported by Apple and Citizen Lab which was tracked as CVE-2023-4863 specific to Google Chrome. Earlier the vulnerability was reclassified as CVE-2023-5129 and correctly attributed as a flaw in libwebp with a maximum 10/10 severity rating by Google, but now the entry for CVE-2023-5129 has been taken down (rejected) and details on CVE-2023-4863 have been corrected to indicate that it's in libwebp and not just "Google Chrome".

The vulnerability exists in the lossless compression component of the open-source libwebp library that provides encoding and decoding of images in WebP format. Specifically, it is a heap buffer overflow issue within the Huffman coding algorithm used for lossless compression in WebP. 

By crafting malicious WebP images and getting victims to open them, attackers could leverage this bug to execute arbitrary code and access sensitive user data.

Ben Hawkes (former Project Zero manager) also wrote about this 0day, and he had this to say about it:

"The bad news is that Android is still likely affected. Similar to Apple's ImageIO, Android has a facility called the BitmapFactory that handles image decoding, and of course libwebp is supported. As of today, Android hasn't released a security bulletin that includes a fix for CVE-2023-4863 -- although the fix has been merged into AOSP. To put this in context: if this bug does affect Android, then it could potentially be turned into a remote exploit for apps like Signal and WhatsApp. I'd expect it to be fixed in the October bulletin."

Ben also shared a Proof of Concept and other interesting notes; make sure to check it out.

Who is and isn't affected by WebP 0day?

Initially, the bug was portrayed solely as a vulnerability in Google Chrome and assigned CVE-2023-4863 with a high severity rating. 

Also Read: Actively Exploited Libvpx Flaw Affects Both Firefox and Chrome Browsers

However, in truth, the security hole impacts any software that utilizes the WebP codec through the libwebp library, not just Chrome. Beyond Chromium-based browsers, this expansive list includes other major browsers like Mozilla Firefox, Apple Safari, and Microsoft Edge which all incorporate libwebp.

This vulnerability doesn't just affect web browsers, it affects any software that uses the libwebp library.
There are lots of applications that use libwebp to render WebP images, and you can check the list below

Numerous additional applications and software projects employ WebP image handling via libwebp across Linux, Android, Windows, macOS, and other platforms. Since the codec is built into Android, all native browser apps on Android devices are affected. The pervasive nature of the vulnerable library means the exposure is massive.

By incorrectly categorizing it as only a Chrome bug in the beginning, the far-reaching implications of the flaw were not fully recognized. However, its recent reclassification under CVE-2023-5129 accurately identifies it as a core vulnerability in libwebp itself. This makes it unambiguously clear that any platform or app using the libwebp library needs to push out patches to protect users.

Story of the CVEs (Update - 30th Sep. 2023)

We have seen many talks on this issue and must thank the community for taking the identifier in the right direction. 

Will Dormann, a vulnerability analyst has raised a concern about the CVE issued to the bug that was reported to Apple and Google. Reporting the same bug (same root cause) to two or different vendors and issuing CVEs by the vendor for the same bug may not be a good choice.

This vulnerability initially led to confusion in the CVE number assignment, resulting in three different CVE numbers for the same issue.

The CVEs that cause confusion are -

Published Date CVE ID Description
7/9/23 CVE-2023-41064 ImageIO Buffer Overflow Vulnerability in Apple Products, AKA BLASTPASS
13/9/23 CVE-2023-4863 Heap buffer overflow in WebP (Google Chrome)
27/9/23 CVE-2023-5129 Issue for libwebp library by Google (now rejected)

As the vulnerability was in the libwebp package of WebP codec, and we have already mentioned above that this vulnerability doesn't just affect web browsers, it affects all application that uses the libwebp package. This package stands out for its efficiency, outperforming JPEG and PNG in terms of size and speed. Due to its features, the adoption of this library is much wider. 

In practice, while exploitation isn't trivial, it's theoretically possible in any image processing context including server-side, making the scope of the vulnerability much wider than initially assumed as libwebp is a dependency for many commonly used applications.

The two different blog posts one from Ben Hawkes and another from Rezilion shed light on the confusion. 

Finally, the entry for CVE-2023-5129 has been taken down (rejected) and details on CVE-2023-4863 have been corrected to indicate that it's in libwebp and not just "Google Chrome". 

Details Corrected on CVE-2023-4863 🡻

Successful exploitation requires moderately complex user interaction but allows remote code execution nonetheless. With patches already available, organizations and developers dependent on WebP should urgently prioritize updating vulnerable versions before threat actors have a chance to exploit it in the wild.

According to a list compiled on Wikipedia, the following application uses WebP codec:

Old List

We have tried to compile a list of the products, Apps, or code that may use or support the Webp codec library.

Category Products
Web Browsers Beaker (web browser), GNOME Web, Google Chrome, Midori,
Mozilla Firefox, OhHai Browser, Pale Moon, Safari, SEOBrowse
Social Media Discord, Facebook, Instagram, Linked, ModernDeck for Twitter, Pinterest,
Reddit, SpinShare Client, Telegram, Twitter, WhatsApp, Yammer
Operating Systems Android, Windows
Video Platforms Lbry, Twitch, Vimeo, YouTube, YTMDesktop App
Graphics Software Aseprite, GIMP, Graphic Converter, ImageMagick, Paint.NET, Photoshop,
Photoshop and Picasa, Pixelmator, XnView
Cloud Storage Amazon Photos, Dropbox, Google Drive, Google Photos
Ecommerce Amazon, eBay, Etsy, Shopify, WooCommerce
CMS Drupal, Joomla, MediaWiki, WordPress
Email Services Gmail
Forum Software PHPBB, vBulletin, XenForo
Photo Editing GDAL, GIMP, Graphic Converter, ImageMagick, Paint.NET, Photoshop,
Photoshop and Picasa, Pixelmator, XnView
Game Engines Godot Engine, Unreal Engine, Unity
Desktop Software 1Password, Basecamp 3, Bitwarden, Blender, Cryptocat (discontinued),
Discord, Discord RPC Maker, Electron App Store (Unofficial), Etcher,
FastPictureViewer, Fifo FileCtor, Gitify, GitHub Desktop, GitKraken,
Gnome Web, healthi, Inboxer, Joplin, Keybase, LibreOffice, Light Table,
Logitech Options +, LosslessCut, Mattermost, Microsoft Office 2010,
Microsoft Teams, Motrix, Museeks, Music Player, Obsidian, QQ (for
macOS), Rambox, Signal, Skype, Slack, Spotify, Symphony Chat, Tabby,
Termius, TIDAL, VLC Media Player, Visual Studio Code, WebTorrent,
Windows Photo Viewer, Wire, Youtube Music for Desktop.
Mobile Apps Lyft, Telegram Messenger, Uber
Web Servers Apache, IIS, nginx
Developer Tools Advanced REST Client, Aeon, Antares, Appium Desktop, Barklarm, Believers
Sword, Blockbench, BoxHero, Brim, Buttercup, Camunda Modeler, Cider,
Clovery, Codex, Colorpicker, Cozy Desktop, CryptoARM GOST, Dat, DECK,
DeckMaster, Deskfiler, Dict, Django, Doki Doki Mod Manager, Dopamine,
DropPoint, Dusk Player, EBTCalc, ElectroCRUD, Electron App Store
(Unofficial), Erin, ETCD Manager, Etcher, ExifCleaner, Fifo FileCtor,
Fishing Funds, FLB Music, Flask, Frame, Gaucho, Gitify, gSubs, healthi,
HexoClient, ImageShrinker, Inboxer, Invizi, itch, Jasper, Juggernaut,
Kahla, Kap, KeeWeb, Knowte, Kube Dev Dashboard, Kube Forwarder, Laravel,
Laravel Kit, Last Hit, LBRY Desktop, Lepton linked, Lisk Hub, lsdeer,
Mailspring, Markdownify, massCode, mdp, mediaChips, Metronome Wallet,
Mini Diary, MJML App, Monokle, monolith code, MoviePrint, Mullvad, Netron,
Network Status Check, nteract, nuclear, OhHai Browser, Oversetter,
P3X Redis UI, PanWriter, passky, Patchwork,Pencil, Picturama, PiTV, poi,
Pomotroid, PreMiD, PrettyEarth, Primate Puppetry, Qawl, Quark,
Quba E-Invoice Viewer, QuickRedis, R6RC, Rainbow Board, Rambox, Rebaslight,
Recode Converter, Redis GUI (unofficial),RenderTune, React, Responsivize,
Ride Receipts, Scratch For Discord, SeaPig, Serina, Silex website builder,
SimpleInstaBot, Singlebox, Snippet Store, Socially, Soundnode, SpaceEye,
SpinShare Client, Sqlectron, sqlui-native, Standard Notes, Standup Picker,
Streamlabs OBS, Sturdy, Subtitler, Super Productivity, Switch, TagSpaces,
Taskana, TextureLab, Thorium Reader, Time Series Admin, To Do, todometer,
Transee, Translatium, Tropy, Tusk, Twinkle Tray, U Stair, Unfx Proxy
Checker, Upcount, Vue.js, WebKitty, WizardMirror, wnr, yana, Zap
Major Companies Facebook, Google, Slack, Wikimedia, WordPress.com
Other Programs/Scripts Display-dj, FFmpeg, GDAL, music-player, Musify, Notion, photoline,
Picasa, React, Signal, Sumatra PDF, Vue.js

The above list is prepared based on the data available on the Internet. Data may not be 100% accurate or up to date. We request everyone to help us to improve the accuracy of the data and keep it up to date.

WebP can also be displayed in all major browsers using the WebPJS JavaScript library, although support in Internet Explorer 6 and above is achieved using Flash.

Proper assessment as a libwebp codec vulnerability rather than a Chrome-specific issue is vital for security. The ease of attack means keeping systems current with fixes should be treated as an essential, high-priority task across the enormous user base of the popular WebP library.

Update from Microsoft - 2nd Oct. 2023

Microsoft has also acknowledged the flaws CVE-2023-4863 and released the fixes for the following products -

  • Microsoft Edge 
  • Microsoft Teams for Desktop
  • Skype for Desktop 
  • Webp Image Extensions (Released on Windows and updates through Microsoft Store) 

Update from MongoDB Team - 9th Oct. 2023

We like to thank the MongoDB team for helping us to maintain the list of affected products accurately. 
The MongoDB team via email confirmed Cyber Kendra that MongoDB Compass is not vulnerable to libwebp vulnerability. They noted -
The latest release of MongoDB is built on a version of Electron and Chromium that has the patch. Additionally, we are generally not affected because Compass never renders user generated content that is required for the exploit. 

Also ReadMultiple High Severity Vulnerabilities Fixed in Mozilla Products

Patch WebP 0day Now

A list of the vendors that pushed the WebP 0day patched against the vulnerability are -

We request all readers and the community to help us update the list of the vendor who is vulnerable and has pushed the patch to fix it. Comment down the vulnerable product or name also the source of the patch released (if available).

8 comments

  1. Electron was patched for the original exploit on the 12th or so, and many applications that use it can update to fix it as well.
    1. Thanks for the Update. 👍
  2. 1Password 8.10.15
    https://support.1password.com/kb/202309/
    1. Thanks for the update. 👍
  3. What is the source for this line?

    > Successful exploitation requires moderately complex user interaction but allows remote code execution nonetheless.

    I could not find any sources. In image parsing bugs, it would be pretty rare to need complex interaction, once a heap overflow is there. I have a theory that this is the result of two separate things:

    - It needs user interaction, meaning that somehow the Chrome user needs to load the web page containing the malicious webp.
    - Exploitation is moderately complex, as the number of assumptions leading to the code path is big. (Thus, -- the sources state -- finding it with fuzzing is/would have been difficult)

    However, the sentence this way is totally misleading, if I am correct.
    1. Yes, we agree. And we also updated the post.
      Thanks
  4. paint.net 5.0.10
    https://blog.getpaint.net/2023/10/01/paint-net-5-0-10-is-now-available/

    Updated the bundled WebPFileType to version 1.3.20. It now uses libwebp v1.3.2 which contains the fix for CVE-2023-4863/CVE-2023-5129 (thanks @null54!)
    1. Thanks for the update. We have updated the post accordingly.