Image I/O & WebP/libwebp Zero-Day Vulnerabilities

Google/Heap Buffer Overflow Vulnerability in WebP (CVE-2023-4863)

Written by Michal Nowakowski of the Kudelski Security Threat Detection & Research Team

Summary

On September 7th, while investigating a vulnerability in Apple iOS 16.6 that was being exploited to install the Pegasus spyware, Citizen Lab, together with Apple’s Security Engineering and Architecture Team, notified Google of a related flaw in Google Chrome, which was assigned a separate identifier, CVE-2023-4863. On September 11th, Google released a Stable Channel Update for desktop versions of Chrome on Mac, Linux and Windows.

Further analysis and investigation revealed that the impact of this vulnerability is not limited to Google Chrome: any application that relies on the libwebp library to handle WebP images is potentially vulnerable to this attack.

On September 27th, Google modified the CVE-2023-4863 entry and expanded its scope to the multitude of commonly used applications, libraries, frameworks and operating systems that may be affected.

The list of systems affected by this vulnerability is significant (more than 700 entries) and includes widely used software such as:

  • Adobe Photoshop
  • Mattermost
  • Microsoft Teams
  • MongoDB Compass
  • TIDAL

Many of these have already been patched, for example:

Applications

Operating Systems

Other Software

When exploited successfully, this vulnerability allows a remote attacker to write data outside the bounds of a heap buffer using a specially crafted lossless WebP file, and the same file works across multiple browsers, operating systems and applications.

WebP is an image format whose lossless mode is sometimes known as VP8L; it allows high-quality images to be displayed on web pages at much smaller file sizes than traditional formats such as PNG and JPEG. libwebp is a library that allows programs to support the WebP file format.

Apple and Citizen Lab, who discovered the WebP vulnerability by coincidence, were actually investigating an exploit found in a framework called Image I/O, which is part of Apple’s operating systems (iOS, iPadOS, watchOS and macOS) and provides reading and writing of image file formats, including WebP. The core idea is to overflow the huffman_tables allocation in ReadHuffmanCodes (src/dec/vp8l_dec.c) by moving the huffman_table pointer beyond the pre-calculated kTableSize cache size. There are several pre-calculated bucket sizes depending on the number of color cache bits, but kTableSize only accounts for the first-level 8-bit table lookups and not for the remaining (second-level) 8-bit tables. When BuildHuffmanTable() then tries to populate a second-level table, it can write data outside the allocation's boundaries.

Attacks against this vulnerability can range from denial of service (DoS) to possible remote code execution (RCE).

Recommendations and mitigations

  • Disable WebP at the firewall level
    • Modify firewall rules to block both incoming and outgoing .webp files.
  • IDS/IPS level
    • Ensure that intrusion detection systems (IDS) and intrusion prevention systems (IPS) are updated with signatures related to libwebp vulnerabilities.
  • Web content filtering level
    • Configure web content filters to block or warn about attempts to download WebP images from untrusted or unrecognized sources.
  • Network level
    • Consider isolating systems that rely heavily on image processing in a segmented network zone, reducing potential exposure.
    • Implement strict access control for systems that process WebP images, ensuring that only necessary applications and users can interact with them.
  • Patch management
    • Use automated tools to scan your infrastructure for software reliant on the libwebp library, ensuring no instances are missed.
  • Tighten configuration
    • Where possible, disable WebP processing functions in applications until patches are applied.
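The content-filtering and configuration recommendations above, and the Huffman-table description earlier, both hinge on telling lossless (VP8L) WebP bitstreams apart from the rest. As an added example that is not part of the original advisory, the following Python script parses the RIFF/WEBP container and reports which bitstreams a file carries, so a content filter or mail gateway can flag lossless WebP files specifically instead of blocking every .webp. The container layout follows the public WebP specification; the sample files built with build_webp are constructed and are not valid images.

```python
import struct

def riff_chunk(fourcc, payload):
    """Encode one RIFF chunk: FourCC, little-endian size, payload, pad to even length."""
    return fourcc + struct.pack("<I", len(payload)) + payload + (b"\x00" if len(payload) & 1 else b"")

def build_webp(chunks):
    """Wrap chunks in a RIFF/WEBP container (constructed sample, not a real image)."""
    body = b"WEBP" + b"".join(riff_chunk(f, p) for f, p in chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body

def iter_chunks(buf, pos, end):
    """Walk RIFF chunks in buf[pos:end], yielding (fourcc, payload); rejects truncation."""
    while pos + 8 <= end:
        fourcc = buf[pos:pos + 4]
        size = struct.unpack_from("<I", buf, pos + 4)[0]
        start, stop = pos + 8, pos + 8 + size
        if stop > end:
            raise ValueError("truncated chunk %r" % fourcc)
        yield fourcc, buf[start:stop]
        pos = stop + (size & 1)  # chunks are padded to an even length

def vp8l_header(payload):
    """Decode the 5-byte VP8L header: 0x2f signature, 14-bit width-1, 14-bit height-1, alpha bit, version."""
    if len(payload) < 5 or payload[0] != 0x2F:
        raise ValueError("bad VP8L signature")
    bits = int.from_bytes(payload[1:5], "little")
    return {"width": (bits & 0x3FFF) + 1, "height": ((bits >> 14) & 0x3FFF) + 1,
            "alpha": (bits >> 28) & 1, "version": bits >> 29}

def classify_webp(data):
    """Return which bitstreams a WebP file carries, or None if it is not a WebP file."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        return None
    end = min(len(data), 8 + struct.unpack_from("<I", data, 4)[0])
    info = {"lossless": False, "lossy": False, "animated": False, "frames": []}
    def visit(fourcc, payload):
        if fourcc == b"VP8L":
            info["lossless"] = True
            info["frames"].append(vp8l_header(payload))
        elif fourcc == b"VP8 ":
            info["lossy"] = True
        elif fourcc == b"ALPH" and payload and (payload[0] & 0x03) == 1:
            info["lossless"] = True  # alpha plane with compression method 1 uses the lossless decoder
        elif fourcc == b"ANIM":
            info["animated"] = True
    for fourcc, payload in iter_chunks(data, 12, end):
        if fourcc == b"ANMF":
            # animation frame: 16-byte frame header, then the frame's own VP8/VP8L/ALPH chunks
            for inner, inner_payload in iter_chunks(payload, 16, len(payload)):
                visit(inner, inner_payload)
        else:
            visit(fourcc, payload)
    return info
```

A filter that only blocks files whose "lossless" flag is set leaves ordinary lossy WebP traffic untouched while still covering animated and extended (VP8X) containers that carry lossless frames or alpha planes.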

Solution

The recommendation is to patch all impacted systems to the recommended versions and to check for the presence of affected software.

The CFC is reviewing all affected applications in our environment to make sure there is no impact or exploitation.

Clients who have subscribed to the vulnerability service will receive critical vulnerability reports with their next vulnerability scan runs.

We will continue to monitor this vulnerability and provide further updates as they become available.

Sources

Tenable: CVE-2023-41064, CVE-2023-4863, CVE-2023-5129: Frequently Asked Questions for ImageIO and WebP/libwebp Zero-Day Vulnerabilities

Ars Technica: Incomplete disclosures by Apple and Google create “huge blindspot” for 0-day hunters

Tenable: https://www.tenable.com/cve/CVE-2023-4863/plugins

Google Chrome Releases: Stable Channel Update for Desktop
