CVE-2023-4863: Heap buffer overflow in Google libwebp (WebP)
The vulnerability CVE-2023-4863 is found in the open source Libwebp library and affects browsers such as Mozilla Firefox, Chrome and Edge
On September 6th, 2023 Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at the University of Toronto reported a critical vulnerability affecting an image compression library used in Chromium and other software solutions that support WebP images.
WebP is an image format that offers superior lossless and lossy compression for images on the Web. Thanks to WebP, developers and webmasters have the ability to generate more compact, high-quality images, which leads to a significant improvement in the loading speed of web pages.
Google developed an open source library for manipulating images in WebP format, known as Libwebp, providing tools and functionality for encoding and decoding images in this format.
The CVE-2023-4863 vulnerability lies in this library, specifically in the BuildHuffmanTable function used to validate the input data. The problem is that this function allocates extra memory when the existing table is not large enough for the input data; when a malicious WebP image is processed, arbitrary data can be written outside the bounds set in memory, which can lead to arbitrary code execution.
This vulnerability not only affects the Mozilla Firefox browser or others based on Chromium (Google Chrome, Microsoft Edge, Opera, Vivaldi, Brave, …) but also affects applications such as Thunderbird, Honeyview, Signal Electron, Affinity, Gimp, Inkscape, LibreOffice, Telegram, ffmpeg or 1Password, among others.
The Chromium team has already reported that this zero-day is being exploited in the wild, so affected products should be updated as soon as possible.
Key features of CVE-2023-4863
The main characteristics of this vulnerability are detailed below:
- CVE Identifier: CVE-2023-4863
- Publishing date: 12/09/2023
- Affected Software: Browsers such as Mozilla Firefox or Chromium based (Google Chrome, Microsoft Edge, Opera, Vivaldi, Brave); and applications such as Thunderbird, Honeyview, Signal Electron, Affinity, Gimp, Inkscape, LibreOffice, Telegram, ffmpeg or 1Password, among others.
- CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
- Affected versions: multiple products are affected. The affected versions are those lower than the fixed versions listed in the Mitigation table.
Mitigation
The main solution is to urgently update the affected products to the newly released versions that correct this vulnerability.
Some of the software versions fixing the vulnerability are listed below:
Affected Software | Fixed Version | Documentation |
---|---|---|
Google Chrome | Ver. 116.0.5845.187 (Mac and Linux); Ver. 116.0.5845.187/.188 (Windows) | https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html |
Mozilla Firefox | Ver. 117.0.1; Ver. ESR 102.15.1; Ver. ESR 115.2.1 | https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/ |
Thunderbird | Ver. 102.15.1; Ver. 115.2.2 | |
Microsoft Edge | Ver. 116.0.1938.81 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4863 |
Brave | Ver. 1.58.124 | https://github.com/brave/brave-browser/issues/33032 |
Opera | Ver. 102.0.4880.51 | https://blogs.opera.com/desktop/2023/09/opera-102-0-4880-51-stable-update/ |
Vivaldi | Ver. 6.2 | https://vivaldi.com/blog/desktop/minor-update-three-6-2/ |
Honeyview | Ver. 5.51 | https://en.bandisoft.com/honeyview/history/ |
Most of the affected products have automatic updates enabled by default, so a restart of the application is the only requirement. Otherwise, the patch should be applied manually as soon as possible.
It is important to mention that the list of affected products continues to grow every day, so it is recommended to watch for future updates on this vulnerability.
Vulnerability detection
The details of the CVE-2023-4863 vulnerability are complex, so it is recommended to rely on the patch released by the vendor that fixes the vulnerability and to verify that the affected applications and browsers are at an equal or higher version.
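The version check recommended above can be automated against the Mitigation table. The following Python script is an added example, not code from the original advisory or from Tarlogic: it encodes the fixed versions from the table, picks the right threshold for products that ship several supported branches (Firefox and Thunderbird ESR lines), and flags every entry of a constructed software inventory that is still below the fix. The inventory lines are made up for illustration.

```python
import re

# Fixed versions copied from the Mitigation table above. Products with several
# supported branches list one threshold per branch. For Chrome on Windows the
# table gives .187/.188; the lower build is used as the threshold.
FIXED_VERSIONS = {
    "google chrome": ["116.0.5845.187"],
    "mozilla firefox": ["117.0.1", "102.15.1", "115.2.1"],
    "thunderbird": ["102.15.1", "115.2.2"],
    "microsoft edge": ["116.0.1938.81"],
    "brave": ["1.58.124"],
    "opera": ["102.0.4880.51"],
    "vivaldi": ["6.2"],
    "honeyview": ["5.51"],
}

def parse_version(text):
    """Turn '116.0.5845.187' (or 'Ver. ESR 115.2.1') into a tuple of ints."""
    match = re.search(r"\d+(?:\.\d+)*", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))

def _pad(version, width):
    """Right-pad with zeros so '6.2' and '6.2.0' compare as equal."""
    return version + (0,) * (width - len(version))

def is_patched(product, installed):
    """True if the installed version is at or above the fix for its branch."""
    fixed = [parse_version(v) for v in FIXED_VERSIONS[product.lower()]]
    inst = parse_version(installed)
    # An ESR user only needs the fix for their own major version; anyone on an
    # unlisted major must reach the newest (mainline) fixed release.
    same_major = [f for f in fixed if f[0] == inst[0]]
    threshold = same_major[0] if same_major else max(fixed)
    width = max(len(inst), len(threshold))
    return _pad(inst, width) >= _pad(threshold, width)

def audit(inventory):
    """Return the (product, version) pairs from the inventory still exposed."""
    return [(p, v) for p, v in inventory if not is_patched(p, v)]

# Constructed sample inventory, e.g. exported from an endpoint management tool.
INVENTORY = [
    ("Google Chrome", "116.0.5845.188"),   # Windows build, patched
    ("Mozilla Firefox", "102.14.0"),       # ESR 102, below 102.15.1
    ("Mozilla Firefox", "118.0"),          # newer mainline, patched
    ("Thunderbird", "115.2.1"),            # one build below the 115 fix
    ("Vivaldi", "6.1.3"),                  # below 6.2
]

if __name__ == "__main__":
    for product, version in audit(INVENTORY):
        print(f"UPDATE REQUIRED: {product} {version}")
```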
As part of its emerging vulnerability service, Tarlogic proactively monitors its customers’ perimeter to report, detect and urgently notify the presence of this vulnerability, as well as other critical threats that could have a serious impact on the security of their assets.
Update 28/09/2023: The CVE-2023-5217 vulnerability
Although the vulnerability CVE-2023-4863 was initially assigned to Google Chrome, it really affects the LibWebP library. That is why, on September 25th, a new dedicated CVE identifier, CVE-2023-5217, was created. It is the same vulnerability, but assigned to the library rather than to the Google Chrome browser exclusively. Google also assigned this new identifier the highest possible criticality, a CVSS 3.1 score of 10.
On September 27th, this new CVE identifier was rejected as a duplicate of CVE-2023-4863.
Even so, the vulnerability still affects all software that makes use of the LibWebP library.
References
- https://nvd.nist.gov/vuln/detail/CVE-2023-4863
- https://nvd.nist.gov/vuln/detail/CVE-2023-5217
- https://www.cve.org/CVERecord?id=CVE-2023-5129
- https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html
- https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/
- https://chromium.googlesource.com/webm/libwebp
- https://bugzilla.redhat.com/show_bug.cgi?id=2238431
- https://stackdiary.com/critical-vulnerability-in-webp-codec-cve-2023-4863/