Rezilion Researchers Uncover New Details on Severity of Google Chrome Zero-Day Vulnerability (CVE-2023-4863)

CVE-2023-4863 is a vulnerability impacting Google Chrome

By Ofri Ouzan & Yotam Perkal, Rezilion Security Research

On September 11th, 2023, Google released an emergency security fix for a critical vulnerability, identified as CVE-2023-4863, affecting Google Chrome for Windows, macOS, and Linux. CVE-2023-4863 is a zero-day heap buffer overflow vulnerability in Google Chrome’s WebP with a HIGH 8.8 CVSS score. The vulnerability allows a remote attacker to perform an out-of-bounds memory write via a crafted HTML page. According to Google’s report and the CISA KEV Catalog, the vulnerability is known to be exploited in the wild, which highlights its urgency. It affects any application or software that uses the libwebp package of the WebP codec, which significantly increases the attack surface.

Rezilion analysis of the vulnerability reveals that:

  • The scope of this vulnerability is much wider than initially assumed, affecting millions of different applications worldwide
  • Vulnerability scanners will not necessarily provide a reliable indication of the presence of this vulnerability, due to being wrongly scoped as a Chrome issue.
  • It is highly likely that the underlying issue in the libwebp library is the same issue resulting in CVE-2023-41064 used by threat actors as part of the BLASTPASS exploit chain to deploy the NSO Group’s Pegasus spyware on target mobile devices.

Rezilion analysis reveals that there are several common Linux applications that contain or use the vulnerable libwebp package as a dependency. Examples include: libtiff, python-pillow, libgd, gnuplot, libavcodec58, libmagickcor, libqt5webkit5, libgvc6, libimlib2, and others. 

Rezilion has also identified the vulnerable library in the latest versions of several popular container images, collectively downloaded and deployed billions of times, such as Nginx, Python, Joomla, WordPress, Node.js, and more.

While identified exploitation attempts were initially associated with various web browsers, it is important to update any affected instances of the libwebp package, as additional exploitation scenarios are possible.

The vulnerability was discovered by a team comprising Apple’s Security Engineering and Architecture team and Citizen Lab, a research group at the University of Toronto that tracks nation-state cyber attacks, which recently discovered another two vulnerabilities, tracked as CVE-2023-41064 and CVE-2023-41061. All three, CVE-2023-41064 and CVE-2023-41061 as well as CVE-2023-4863, are overflow zero-day vulnerabilities that provide remote code execution capabilities through malicious images. They were released only 5 days apart and are known to be exploited in the wild according to CISA.

Up until now, the relationship between these two cases was still unknown, but these similarities got us thinking that there is a stronger connection between these vulnerabilities. Apparently, we were not the only ones having these thoughts.

These thoughts triggered an in-depth analysis that uncovered the true scope of this vulnerability, revealed inherent detection gaps for most traditional vulnerability scanners, as well as raised some questions regarding the CVE assignment process.

The connection to CVE-2023-41064

CVE-2023-41064 was recorded to be exploited in the wild as part of a zero-click exploit chain referenced as BLASTPASS. This exploit chain was used by threat actors to compromise iPhones running the latest version of iOS (16.6) and deploy the NSO Group’s Pegasus spyware without any interaction from the victim.

Due to the many similarities mentioned above, and since we now understand (from the fix) that the CVE-2023-41064 vulnerability is actually in the libwebp library, we decided to explore the possibility that CVE-2023-4863 and CVE-2023-41064 actually stem from the same underlying issue.

From the libwebp fix commit for CVE-2023-4863, we see that the affected files are vp8l_dec.c, vp8li_dec.h, huffman_utils.c, and huffman_utils.h.

According to the Apple security advisory, CVE-2023-41064, affecting macOS, iPadOS, and iOS, stems from an issue in the ImageIO framework.

As can be seen in the below screenshot, the issue was indeed reported by the same researchers that reported CVE-2023-4863 to Google.

So can it be that the same vulnerable libwebp code resides within the Apple ImageIO library? It appears so!

We analyzed the ImageIO binaries on a macOS system and found evidence that libwebp is indeed used. Moreover, we identified both vp8l_dec.c and huffman_utils.c, the vulnerable files for CVE-2023-4863, being referenced as part of ImageIO.

So what seems to have happened here?

Well, it seems that the researchers reported the issue to both the Google and Apple teams, and each team issued a separate CVE. Google scoped the vulnerability as affecting Chrome, while Apple associated it with their internal ImageIO framework and hence scoped the issue as affecting only Apple operating systems.

In fact, the issue stems from the libwebp dependency, which both products use.

But here comes the kicker…

Since the vulnerability is scoped under the overarching product containing the vulnerable dependency, the vulnerability will only be flagged by vulnerability scanners for these specific products. This creates a HUGE blindspot for organizations blindly relying on the output of their vulnerability scanner.

This is a classic case of a False Negative result. It means that if your scanner doesn’t detect CVE-2023-4863, you cannot be certain that your environment doesn’t have vulnerable instances of libwebp. This is because the scanner will only flag cases in which libwebp is a dependency of the products listed in the CPE (Common Platform Enumeration) field.

For this reason, for nearly a week after the vulnerability was added to the CISA KEV catalog, the majority of packages that depend on libwebp were not identified as affected by CVE-2023-4863 by any vulnerability scanners.

Just recently NVD updated the entry for CVE-2023-4863 to reflect that the vulnerability affects libwebp. Scanners that keep track of these changes in NVD metadata should now be able to start identifying CVE-2023-4863 more reliably.

The Vulnerability

This is a heap buffer overflow vulnerability in the libwebp package of WebP codec.

The heap is the area of a running program’s memory that holds dynamically allocated data, whose size is not known until the program is running.

A heap buffer overflow occurs when data is written beyond the allocated boundaries of a program’s memory heap, potentially leading to a denial of service or remote code execution.

The libwebp package of WebP codec is used to encode and decode images in WebP format.

The issue was fixed in the following commit, in BuildHuffmanTable. The fix adds a check that the data is valid and allocates more memory when there is not enough, in order to prevent attackers from overwriting the table with invalid data.

Actual Attack Surface

While the vulnerability initially seems to target Chromium-based applications, we now understand that it has the potential to affect a much wider range of software and applications relying on the ubiquitous libwebp package for WebP codec functionality. This package stands out for its efficiency, outperforming JPEG and PNG in terms of size and speed. Consequently, a multitude of software, applications, and packages have adopted this library, or adopted other packages that depend on it, creating a complex challenge when attempting to identify vulnerable systems. The sheer prevalence of libwebp extends the attack surface significantly, raising serious concerns for both users and organizations.

Organizations with SBOM solutions in their environment are advised to query the Software Bill of Materials (SBOM) for any package using a vulnerable version of libwebp as a dependency. It is especially important to make sure that the system libwebp library is patched as several applications such as chromium for example, are built against the system libwebp library.
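One way to run such a query yourself, shown as an added example rather than Rezilion's tooling: the Python below walks a CycloneDX-style JSON SBOM, finds libwebp components older than a chosen fixed version, and lists every component that depends on them directly or transitively. The sample SBOM, its version numbers and the `SAMPLE_FIXED` threshold are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed CycloneDX-style SBOM fragment (sample data, not a real scan).
SAMPLE_SBOM = {
    "components": [
        {"bom-ref": "app", "name": "image-service", "version": "2.4.0"},
        {"bom-ref": "pil", "name": "python-pillow", "version": "10.0.0"},
        {"bom-ref": "gd", "name": "libgd", "version": "2.3.3"},
        {"bom-ref": "webp-a", "name": "libwebp", "version": "0.0.1"},
        {"bom-ref": "webp-b", "name": "libwebp7", "version": "1:9.9.9-1"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pil"]},
        {"ref": "pil", "dependsOn": ["webp-a"]},
        {"ref": "gd", "dependsOn": ["webp-b"]},
    ],
}
# Placeholder threshold for the sample only; use your vendor advisory's fixed version.
SAMPLE_FIXED = (1, 0, 0)

def parse_version(text):
    """Leading three numeric fields, ignoring a distro epoch such as "1:"."""
    nums = [int(n) for n in re.findall(r"\d+", text.split(":", 1)[-1])]
    return tuple((nums + [0, 0, 0])[:3])

def libwebp_exposure(sbom, fixed_version):
    """Map each libwebp component older than fixed_version to its dependents."""
    comps = {c["bom-ref"]: c for c in sbom.get("components", [])}
    parents = defaultdict(set)  # reverse edges: dependency -> direct dependents
    for dep in sbom.get("dependencies", []):
        for target in dep.get("dependsOn", []):
            parents[target].add(dep["ref"])
    findings = {}
    for ref, comp in comps.items():
        version = comp.get("version", "unknown")  # unknown parses as 0.0.0: flagged
        if not comp["name"].lower().startswith("libwebp"):
            continue
        if parse_version(version) >= fixed_version:
            continue
        seen, stack = set(), [ref]
        while stack:  # walk upwards to collect transitive dependents
            for parent in parents[stack.pop()] - seen:
                seen.add(parent)
                stack.append(parent)
        names = sorted(comps[r]["name"] for r in seen if r in comps)
        findings[f'{comp["name"]} {version}'] = names
    return findings
```

Distribution packages often backport the fix without changing the upstream version number, so compare against the fixed package version from the distribution's own advisory rather than the upstream release number.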

As the popularity of the libwebp package implies that a multitude of systems could potentially be at risk, ascertaining the full extent of this vulnerability’s impact becomes a formidable undertaking. In this blog post, we aim to bring clarity to this intricate landscape, offer comprehensive information about affected systems and available fixes, and help users and organizations navigate through the complexities of this issue.

Affected Systems Breakdown

The following docker containers all contain the vulnerable library:

Source: dso.docker.com

A list of packages that depend on the “libwebp” package according to Arch Linux:

allegro, chafa, chromium, efl, electron22, electron23, electron24, electron25, emacs (requires libwebp.so), emacs-nativecomp (requires libwebpdemux.so), emacs-wayland (requires libwebp.so), emby-server, fbida, ffmpeg, ffmpeg4.4, freeimage, gd, gegl, gimp, godot, gogglesmm, graphicsmagick, gst-plugins-bad, gthumb, krita, krita, leptonica, lib32-libwebp, libreoffice-fresh, libreoffice-still, libvips, maim, mapnik, matrix-synapse, motion, netsurf, opencv (staging), opencv-cuda (staging), openimageio, qt5-imageformats, qt6-imageformats, qt6-imageformats, sdl2_image, skia-sharp, swayimg (requires libwebp.so), thunderbird (requires libwebpdemux.so), waifu2x-ncnn-vulkan, webkit2gtk, webkit2gtk (testing), webkit2gtk-4.1, webkit2gtk-4.1 (testing), webkitgtk-6.0, webkitgtk-6.0 (testing), webp-pixbuf-loader, weston, wpewebkit, gdal (optional), imagemagick (optional), imlib2 (optional), nikola (optional), pqiv (optional), python-pillow (optional), darktable (make), gdal (make), geeqie (make), imagemagick (make), imlib2 (make), libreoffice-fresh (make), libreoffice-still (make), pqiv (make), python-gdal (make), python-pillow (make), nikola (check), python-piexif (check).

A list of products containing the vulnerable version of libwebp as a dependency:

This list contains additional components that depend on libwebp making those dependent components also vulnerable. This list has been generated using Rezilion’s capability to identify vulnerable component dependencies based on dynamically generated SBOM.

A list of dependencies and affected products

A list of fixed software, browsers and packages:

Web Browsers

  • Google Chrome – Mac and Linux 116.0.5845.187 and Windows 116.0.5845.187/.188.
  • Mozilla – Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2
  • Brave Browser – version 1.57.64 (Chromium: 116.0.5845.188).
  • Microsoft Edge – versions 109.0.1518.140, 116.0.1938.81 and 117.0.2045.31.
  • Tor Browser – version 12.5.4.
  • Opera – version 102.0.4880.46.
  • Vivaldi – version 6.2.3105.47.

Operating Systems

  • Debian – released partial security fixes for chromium, firefox, firefox-esr, libwebp and thunderbird; not all distributions have a fix.
  • Ubuntu – released partial security fixes for chromium-browser, libwebp, firefox, thunderbird and mozjs; not all distributions have a fix.
  • Alpine – released security fixes for chromium, libwebp, qt5-qtimageformats and firefox-esr.
  • Gentoo – released a security fix in media-libs/libwebp version 1.3.1_p20230908.
  • RedHat – released security fixes (RHSA) for Mozilla Thunderbird, Mozilla Firefox and libwebp.
  • SUSE – released security fixes (SUSE-SU and openSUSE-SU) for Mozilla Firefox, Mozilla Thunderbird, libwebp and chromium packages.
  • Oracle – released security fixes (ELSA) for Mozilla Firefox and Mozilla Thunderbird.
  • Amazon Linux – has not yet pushed fixes to its AMI images.

Other Software

Fixed software with an unknown fix version, according to stackdiary:

Telegram, 1Password.

Affected software with no known available fixes, according to makeuseof:

Microsoft Teams, Slack, Skype, Discord, Affinity, Gimp, Inkscape, LibreOffice, ffmpeg.

Recommendations

Given the confirmed exploitation of CVE-2023-4863 in the wild, it is imperative to swiftly apply the provided patches to your systems. These patches have been specifically designed to address this critical vulnerability and should be deployed without delay. 

Given the initial wrong scoping of the vulnerability, scanner output for CVE-2023-4863 should be taken with a grain of salt, and it is advised to query your SBOM solution or asset inventory system for specific occurrences of libwebp in all of its vulnerable variations.

For software, applications, or packages that dynamically incorporate the libwebp package into their code rather than statically linking it, updating the libwebp library to the latest version is crucial. After the update, it is advisable to restart these applications to ensure the changes take effect.
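On Linux, one way to find the processes that still need that restart is to read each process's `/proc/<pid>/maps` listing: a libwebp shared object that was replaced on disk while still loaded shows up with a ` (deleted)` suffix. The Python below is an added example, not Rezilion's tooling; the sample listing and its file names are constructed.

```python
import os
import re

# libwebp, libwebpdemux, libwebpmux and hash-suffixed bundled copies.
LIBWEBP_RE = re.compile(r"/libwebp[^/]*\.so")
DELETED = " (deleted)"  # suffix the kernel adds once the mapped file is unlinked

# Constructed sample of one process's maps listing (not from a real host).
SAMPLE_MAPS = """\
55d0c8a00000-55d0c8a21000 r-xp 00000000 08:01 393301 /usr/bin/convert
7f3a10000000-7f3a10021000 rw-p 00000000 00:00 0
7f3a1c200000-7f3a1c25e000 r-xp 00000000 08:01 527001 /usr/lib/libwebp.so.7.1.5 (deleted)
7f3a1c45e000-7f3a1c460000 rw-p 0005e000 08:01 527001 /usr/lib/libwebp.so.7.1.5 (deleted)
7f3a1c600000-7f3a1c60a000 r-xp 00000000 08:01 527044 /usr/lib/libwebpdemux.so.2.0.11
"""

def libwebp_mappings(maps_text):
    """Return {path: needs_restart} for libwebp objects in one maps listing."""
    found = {}
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping, no backing file
        path = fields[5]
        stale = path.endswith(DELETED)
        if stale:
            path = path[: -len(DELETED)]
        if LIBWEBP_RE.search(path):
            found[path] = found.get(path, False) or stale
    return found

def scan_processes(proc_root="/proc"):
    """Map pid -> libwebp mappings for every process we are allowed to read."""
    report = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as handle:
                hits = libwebp_mappings(handle.read())
        except OSError:
            continue  # process exited or permission denied
        if hits:
            report[int(entry)] = hits
    return report

if __name__ == "__main__":
    for pid, hits in sorted(scan_processes().items()):
        for path, stale in hits.items():
            print(pid, path, "RESTART NEEDED" if stale else "current file")
```

Run it as root to see every process. A statically linked or vendored copy of libwebp does not appear as a separate mapping, so this check complements the SBOM query and does not replace it.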

While safeguarding your systems is paramount, it’s essential to balance security with operational stability. When applying updates, be mindful of potential operational risks that could disrupt normal functioning. Plan and execute the update process carefully to minimize any adverse effects.

Although this blog post primarily addresses CVE-2023-4863, we would also like to emphasize the importance of addressing CVE-2023-41064 and CVE-2023-41061 since they were published recently, are zero-day vulnerabilities, and are known to be exploited in the wild. It seems these CVEs are simply a manifestation of the same issue affecting separate OSs. Hence, it is advisable to take swift action and apply patches to macOS Ventura 13.5.2 and watchOS 9.6.2, where applicable. 

Because CVE-2023-4863 was wrongly scoped as a browser vulnerability, most scanners will fail to detect it in cases where the libwebp library is being used as a dependency. Organizations should consider adopting alternative tooling to ensure all instances are detected and can be addressed promptly.

__________________________________

Get Help With CVE-2023-4863

To help organizations work around potential blindspots in their ability to detect all instances of CVE-2023-4863 within their environment, Rezilion is now offering a free risk assessment program.

Through this opportunity, organizations can access Rezilion’s inherent Dynamic SBOM capability to simply query the dependency tree of any environment in which Rezilion is deployed to instantly identify instances of software components using vulnerable libwebp versions as a dependency.

For example, in this screenshot from the Rezilion platform, on the right-hand side you can see examples of various components that are dependent on vulnerable versions of libwebp, including whether these components are actually in use (loaded to memory) or not:

No code, no agents, and no formal commitment is required to participate in the free risk assessment. Benefits of the program include:

  • Pinpoint ALL instances of CVE-2023-4863 in your software and dependencies – fast – with instant search capabilities
  • Know if instances are exploitable in your unique environments – not just exploitable in the wild – with the platform’s patented Runtime Analysis capabilities
  • Get smart guidance on not just what and where to patch, but which version patch to use to avoid breaking your build 
  • Share a complete software bill of materials (SBOM) of your dynamic software environment – and its risks – to assure customers that you are in compliance with security policies and requirements

To learn more about the free risk assessment program, or to sign up, visit https://info.rezilion.com/lp/cve-2023-4863-risk-assessment
