Back to Insights

Nixu Threat Intelligence Bulletin: Critical Libwebp Vulnerability Discovered

Nixu Threat Intelligence Team

Threat Intelligence Team

September 28, 2023 at 18:00

Critical Libwebp Vulnerability (CVE-2023-5129)

On 15 September, Nixu Threat Intelligence informed their clients that a vulnerability (CVE-2023-4863) in a library used by Google Chrome and Firefox browsers was being exploited in the wild. The library in question is libwebp and is used for image handling.

The flaw has now been given a new CVE identifier (CVE-2023-5129) which refers to the library itself. Google initially labeled it as a Chrome issue rather than assigning it to the library. The reclassification of CVE-2023-5129 as a libwebp vulnerability holds particular importance due to it initially going unnoticed as a potential security threat for numerous projects using libwebp.

Many browsers use this library for displaying images in the browser but there are also other projects that likely utilize it as well, such as 1Password, Signal, Mozilla Thunderbird, Adobe Photoshop, et al. This vulnerability mainly affects client-side software, which is used to render images on screen, but some server products likely implement it as well – Wordpress, as an example.

Furthermore, a security consulting firm has linked the originally reported CVE-2023-4863 to the CVE-2023-41064 vulnerability (addressed by Apple in early September) that was abused as part of a zero-click iMessage exploit chain (dubbed BLASTPASS) to infect fully patched iPhones with commercial spyware of the NSO Group Pegasus.

Details

=======

Product: Multiple

Risk: Arbitrary code execution, access to sensitive information

Link 1: https://nvd.nist.gov/vuln/detail/CVE-2023-5129

Link 2: https://arstechnica.com/security/2023/09/google-quietly-corrects-previously-submitted-disclosure-for-critical-webp-0-day/

Link 3: https://en.wikipedia.org/wiki/WebP

Nixu Threat Intelligence assesses with high confidence that the vulnerability will most likely be analyzed and weaponized by advanced threat actors apart from it being used in the wild by NSO Pegasus. We recommend ensuring that the needed patching has been done for the major browsers Google Chrome, Firefox and Microsoft Edge. At present, there is no proper information on other products utilizing the library nor their patches or patch schedules regarding libwebp.

Moving forward, the general assumption we are working under is that while this hasn’t been widely exploited yet, it is just a matter of time for a Proof-of-Concept (PoC) to emerge. This could be against any one of the wide array of software that rely upon the library. We believe the threat vector remains on the client-side as it will likely require user interaction via opening it as a payload (maybe a maliciously formed image file) in the right software type for a compromise to take hold.

Nixu Threat Intelligence
Nixu Corporation
threats@nixu.com

Related blogs

Nixu Threat Intelligence Bulletin: Russian hackers targeting the energy sector in the Baltic Sea region

Nixu Threat Intelligence has become aware of a warning by Ukraine's defense intelligence agency saying that Kremlin-backed hackers are planning to carry out massive cyberattacks on the country's critical infrastructure – targeting especially the energy sector. Furthermore, the agency estimates that the Kremlin intends to increase the intensity of DDoS attacks on the critical infrastructure of Ukraine's closest allies, particularly Poland and the Baltic countries.

Details

by Threat Intelligence Team
September 30, 2022 at 09:00

Nixu Threat Intelligence Bulletin #5: Russia's War in Ukraine

Moscow’s hope of a blitzkrieg campaign has turned into a protracted war.
by Threat Intelligence Team
March 15, 2022 at 17:16

Nixu Threat Intelligence Bulletin #4: Russia's War in Ukraine

As the war continues and sanctions harden, the probability for more widespread retaliatory cyberattacks rises.
by Threat Intelligence Team
March 8, 2022 at 16:00