Critical Actively Exploited Vulnerability in Web Browsers and Applications

UPDATE on 27 September 2023 at 11:40 p.m.: the list of vulnerable applications has been completed

The National Cyber Security Centre SK-CERT warns of a critical security vulnerability in the popular libwebp library that allows remote execution of arbitrary code. The vulnerability has reached a maximum CVSS score of 10.0. The library can be found in thousands of applications in all operating systems.

How does the vulnerability work? And what does it concern?

The libwebp library allows applications to read and write files in the WebP format. Web browsers and communication applications need support for this format, and as a second-level dependency the library is present in most applications that display HTML content for any reason. Since the library is the de facto standard for working with this format, the number of affected applications is enormous.

Exploiting the vulnerability is very simple. An attacker only needs to deliver a specially crafted malicious WebP file. The moment the application starts loading it, the attacker's malicious code executes on the victim's device, with no confirmation or interaction from the user required. Depending on the application, this may happen as soon as the message is delivered, before the user actively opens it.

The vulnerability is currently being actively exploited by attackers, and proof-of-concept code exists, which makes it even easier for attackers to exploit it.

The vulnerability is tracked as CVE-2023-5129 and, as mentioned above, has reached the maximum possible CVSS score of 10.0. The library is vulnerable in versions between 0.5.0 and 1.3.2.

Affected systems

The library is used both in desktop operating systems (including Windows, Linux, macOS) and in mobile devices (Android, iOS). Affected applications include:

  • Basecamp 3
  • Beaker (web browser)
  • Bitwarden
  • Brave
  • CrashPlan
  • Cryptocat (support discontinued)
  • Discord
  • Eclipse Theia
  • FreeTube
  • GitHub Desktop
  • GitKraken
  • Chrome
  • all web browsers based on the Chromium platform
  • Joplin
  • Keybase
  • Lbry
  • LibreOffice
  • Light Table
  • Logitech Options+
  • LosslessCut
  • Mattermost
  • Microsoft Edge
  • Microsoft Teams
  • MongoDB Compass
  • Mozilla
  • Mullvad
  • NixOS
  • Notion
  • Obsidian
  • QQ (for macOS)
  • Quasar Framework
  • Shift
  • Signal
  • Skype
  • Slack
  • Suse
  • Symphony Chat
  • Tabby
  • Termius
  • TIDAL
  • Tor Browser
  • Twitch
  • Ubuntu
  • Visual Studio Code
  • Vivaldi
  • WebTorrent
  • Wire
  • Yammer
  • Opera

The list of applications is not final; the vulnerability affects every application that uses the library.

A huge number of Docker containers based on one of the distributions in which this library is pre-installed can also be counted among those affected. However, the software running in the container may not actually use the library. It is almost impossible for a regular container user to confirm or rule this out, and we therefore recommend caution and updating Docker container images.

Recommendations

Since the vulnerability lies in a library that is one component of the application, every vendor that uses the library must ship a patched version of the library in their products.

The National Cyber Security Centre SK-CERT therefore recommends the following:

  • monitor information from the vendors of the applications you use, and download and install the latest security update as soon as it is released; check whether the latest security update for the application includes a patch for the vulnerable library;
  • until a security update is released for an affected application, limit its use and switch to alternatives that do not use the library;
  • for devices holding sensitive content, we recommend temporarily uninstalling instant messaging applications until the bug is fixed;
  • in the event of an incident that could be related to this vulnerability, report it to the National Cyber Security Centre SK-CERT at [email protected].
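The recommendation to verify that an update actually carries a patched libwebp, and the note above that a container user can hardly tell whether an image ships a vulnerable copy, both come down to reading the installed library version and comparing it against the fixed release. The following script is an added example written for this page; it is not part of the SK-CERT advisory and not code from the libwebp project. It assumes that 1.3.2, the upper bound the advisory names, is the first patched release, that 0.5.0 is the first vulnerable one as stated above, and that the system uses dpkg, rpm or apk; the version-comparison logic is pure POSIX sh so it also runs inside minimal container images.

```shell
#!/bin/sh
# Added example (not from the SK-CERT advisory or the libwebp project):
# report whether the installed libwebp package falls inside the advisory's
# vulnerable range. Assumptions: 1.3.2 is the first fixed release and 0.5.0
# the first vulnerable one (the two bounds the advisory gives).

FIXED_VERSION="1.3.2"
FIRST_VULNERABLE="0.5.0"

# Compare two dotted version strings; prints -1, 0 or 1 (a<b, a==b, a>b).
# Epochs ("1:") and distribution suffixes ("-0.2+deb12u1", "-r0") are cut
# off first so only the upstream part is compared. Missing components count
# as 0, so "1.3" equals "1.3.0".
version_cmp() {
    a=$(printf '%s' "$1" | sed 's/^[0-9]*://; s/[-+].*//')
    b=$(printf '%s' "$2" | sed 's/^[0-9]*://; s/[-+].*//')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=$(printf '%s' "${a%%.*}" | tr -cd '0-9'); x=${x:-0}
        y=$(printf '%s' "${b%%.*}" | tr -cd '0-9'); y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
        case $a in *.*) a=${a#*.} ;; *) a="" ;; esac
        case $b in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    echo 0
}

# True (exit 0) when VERSION lies in [FIRST_VULNERABLE, FIXED_VERSION).
libwebp_is_vulnerable() {
    [ "$(version_cmp "$1" "$FIRST_VULNERABLE")" -ge 0 ] &&
    [ "$(version_cmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Ask whichever package manager is present for the installed libwebp
# version. Prints nothing when no libwebp package is registered, which
# still leaves open that an application bundles its own private copy.
installed_libwebp_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        # Debian/Ubuntu split libwebp into libwebp7, libwebpmux3, ...;
        # all carry the same upstream version, so the first match suffices.
        dpkg-query -W -f='${Version}\n' 'libwebp*' 2>/dev/null | head -n 1
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q libwebp >/dev/null 2>&1 &&
            rpm -q --qf '%{VERSION}\n' libwebp | head -n 1
    elif command -v apk >/dev/null 2>&1; then
        # Alpine: "apk info -v" prints "libwebp-<version>-r<n>" when installed.
        apk info -v libwebp 2>/dev/null | sed -n 's/^libwebp-//p' | head -n 1
    fi
}

# Print a verdict for VERSION; exit 1 if vulnerable, 2 if nothing was found.
report() {
    ver="$1"
    if [ -z "$ver" ]; then
        echo "libwebp: no package found via dpkg/rpm/apk (an application may still bundle its own copy)"
        return 2
    fi
    if libwebp_is_vulnerable "$ver"; then
        echo "libwebp $ver: VULNERABLE (older than $FIXED_VERSION), update required"
        return 1
    fi
    echo "libwebp $ver: outside the advisory's vulnerable range"
    return 0
}

# Usage: "sh libwebp_check.sh installed" checks the local package,
#        "sh libwebp_check.sh 1.2.4-0.2" checks a version string you supply.
# With no argument the script only defines the functions above.
case "${1:-}" in
    "") ;;
    installed) report "$(installed_libwebp_version)" ;;
    *) report "$1" ;;
esac
```

To check a container image without installing anything in it, feed the script to the image's shell on standard input, for example `docker run --rm -i --entrypoint sh IMAGE -s installed < libwebp_check.sh`, and repeat for each base image you run. Two caveats apply to the result: distributions such as Debian and Ubuntu usually backport security fixes while keeping the upstream version number, so a "VULNERABLE" verdict for a distribution package should be confirmed against that distribution's security tracker or the package changelog before acting on it; and a clean verdict says nothing about applications that ship a private copy of libwebp (Electron-based applications and browsers do), which is why the advisory's first recommendation, confirming the fix with each application's vendor, still stands.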

Sources

