Google released a security fix for a critical vulnerability affecting Google Chrome for Windows, macOS, and Linux. The vulnerability was assigned CVE-2023-4863 and a severity score of 8.8 (High).
Analysis showed a heap buffer overflow in the libwebp library that a threat actor could exploit to perform an out-of-bounds memory write via a crafted HTML page.
Google has since resubmitted the vulnerability, which is now tracked as CVE-2023-5129. It was later found that CVE-2023-41064 and this vulnerability are similar and affect the same libwebp library.
Threat actors exploited this library in the BLASTPASS exploit chain to deploy NSO's Pegasus spyware. Though the two vulnerabilities had different CVE IDs and were published by different vendors, they affect the same library.
Relation between CVE-2023-5129, CVE-2023-4863 & CVE-2023-41064
CVE-2023-4863 was a heap buffer overflow in libwebp, the WebP codec library. A heap buffer overflow occurs when data is written beyond the bounds of a heap allocation, which can lead to denial of service or arbitrary code execution.
libwebp encodes and decodes images in the WebP format. Further investigation showed that both vulnerabilities arise from the same underlying issue.
CVE-2023-41064 was described as a zero-click exploit and was exploited in the wild as part of the BLASTPASS exploit chain to compromise iPhones running iOS 16.6. By exploiting this vulnerability, threat actors deployed NSO's Pegasus spyware.
CVE-2023-5129 was submitted by Google with libwebp, rather than Google Chrome, listed as the affected product. According to this CVE, libwebp could write data out of bounds on the heap when processing a lossless WebP file. NVD rated its severity 10.0 (Critical).
The precomputed size array kTableSize accounts only for 8-bit first-level table lookups and does not account for the second-level tables. libwebp allows codes up to 15 bits long (MAX_ALLOWED_CODE_LENGTH). When BuildHuffmanTable() fills the second-level tables, the writes performed through ReplicateValue() land outside the allocated table.
Additionally, CVE-2023-41064 and CVE-2023-4863 were reported by the same security researcher, who reported the vulnerability to both companies, which is why two separate CVEs were issued.
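The following C program is an added illustration of the sizing mistake described above and of the defensive check that prevents it; it is not libwebp's code and not part of the original article. It uses a simplified two-level lookup-table layout (an 8-bit first level plus one second-level table per root prefix that has longer codes), constructed code-length sets rather than data from any real WebP file, and function names of my own choosing. The point it demonstrates: a table sized for first-level lookups alone (256 entries) is enough when every code is at most 8 bits, but canonical Huffman codes of up to 15 bits need additional second-level entries, so the required size must be computed from the actual code lengths before any entry is written.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ROOT_BITS 8          /* first-level table indexed by 8 bits, as in the article */
#define MAX_CODE_LENGTH 15   /* libwebp's MAX_ALLOWED_CODE_LENGTH is also 15 */
#define ROOT_SIZE (1u << ROOT_BITS)

/* A first-level-only table has exactly 2^ROOT_BITS entries. Using that as the
 * capacity of the whole table is the sizing mistake the article describes. */
#define FIRST_LEVEL_ONLY_CAPACITY ROOT_SIZE

/* Reject code-length sets that are too long or over-subscribed (Kraft sum > 1). */
static int lengths_are_valid(const uint8_t *lengths, size_t n) {
    uint32_t kraft = 0;  /* accumulated in units of 2^-MAX_CODE_LENGTH */
    for (size_t i = 0; i < n; i++) {
        if (lengths[i] > MAX_CODE_LENGTH) return 0;
        if (lengths[i] > 0) kraft += 1u << (MAX_CODE_LENGTH - lengths[i]);
        if (kraft > (1u << MAX_CODE_LENGTH)) return 0;
    }
    return 1;
}

/* Entries a two-level table needs for the given canonical Huffman code lengths:
 * 2^ROOT_BITS for the first level plus, for each root prefix that has codes longer
 * than ROOT_BITS, a second-level table of 2^(longest code under that prefix - ROOT_BITS)
 * entries. Returns 0 on invalid input. (Simplified layout for illustration; libwebp's
 * own allocation strategy differs in detail.) */
size_t table_entries_needed(const uint8_t *lengths, size_t n) {
    if (!lengths_are_valid(lengths, n)) return 0;

    /* Canonical code assignment (RFC 1951 style): count codes per length, then
     * derive the first code of each length. */
    uint32_t count[MAX_CODE_LENGTH + 1] = {0};
    for (size_t i = 0; i < n; i++) count[lengths[i]]++;
    count[0] = 0;
    uint32_t next_code[MAX_CODE_LENGTH + 1] = {0};
    uint32_t code = 0;
    for (int len = 1; len <= MAX_CODE_LENGTH; len++) {
        code = (code + count[len - 1]) << 1;
        next_code[len] = code;
    }

    /* Longest code seen under each root prefix (0 = no long codes there). */
    uint8_t longest_under[ROOT_SIZE] = {0};
    for (size_t i = 0; i < n; i++) {
        int len = lengths[i];
        if (len == 0) continue;
        uint32_t c = next_code[len]++;
        if (len > ROOT_BITS) {
            uint32_t prefix = c >> (len - ROOT_BITS);  /* top ROOT_BITS bits of the code */
            if (len > longest_under[prefix]) longest_under[prefix] = (uint8_t)len;
        }
    }

    size_t total = ROOT_SIZE;
    for (uint32_t p = 0; p < ROOT_SIZE; p++) {
        if (longest_under[p] > 0) total += (size_t)1 << (longest_under[p] - ROOT_BITS);
    }
    return total;
}

/* Defensive pattern: compute the size from the actual code lengths before writing,
 * instead of trusting a precomputed constant. Returns 1 (and the size via
 * entries_out) when the table fits in 'capacity' entries, 0 otherwise. */
int check_table_fits(const uint8_t *lengths, size_t n, size_t capacity, size_t *entries_out) {
    size_t needed = table_entries_needed(lengths, n);
    if (needed == 0 || needed > capacity) return 0;
    if (entries_out) *entries_out = needed;
    return 1;
}

/* Constructed sample code-length sets (not taken from any real WebP file). */
/* (a) 256 symbols, all 8 bits: a complete code that fits in the first level alone. */
static uint8_t *all_eight(void) { static uint8_t l[256]; memset(l, 8, sizeof l); return l; }
/* (b) lengths 1..15 plus a second 15-bit code: the seven lengths above ROOT_BITS all
 *     share root prefix 0xFF, so a 128-entry second-level table is required. */
static const uint8_t long_tail[16] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,15};

int main(void) {
    size_t entries = 0;
    printf("all 8-bit codes need %zu entries\n", table_entries_needed(all_eight(), 256));
    printf("codes up to 15 bits need %zu entries\n", table_entries_needed(long_tail, 16));
    printf("15-bit codes fit a first-level-only table: %s\n",
           check_table_fits(long_tail, 16, FIRST_LEVEL_ONLY_CAPACITY, &entries) ? "yes" : "no");
    return 0;
}
```

The second sample set is exactly the situation the article describes: a table that is correctly sized for 8-bit lookups is too small once 15-bit codes appear, and only a size derived from the code lengths themselves catches it before the writes happen.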
Rezilion has published a complete report on CVE-2023-4863 and CVE-2023-5129 detailing the products that use the libwebp package and the other libraries affected by this issue.