Sep 29, 2023

Cheat Sheet for WebP (libwebp library) 0-day Vulnerability

Daniel Abeles
Head of Research
Brandon Hoe
VP of Marketing

🚨!!BREAKING: The potential impact of CVE-2023-4863 extends far beyond just the Chrome browser, resulting in CVE-2023-5129* being rejected by its CVE Numbering Authority because it’s been deemed a duplicate of CVE-2023-4863, which is currently undergoing reanalysis.

What is libwebp?

  • libwebp is a library that processes images using the .webp format
  • It was created by Google >10 years ago
  • libwebp is used in most applications that render .webp images 

What is the libwebp vulnerability (CVE-2023-41064 / CVE-2023-4863)?

  • It’s a heap buffer overflow flaw
  • It’s a 0-day vulnerability that allows attackers to achieve remote code execution (RCE) on target systems
  • It is a vulnerability that has been exploited in the wild

Who does it affect, and how widespread is the impact?

  • libwebp is used in many browsers, including Chrome, Firefox, Brave, Edge, Tor and Opera
  • It’s used in critical applications such as 1Password and Signal, among others
  • It is a dependency of common open source libraries such as the well-known Python image processing library “pillow”
  • It’s pre-installed in many popular container images such as Python, Node.js, nginx, grafana, joomla, and Wordpress

What you can do to alleviate your concerns

  • Perform an inventory of your packages to ascertain whether any of them use libwebp as a dependency
  • Filter out those that are not loaded and used at runtime and prioritize remediation efforts on those that are. A tool like Oxeye can help. The screen caps below show how we can trace the path of the vulnerability from the Internet to the service where the library is used, and also show that the package is loaded and used at runtime. Oxeye will also note if this is a toxic combination of a vulnerable app deployed on misconfigured, high-risk cloud infrastructure, as seen in the second image
  • Brew coffee, grab a bite to eat, and start remediation efforts by updating any instance of the libwebp library in your environment to the latest version, and keeping tabs on the affected packages in your applications to make sure they’re updated to patched versions
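The runtime-filtering step above can be approximated on a Linux host without any product: every process exposes the shared objects it has mapped in /proc/<pid>/maps, so a libwebp copy that is merely installed but never loaded shows up in no process, while one that is actually in use (a distro libwebp.so, or the copy a Pillow wheel bundles under PIL.libs) does. The script below is an added example, not code from the post or from Oxeye; the /proc layout is real, the sample maps excerpt and its version numbers are constructed.

```python
"""Runtime inventory of libwebp: which processes actually have a libwebp
shared object mapped (system copy or one bundled inside a wheel)."""
import re
from pathlib import Path

# Matches libwebp, libwebpdemux, libwebpmux, libwebpdecoder, including the
# hash-suffixed copies that manylinux wheels vendor (e.g. PIL.libs/libwebp-<hash>.so.7).
WEBP_SO = re.compile(r"/libwebp[a-z]*(?:-[0-9a-f]+)?\.so(?:\.\d+)*$")


def mapped_webp_libs(maps_text):
    """Return the distinct libwebp object paths found in /proc/<pid>/maps text."""
    found = set()
    for line in maps_text.splitlines():
        # Fields: address perms offset dev inode [path]; anonymous maps have no path.
        fields = line.split(maxsplit=5)
        if len(fields) == 6 and WEBP_SO.search(fields[5]):
            found.add(fields[5])
    return sorted(found)


def scan_processes(proc_root="/proc"):
    """Map pid -> libwebp objects for every readable process under proc_root."""
    result = {}
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            libs = mapped_webp_libs((entry / "maps").read_text())
        except OSError:
            continue  # process exited, or not ours to read
        if libs:
            result[int(entry.name)] = libs
    return result


# Constructed excerpt of a /proc/<pid>/maps file (addresses, inodes and
# version numbers are made up for the example).
SAMPLE_MAPS = """\
7f2a4c000000-7f2a4c05c000 r-xp 00000000 fd:01 1311268 /usr/lib/x86_64-linux-gnu/libwebp.so.7.1.3
7f2a4c05c000-7f2a4c25c000 ---p 0005c000 fd:01 1311268 /usr/lib/x86_64-linux-gnu/libwebp.so.7.1.3
7f2a4c300000-7f2a4c31a000 r-xp 00000000 fd:01 1311270 /usr/lib/x86_64-linux-gnu/libwebpdemux.so.2.0.9
7f2a4d000000-7f2a4d100000 r-xp 00000000 fd:01 2200044 /usr/lib/python3/dist-packages/PIL.libs/libwebp-0123abcd.so.7.1.3
7f2a4e000000-7f2a4e020000 rw-p 00000000 00:00 0
7ffd1e000000-7ffd1e021000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    for pid, libs in sorted(scan_processes().items()):
        print(pid, *libs, sep="\n    ")
```

Processes that appear in the output are the ones to patch first; compare each listed path back to its owning package (distro package or wheel) to pick the right upgrade.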

Contact us to learn more.
