
A Vulnerability With a Long Tail - libwebp

CVE-2023-4863 err... CVE-2023-5129... or is it?

UPDATE: NVD has rejected the new CVE (CVE-2023-5129) as a duplicate of the original (CVE-2023-4863). It is my belief that Google was re-submitting due to the confusion surrounding the initial CVE when practitioners were discovering the impacts across far more areas than just Chromium, which it was initially reported under.

WebP

This vulnerability, initially reported by Google as a Chrome vulnerability rather than as a vulnerability in the open-source libwebp library used to encode and decode WebP images, has now had a second CVE ID assigned to it. The bug itself is a heap buffer overflow in the lossless (VP8L) decoder's Huffman table construction, reachable by decoding a crafted image, so anything that decodes untrusted WebP data with an unpatched libwebp is exposed.

Why?

Because the risk extends MUCH further than anything a Chrome update can handle. The vulnerability affects any software that bundles or links a vulnerable copy of libwebp, not only Chrome. That includes every major browser as well as many popular applications and operating systems, including:

  • 1Password
  • Basecamp
  • Bitwarden
  • Discord
  • GitHub Desktop
  • Microsoft Teams
  • Signal
  • Skype
  • Slack
  • Twitch
  • Ubuntu
  • Visual Studio Code
  • And Many More...

The list continues to grow every day. Many of the desktop applications above are Electron apps, which ship their own Chromium build (and therefore their own copy of libwebp) rather than using the system library, so neither a Chrome update nor an operating-system patch fixes them; each vendor has to rebuild and ship. This will likely be used as a reference for years to come on some of the potential failures that can occur within the vulnerability management process.

Discovery & Remediation

While the full impact of this vulnerability is still expanding, use this as an opportunity to begin or expand your asset discovery. Software Bills of Materials (SBOMs) are talked about regularly, and this is exactly why: the question "which of our applications contain libwebp, and at what version?" should be answerable from your own inventory, not from vendor advisories trickling in over weeks.

Without an accurate inventory of the pieces that make up your software, you are at the mercy of the vendor who supplied it, and of however long it takes them to notice that they are affected.

Another step worth taking now is reviewing and adopting minimal images: build with exactly what is needed and nothing more. Much like least privilege for file and access permissions, give the image the bare minimum it needs to do its job, so that a library you never use (an image codec in a service that never decodes images, for example) is not sitting in your exposure footprint waiting for the next advisory.

Remediating this vulnerability requires any piece of software or operating system that uses webmproject/libwebp versions 0.5.0 through 1.3.1 to move to 1.3.2 or newer. Note that statically linked and vendored copies (Electron applications, for example, or language-ecosystem packages that ship a prebuilt copy of the codec) are not fixed by updating the system libwebp package; each has to be rebuilt against the fixed version and redistributed.
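To make the inventory question under "Discovery & Remediation" concrete alongside the version range above, here is an added example (not the author's code and not part of the libwebp project) that walks a CycloneDX-style SBOM and flags every libwebp component in the affected range. The SBOM, the application name, the package URLs and the versions in it are constructed for illustration. It handles the cases that trip up naive checks: a copy vendored inside an application (nested components), distro versions carrying an epoch or revision suffix such as 1:1.2.4-0.2, and a component with no version at all, which is reported as unknown rather than silently treated as safe.

```python
"""Added example (not the post's or the libwebp project's code): walk a
CycloneDX-style SBOM and flag libwebp components in the CVE-2023-4863
affected range, 0.5.0 <= version < 1.3.2.

The SBOM, application name, purls and versions below are constructed for
illustration only."""
import json
import re
from typing import Iterator, List, Optional, Tuple

FIRST_AFFECTED = (0, 5, 0)  # libwebp 0.5.0 is the first affected release
FIXED_IN = (1, 3, 2)        # libwebp 1.3.2 carries the fix

# Constructed sample SBOM (CycloneDX 1.5 JSON shape). The versions are
# chosen to exercise each branch: a vendored copy nested under an
# application, a distro package with epoch and revision, a fixed build,
# a pre-range release, and a component with no version at all.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "application", "name": "example-desktop-app", "version": "4.2.0",
         "components": [
             {"type": "library", "name": "libwebp", "version": "1.3.1",
              "purl": "pkg:generic/libwebp@1.3.1"},
         ]},
        {"type": "library", "name": "libwebp7", "version": "1:1.2.4-0.2",
         "purl": "pkg:deb/debian/libwebp7@1:1.2.4-0.2"},
        {"type": "library", "name": "libwebp", "version": "1.3.2"},
        {"type": "library", "name": "libwebp", "version": "0.4.3"},
        {"type": "library", "name": "libwebp", "version": ""},
        {"type": "library", "name": "zlib", "version": "1.2.13"},
    ],
})


def parse_upstream_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Reduce a package version to the upstream (major, minor, patch) tuple.

    A Debian/RPM epoch ("1:") and distro revision ("-0.2", "-3.el9") are
    dropped, so "1:1.2.4-0.2" compares as upstream 1.2.4. Returns None when
    no numeric version is present; callers must treat that as unknown, not
    as safe.
    """
    m = re.match(r"^(?:\d+:)?(\d+)(?:\.(\d+))?(?:\.(\d+))?", version or "")
    if not m:
        return None
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch)


def is_libwebp(component: dict) -> bool:
    """Match the upstream library and common distro package names
    (libwebp7, libwebp-dev, libwebpdemux2, ...) by name or purl."""
    name = (component.get("name") or "").lower()
    purl = (component.get("purl") or "").lower()
    return name.startswith("libwebp") or "/libwebp" in purl


def assess(component: dict) -> str:
    """Classify one component as vulnerable, not-affected or unknown."""
    v = parse_upstream_version(component.get("version") or "")
    if v is None:
        return "unknown"
    if FIRST_AFFECTED <= v < FIXED_IN:
        return "vulnerable"
    return "not-affected"


def iter_components(components: list, path: str = "") -> Iterator[Tuple[str, dict]]:
    """Depth-first walk of components, following CycloneDX nested
    'components' so a libwebp vendored inside an application is found
    and reported with its parent path."""
    for comp in components:
        here = f"{path}/{comp.get('name', '?')}" if path else comp.get("name", "?")
        yield here, comp
        yield from iter_components(comp.get("components", []), here)


def scan_sbom(sbom_json: str) -> List[Tuple[str, str, str]]:
    """Return (path, version, status) for every libwebp component that is
    vulnerable or of unknown version. Not-affected copies are omitted."""
    sbom = json.loads(sbom_json)
    findings = []
    for path, comp in iter_components(sbom.get("components", [])):
        if not is_libwebp(comp):
            continue
        status = assess(comp)
        if status != "not-affected":
            findings.append((path, comp.get("version") or "", status))
    return findings


if __name__ == "__main__":
    for path, version, status in scan_sbom(SAMPLE_SBOM):
        print(f"{status:12} {path} {version or '<no version>'}")
```

Run against a real SBOM, the "unknown" rows are the ones to chase first: a component with no recorded version is exactly the vendored, statically linked copy that no package manager will ever update for you.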

Many of the largest vendors have already released fixes for their vulnerable software, which takes me to the next phase: patch, patch, and patch some more, and verify afterwards that the shipped build actually carries libwebp 1.3.2 or newer rather than trusting the release note.