Google LibWebP code execution vulnerability
This live blog contains information regarding a vulnerability in Google LibWebP. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on October 2, 2023.

Update 2 October 2023
16:30 | On the 25th of September, Google published CVE-2023-5217 describing a vulnerability in LibWebP. Earlier in September, Google and Apple respectively published CVE-2023-4863 and CVE-2023-41064 describing the same problem in the library. CVE-2023-5217 is considered a duplicate of CVE-2023-4863 and was assigned a CVSS score of 10, which is regarded as (too) high. CVE-2023-5217 was rejected as a duplicate on the 27th of September.
LibWebP is a library maintained by Google and is used for image processing. The vulnerability can lead to arbitrary code execution on the system, but the exploitability and the impact depend on how the application uses the library.
Exploitation of the vulnerable library has been detected in Apple products and in the Google Chrome browser. It is advised to create an overview of software that uses the vulnerable LibWebP library and to apply patches as they become available.
Risk
The vulnerability CVE-2023-5217 has a CVSS score of 10. This vulnerability is considered a duplicate of CVE-2023-4863 and the CVSS score is disputed. The CVSS scale runs from 0 to 10.
A score of 9.8 or higher is rare and implies a high risk of exploitation with high impact. The vulnerabilities registered as CVE-2023-5217, CVE-2023-4863 and CVE-2023-41064 can allow an attacker to execute code on the system running the LibWebP library. The exploitability and impact of the vulnerability depend on how the library is used.
Exploits of CVE-2023-4863 in the Google Chrome browser and CVE-2023-41064 in Apple products have been observed in the wild. Both vendors have released software updates mitigating the vulnerability.
Advice
Vulnerability CVE-2023-4863 in the Google Chrome browser exists in the following versions:
- Google Chrome versions prior to 116.0.5845.187
- LibWebP versions prior to 1.3.2
The advice is to upgrade to Google Chrome browser version 116.0.5845.187 or later.
Vulnerability CVE-2023-41064 affects the following Apple products and versions:
- iOS prior to 15.7.9
- iOS prior to 16.6.1
- iPadOS prior to 15.7.9
- iPadOS prior to 16.6.1
- macOS Big Sur prior to 11.7.10
- macOS Monterey prior to 12.6.9
- macOS Ventura prior to 13.5.2
Apple has released software updates; the advice is to upgrade to at least the fixed versions.
For other applications it is advised to create an overview of software that uses the vulnerable LibWebP library and to apply patches as they become available.
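As an added example (not part of the original advisory), the script below triages a software inventory against the fixed versions listed above. The product identifiers, the CSV layout and the inventory rows are constructed assumptions.

```python
"""Flag inventory rows whose version is below the fixed release named in
this advisory (Chrome 116.0.5845.187, LibWebP 1.3.2, Apple OS versions)."""

# Minimum fixed version per product; versions taken from the advisory text.
# Product identifiers are an assumption of this example.
FIXED_VERSIONS = {
    "google-chrome": ["116.0.5845.187"],
    "libwebp": ["1.3.2"],
    "ios": ["15.7.9", "16.6.1"],
    "ipados": ["15.7.9", "16.6.1"],
    "macos-big-sur": ["11.7.10"],
    "macos-monterey": ["12.6.9"],
    "macos-ventura": ["13.5.2"],
}

def parse_version(text):
    """Turn '116.0.5845.187' into a comparable tuple of ints. A packaging
    suffix such as '-0.2+deb12u1' is dropped before comparison."""
    core = text.split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())

def is_fixed(product, version):
    """True when `version` is at or above the fixed release of its own
    release train (iOS/iPadOS have two trains: 15.x and 16.x). Versions
    outside every listed train are compared against all fixed releases."""
    installed = parse_version(version)
    candidates = [parse_version(f) for f in FIXED_VERSIONS[product]]
    same_train = [f for f in candidates if f[0] == installed[0]] or candidates
    return any(installed >= f for f in same_train)

def triage(inventory_lines):
    """Return (host, product, version) rows that still need patching.
    Distributions often backport fixes without raising the upstream version,
    so a hit is a lead to verify against the distro advisory, not proof."""
    needs_patch = []
    for line in inventory_lines:
        host, product, version = (f.strip() for f in line.split(","))
        if product in FIXED_VERSIONS and not is_fixed(product, version):
            needs_patch.append((host, product, version))
    return needs_patch

# Constructed sample inventory (host,product,version), not a real export.
SAMPLE_INVENTORY = [
    "ws01, google-chrome, 116.0.5845.140",
    "ws02, google-chrome, 117.0.5938.62",
    "srv01, libwebp, 1.2.4-0.2+deb12u1",
    "srv02, libwebp, 1.3.2",
    "mac01, macos-ventura, 13.5.1",
    "phone01, ios, 15.7.9",
    "phone02, ios, 16.5.1",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print("PATCH NEEDED: %s %s %s" % row)
```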
If any suspicious or malicious activity is detected in relation to this article, please contact T-CERT. The Tesorion Computer Emergency Response Team offers specialist support 24/7. In emergencies, we immediately conduct an initial assessment by telephone and do all we can to get the situation under control as soon as possible.