A zero-day vulnerability (CVE-2023-5129) in the WebP image library is being actively exploited, putting major browsers and scores of additional apps at risk.
NOTE: NinjaOne is NOT impacted by this vulnerability.
Ok, what’s happening?
On Wednesday, September 27, Google published a new vulnerability entry, CVE-2023-5129, with a CVSS base score of 10.0. That is as bad as the scale goes, and it underscores how serious the flaw is.
What is CVE-2023-5129?
CVE-2023-5129 is a heap buffer overflow flaw in the WebP image format, specifically in the code path that handles lossless compression (WebP lets web developers serve smaller images that still look good, which makes browsing faster). We won’t get into the nitty gritty details here, but you can find more info on heap buffer overflow flaws in general, and on the issue with libwebp’s “BuildHuffmanTable” function in particular, in this post from Alex Ivanovs at StackDiary.
Of note: this vulnerability was originally tracked as CVE-2023-4863, and attributed only to Chrome. The new CVE was issued to clarify that the flaw actually applies to a much more expansive number of apps (partial list below).
How bad is CVE-2023-5129?
Unfortunately, very (hence the 10.0 CVSS). For three different reasons:
- The impact is extremely broad: The vulnerability affects any software that utilizes the WebP codec. That includes major browsers like Chrome, Firefox, Safari, and Edge, but, as mentioned, also a host of additional apps (partial list below). Admins still experiencing PTSD from log4j are once again reconsidering their life choices.
- The impact of exploitation is extremely serious: Successful exploitation could potentially result in attackers taking control of a system, executing arbitrary code, and accessing sensitive user data.
- Attackers are already actively exploiting it: Earlier this month (September 11), Google acknowledged that CVE-2023-4863 was being exploited in the wild. In addition, the flaw has been linked to Citizen Lab’s September 7 “BLASTPASS” report disclosing a zero-click, zero-day iPhone exploit captured in the wild.
What apps are affected by CVE-2023-5129?
NOTE: NinjaOne is NOT impacted by this vulnerability.
Update Sept 28: Security professional Michael Taggart has created a large list of apps he’s continuously updating here. There are currently 744 with 165 confirmed vulnerable.
Numerous apps employ WebP image handling via libwebp. As reported at cyberkendra.com, “since the codec is built into Android, all native browser apps on Android devices are affected.”
But the list expands from there. They also point out that, according to a list compiled on Wikipedia, the following applications use the WebP codec:
- 1Password
- balenaEtcher
- Basecamp 3
- Beaker (web browser)
- Bitwarden
- CrashPlan
- Cryptocat (discontinued)
- Discord
- Eclipse Theia
- FreeTube
- GitHub Desktop
- GitKraken
- Joplin
- Keybase
- Lbry
- Light Table
- Logitech Options +
- LosslessCut
- Mattermost
- Microsoft Teams
- MongoDB Compass
- Mullvad
- Notion
- Obsidian
- QQ (for macOS)
- Quasar Framework
- Shift
- Signal
- Skype
- Slack
- Symphony Chat
- Tabby
- Termius
- TIDAL
- Twitch
- Visual Studio Code
- WebTorrent
- Wire
- Yammer
What apps have patches for CVE-2023-5129 available?
Cyberkendra.com is also compiling a helpful list of vendors that have pushed patches for this vulnerability, and will be actively updating it:
- Google Chrome – Mac and Linux 116.0.5845.187 and Windows 116.0.5845.187/.188.
- Mozilla – Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2
- Brave Browser – version 1.57.64 (Chromium: 116.0.5845.188) [Android, iOS, Linux & Mac].
- Microsoft Edge – versions 109.0.1518.140, 116.0.1938.81, and 117.0.2045.31.
- Tor Browser – version 12.5.4.
- Opera – version 102.0.4880.46.
- Vivaldi – version 6.2.3105.47.
- 1Password – version 8.10.15
- Bitwarden
- LibreOffice
- Suse
- Ubuntu
- LosslessCut
- NixOS – Nix package manager
What can admins do now to protect their networks?
With all the attention this is bound to get, and with active exploitation already confirmed, it’s highly recommended to patch vulnerable apps (and confirm patches have been applied) as soon as possible once updates are available.
Unfortunately, the full scope of affected applications is yet to be determined, and you can’t patch an app if you don’t know it’s vulnerable or if a patch isn’t available. Hopefully, additional vendors will be providing more information and clarity soon.
In the meantime…
How to identify vulnerable apps using NinjaOne
Until the full scope of vulnerable applications becomes clearer, IT pros can at the very least search their networks for devices running outdated versions of the apps that have already been patched. In this video, NinjaOne Product Lead Gavin Stone walks through how NinjaOne users can do exactly that by utilizing the software inventory filter:
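As an added example (not part of the original post and not NinjaOne’s own tooling), here is a small Python script that does the same check against a software-inventory export: it compares each installed version with the fixed versions listed in the patch section above and flags anything older or not on the list. The product names, version-branch handling, and the inventory rows are constructed assumptions for illustration.

```python
import re

# Minimum fixed versions taken from the vendor list above. Where a vendor ships
# several supported branches (Firefox ESR, Edge), each branch gets its own minimum.
FIXED_VERSIONS = {
    "Google Chrome": ["116.0.5845.187"],
    "Mozilla Firefox": ["117.0.1"],
    "Mozilla Firefox ESR": ["102.15.1", "115.2.1"],
    "Microsoft Edge": ["109.0.1518.140", "116.0.1938.81", "117.0.2045.31"],
    "Brave": ["1.57.64"],
    "1Password": ["8.10.15"],
}

def parse_version(text):
    """'116.0.5845.187' -> (116, 0, 5845, 187); non-numeric suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def classify(product, installed):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory entry."""
    fixed = FIXED_VERSIONS.get(product)
    have = parse_version(installed)
    if not fixed or not have:
        return "unknown"  # not on the patch list above: needs vendor guidance
    branch = [parse_version(v) for v in fixed if parse_version(v)[0] == have[0]]
    if branch:  # same major as a listed fix: compare the full version
        return "patched" if have >= branch[0] else "vulnerable"
    newest = max(parse_version(v) for v in fixed)
    # A major newer than every listed fix shipped after it; an older, unlisted
    # major is an out-of-support branch that never received the fix.
    return "patched" if have > newest else "vulnerable"

def scan(inventory):
    """inventory: iterable of (host, product, version). Returns rows needing attention."""
    findings = []
    for host, product, version in inventory:
        status = classify(product, version)
        if status != "patched":
            findings.append((host, product, version, status))
    return findings

# Constructed sample inventory (hosts and versions invented for this example).
SAMPLE_INVENTORY = [
    ("ws-01", "Google Chrome", "116.0.5845.187"),
    ("ws-02", "Google Chrome", "116.0.5845.140"),
    ("ws-03", "Microsoft Edge", "116.0.1938.69"),
    ("ws-04", "Microsoft Edge", "117.0.2045.31"),
    ("ws-05", "Mozilla Firefox ESR", "102.15.0"),
    ("ws-06", "1Password", "8.10.15"),
    ("ws-07", "Slack", "4.33.84"),
]

if __name__ == "__main__":
    for row in scan(SAMPLE_INVENTORY):
        print("%-6s %-20s %-16s %s" % row)
```

Entries reported as "unknown" are apps the patch list above does not cover yet, so they still need a vendor statement rather than being treated as safe.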
Additional links and resources
- National Vulnerability Database CVE-2023-5129 listing
- Discussion on r/sysadmin
- WebP 0day: Google Assign New CVE for libwebp Vulnerability (cyberkendra.com)
- Critical WebP Bug: Many Apps, Not Just Browsers, Under Threat (StackDiary)
- The WebP 0day (Ben Hawkes)
- BLASTPASS: NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild (The Citizen Lab)