Security alert: zero-day vulnerability CVE-2023-4863 in libwebp (WebP) library

· 1 MIN READ · TUCKER MORAN · SEP 28, 2023 · TAGS: Alert

What happened?

A newly discovered zero-day vulnerability in a web application library (libwebp) can result in arbitrary command execution when exploited. The vulnerability, CVE-2023-4863, is a heap-based buffer overflow vulnerability in the libwebp library, which is used to decode and encode WebP image files. Software using libwebp versions from 0.5.0 to 1.3.2 may be affected.

This vulnerability was originally tracked as CVE-2023-4863 and assigned specifically to Google Chrome. However, the underlying vulnerability itself lies within the libwebp library and consequently affects multiple products that utilize vulnerable versions of the library. To address this scope change, the CVE numbering authority initially added CVE-2023-5129. To reduce confusion, the CVE authority rejected the new CVE designation on September 27, so now CVE-2023-4863 is the only way to track the vulnerability.

Why does it matter?

Many websites and applications leverage the WebP library, meaning the impact of this vulnerability has a far and wide reach (see below for some popular examples). An attacker can exploit the vulnerability by using a specially crafted WebP file that can result in crashes or arbitrary command execution. This could allow an attacker to gain control of an affected system or steal sensitive data.

What are we doing for our customers?

Expel’s Detection and Response team is continuing to monitor for any activity associated with the vulnerability and we will continue to assess any potential threat hunting opportunities.

Expel’s Vulnerability Prioritization (VP) team has notified our customers, who had multiple instances of CVE-2023-4863 vulnerabilities and impacted assets. Additionally, Expel VP also provided communication to each customer that we had vulnerability visibility to their CVE-2023-4863 risk.

What should you do right now?

The full scope of affected products is still unknown. However, many vendors have already begun releasing patches applying the necessary fixes. Where available, patch all affected software that utilizes libwebp versions 0.5.0 to 1.3.2.

Thousands of applications are potentially affected. Popular examples include:

  • Google Chrome
  • Microsoft Edge
  • Mozilla FireFox
  • Safari
  • Multiple professional and personal messaging apps and email platforms
  • Free online image processing and office software

Strategically, we recommend using scanner tools to identify impacted software. Specifically look for CVE-2023-4863.

What next?

We’ll update this post with any big developments, but keep an eye on our socials (@ExpelSecurity) for additional recommendations as they emerge.