Companies have been releasing advisories addressing the impact on their products of an actively exploited Libwebp vulnerability tracked as CVE-2023-4863 and CVE-2023-5129.
The two CVEs were assigned to the same vulnerability, but the latter was quickly rejected.
In early September, Apple announced patching a zero-day tracked as CVE-2023-41064, which can be exploited for arbitrary code execution using specially crafted images. The flaw had been leveraged as part of a zero-click exploit named BlastPass to deliver Pegasus spyware to iPhones.
A few days later, Google and Mozilla also announced updates for Chrome and Firefox, saying that an actively exploited flaw, which they both track as CVE-2023-4863, impacts the WebP component of their browsers.
While Apple and Google assigned different CVE identifiers, the timing suggests that it’s the same bug or at least a related issue. On the other hand, while CVE-2023-4863 has reportedly been exploited, there are no details about attacks targeting software other than Apple’s iOS.
WebP is an image format developed by Google that’s offered as a better alternative to JPEG, PNG and GIF due to the smaller file size, which results in web pages loading much faster. Applications can support the WebP format using a library called Libwebp.
Google at one point decided to assign a new CVE identifier, CVE-2023-5129, to highlight the impact on Libwebp, but the tech giant quickly rejected the new CVE, marking it as a duplicate of CVE-2023-4863.
“Google has not confirmed why it rejected the vulnerability. However, based on the fact that multiple vendors have already adopted CVE-2023-4863 as the CVE identifier when patching libwebp, it likely didn’t make sense to assign a new CVE for this versus expanding the impact of the original CVE,” Tenable’s Satnam Narang wrote in a blog post that attempts to clarify the link between the multiple CVEs.
Some members of the cybersecurity industry still believe separate identifiers should have been assigned to Chrome and the Libwebp library.
Libwebp is widely used, being present in all major web browsers, Linux distributions, the Electron framework, and applications such as Telegram and 1Password. Companies have started releasing advisories addressing the impact of CVE-2023-4863 on their products.
Palo Alto Networks said on Tuesday that its PAN-OS software does use the Libwebp library, but it “doesn’t offer any scenarios required for the successful exploitation of this vulnerability and isn’t impacted”.
1Password also confirmed being impacted due to the use of Chrome components, but said it’s not aware of any attacks targeting its customers.
“An attacker who is able to provide images in the WebP format to a victim using the 1Password app is able to perform a heap buffer overflow. The attacker can use this as a starting off point to achieve remote code execution or steal secrets from the other user’s machine,” the company explained. “1Password only shows images provided by other users in the account, in the form of icons or avatars. As a result, an attacker would have to share an account with a victim to perform the attack.”
Advisories have also been published by MSP platform Syncro, enterprise app provider Progress (Sitefinity), software intelligence company Dynatrace (Synthetic), and data management firm NetApp (Active IQ Unified Manager).
Microsoft also published an advisory on Tuesday to inform customers that CVE-2023-4863 impacts Edge, Teams for Desktop, Skype for Desktop, and Webp Image Extensions.
Microsoft’s advisory also addresses CVE-2023-5217, a different vulnerability, which impacts the Libvpx video codec library. CVE-2023-5217, which has also been exploited in the wild, was patched in late September by Google and Mozilla. Microsoft has also patched the issue in its Edge browser.
CISA on Wednesday added CVE-2023-5217 to its Known Exploited Vulnerabilities catalog.