Critical vulnerabilities in media libraries exploited in the wild: everything you need to know

Delving into CVE-2023-4863 and CVE-2023-5217 - critical vulnerabilities in libwebp and libvpx exploited in the wild.


CVE-2023-4863 is a critical vulnerability in libwebp, and CVE-2023-5217 is a high-severity vulnerability in libvpx; both are reportedly exploited in the wild. Both are mainly client-side vulnerabilities and are thus unlikely to be exploitable on most affected cloud workloads, other than virtual desktops and servers that handle images or video. Customers should therefore prioritize patching these cases, as well as vulnerable instances detected in build environments.

What is CVE-2023-4863? 

Background 

On September 11th, 2023, a vulnerability was assigned CVE-2023-4863 that reportedly only affected Chrome. More specifically, it was described as a heap buffer overflow in WebP in Chrome, allowing a remote attacker to perform an out of bounds memory write via a crafted HTML page.

However, further research revealed that the root cause of this vulnerability was in fact a bug in the WebP Codec image rendering library (libwebp). The WebP Codec library is a library used to encode and decode images in WebP format, and is not unique to Chrome but rather utilized by Chromium and incorporated in many other applications. These include other browsers like Firefox as well as Chromium-based components such as Electron, which is utilized in turn by many other popular client-side apps (e.g., Slack, Signal and Telegram). Additionally, it has been speculated that the same bug was the cause of an iOS and iPadOS vulnerability assigned CVE-2023-41064, also known as BLASTPASS. 

Following these developments, on September 26th, 2023, the vulnerability affecting WebP itself was assigned CVE-2023-5129, but two days later (on September 28th, 2023), CVE-2023-5129 was rejected by MITRE for being a duplicate of CVE-2023-4863. As a result, the industry seems to have firmly settled on using CVE-2023-4863 to refer to this libwebp vulnerability.   

Technical details 

With a specially crafted WebP lossless file, libwebp may write data out of bounds on the heap. The ReadHuffmanCodes() function allocates the HuffmanCode buffer with a size taken from an array of precomputed sizes, kTableSize; the color_cache_bits value selects which entry to use. The kTableSize array only accounts for the 8-bit first-level table lookups, not for second-level table lookups, while libwebp allows codes of up to 15 bits (MAX_ALLOWED_CODE_LENGTH). When BuildHuffmanTable() attempts to fill the second-level tables, it may therefore write data out of bounds. The OOB write to the undersized array happens in ReplicateValue().
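To make the sizing problem concrete, the following added example (written for this article, not libwebp's code) reimplements the counting pass that a decoder needs before allocating: it walks a set of canonical Huffman code lengths with an 8-bit root table and totals the root entries plus every second-level table, using the same widening rule libwebp applies for second-level tables. The helper names, the sample code lengths and ROOT_BITS are assumptions; the sample is a valid 15-bit code whose long codes need 384 entries, 128 more than a root-only allocation of 256 would provide.

```c
#define MAX_ALLOWED_CODE_LENGTH 15  /* longest code libwebp accepts */
#define ROOT_BITS 8                 /* width of the first-level (root) table */
/* Bits of the 2nd-level table opened at length len: widen until the remaining codes fit. */
static int next_table_bits(const int count[], int len, int root_bits) {
  int left = 1 << (len - root_bits);
  while (len < MAX_ALLOWED_CODE_LENGTH) {
    left -= count[len];
    if (left <= 0) break;
    ++len;
    left <<= 1;
  }
  return len - root_bits;
}

/* Counting pass: entries for the root table plus all 2nd-level tables; 0 if invalid. */
int huffman_table_size(const int lengths[], int n, int root_bits) {
  int count[MAX_ALLOWED_CODE_LENGTH + 1] = {0}, num_symbols, len, i;
  int total = 1 << root_bits, num_open = 1, num_nodes = 1, prev_prefix = -1;
  unsigned code = 0;  /* canonical code value, assigned in length order */
  for (i = 0; i < n; ++i) {
    if (lengths[i] < 0 || lengths[i] > MAX_ALLOWED_CODE_LENGTH) return 0;
    ++count[lengths[i]];
  }
  num_symbols = n - count[0];
  if (num_symbols == 1) return total;  /* one symbol: the root table suffices */
  for (len = 1; len <= MAX_ALLOWED_CODE_LENGTH; ++len) {
    num_open <<= 1;
    num_nodes += num_open;
    num_open -= count[len];
    if (num_open < 0) return 0;  /* over-subscribed: too many codes this long */
    for (; count[len] > 0; --count[len], ++code) {
      if (len <= root_bits) continue;  /* short codes live in the root table */
      i = (int)(code >> (len - root_bits));  /* root entry this code hangs off */
      if (i != prev_prefix) {  /* new root prefix: open another 2nd-level table */
        total += 1 << next_table_bits(count, len, root_bits);
        prev_prefix = i;
      }
    }
    code <<= 1;
  }
  return num_nodes == 2 * num_symbols - 1 ? total : 0;  /* reject non-full trees */
}

/* Constructed sample: one symbol of each length 1..14 plus two of length 15 (valid). */
int skewed_code_table_size(void) {
  int lengths[16], i;
  for (i = 0; i < 14; ++i) lengths[i] = i + 1;
  lengths[14] = lengths[15] = 15;
  return huffman_table_size(lengths, 16, ROOT_BITS);
}
```

Computing the total from the actual code lengths before allocating, rather than from a fixed per-color_cache_bits table, is the sizing check that keeps the second-level fill inside the buffer.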

What is CVE-2023-5217? 

Background

On September 29, 2023, a vulnerability was assigned CVE-2023-5217 that reportedly only affected Chrome and was described as a heap buffer overflow in libvpx in Chrome.

However, similar to the case of CVE-2023-4863, further details emerged revealing that the root cause for CVE-2023-5217 was in fact a flaw in the libvpx codec library itself, which serves as the reference software implementation for the VP8 and VP9 video coding formats, and is not unique to Chrome but rather incorporated in many other applications as well.

Technical details 

Certain handling of an attacker-controlled VP8 media stream can lead to a heap buffer overflow in the content process. No further details have been published as of October 1, 2023.

What sort of exploitation has been identified in the wild?  

While both vulnerabilities have been reportedly exploited in the wild, no concrete details about the corresponding malicious activity have been published as of October 1, 2023. If the reported overlap between CVE-2023-4863 and CVE-2023-41064 turns out to be correct, then BLASTPASS would currently be the only publicly known campaign exploiting the relevant flaw in libwebp. 

Which products are affected? 

CVE-2023-4863 

All WebP Codec library (libwebp) versions from 0.5.0 up to, but not including, 1.3.2 are affected.

Additionally, various Linux distributions have released advisories and patches addressing CVE-2023-4863. 

Furthermore, the following products utilizing the library are known to be affected as well: 

CVE-2023-5217

All libvpx Codec library versions before 1.13.1 are affected. 

We expect various dependent products to release advisories for CVE-2023-5217, and will add them to this section as new information comes to light. 

The following products utilizing the library are currently known to be affected: 

Which actions should security teams take? 

Client applications (such as Chrome, Signal or Telegram), which in cloud environments would typically be running on virtual desktops, should be patched as soon as possible. The same applies to any server-side applications that are likely to handle images or videos, and to vulnerable instances in build environments (as these might make their way into deployed products or services).

Other than the above cases, patching the vast majority of vulnerable instances on servers can be deprioritized. 

Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for vulnerable instances in their environment, or the Wiz-CLI to scan images for the vulnerabilities before they're deployed. 
