Google has assigned a new CVE identifier to a critical security flaw in the libwebp image library, which is used to encode and decode images in the WebP format and has been actively exploited in the wild.
CVE-2023-5129 has been given the maximum severity score of 10.0 on the CVSS rating system. It has been described as a flaw in the Huffman coding algorithm:
With a specially crafted lossless WebP file, libwebp may write data out of bounds on the heap. The ReadHuffmanCodes() function allocates a HuffmanCode buffer of size kTableSize taken from an array of precomputed sizes; the color_cache_bits value selects which size is used. The table size array only accounts for 8-bit first-level table lookups and does not account for second-level table lookups. libwebp supports codes of up to 15 bits (MAX_ALLOWED_CODE_LENGTH). When BuildHuffmanTable() attempts to fill the second-level tables, data may be written out of bounds. ReplicateValue is where the out-of-bounds write to the undersized array occurs.
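To make the sizing problem concrete, here is an added example (constructed for this article, not libwebp's own code): a dry-run that computes how many table entries a canonical two-level Huffman lookup table needs for a given set of code lengths, in the layout the description above refers to (an 8-bit first-level table plus second-level tables for codes up to 15 bits), so the allocation can be validated before any table is filled. `fits_first_level_only` is a simplified stand-in for an allocation that, like the precomputed sizes described above, budgets only for the first level; the function names, MAX_CODE_LEN and the sample code lengths are assumptions made for this example.

```c
#define MAX_CODE_LEN 15  /* mirrors libwebp's MAX_ALLOWED_CODE_LENGTH */
/* Bits of the 2nd-level table starting at a code of length len; count[] = codes still to place per length. */
static int next_table_bits(const int count[], int len, int root_bits) {
  int left = 1 << (len - root_bits);
  while (len < MAX_CODE_LEN) {
    left -= count[len];
    if (left <= 0) break;
    ++len;
    left <<= 1;
  }
  return len - root_bits;
}

/* Next canonical code of length len; keys are kept bit-reversed (LSB first). */
static unsigned next_key(unsigned key, int len) {
  unsigned step = 1u << (len - 1);
  while (key & step) step >>= 1;
  return step ? (key & (step - 1)) + step : key;
}

/* Entries for the root table plus every 2nd-level table; 0 if not a complete prefix code. */
int huffman_table_size(const int lengths[], int n, int root_bits) {
  int count[MAX_CODE_LEN + 1] = {0};
  int total = 1 << root_bits, num_open = 1, len, i;   /* assumes 1 <= root_bits <= MAX_CODE_LEN */
  unsigned key = 0, mask = (unsigned)total - 1, low = ~0u;
  for (i = 0; i < n; ++i) {
    if (lengths[i] < 0 || lengths[i] > MAX_CODE_LEN) return 0;
    ++count[lengths[i]];
  }
  if (n - count[0] == 0) return 0;                    /* no symbols at all */
  if (n - count[0] == 1) return total;                /* one symbol: root table only */
  for (len = 1; len <= MAX_CODE_LEN; ++len) {
    num_open = (num_open << 1) - count[len];          /* open branches at this depth */
    if (num_open < 0) return 0;                       /* over-subscribed: not a prefix code */
    for (; count[len] > 0; --count[len]) {
      if (len > root_bits && (key & mask) != low) {   /* new root prefix: new 2nd-level table */
        low = key & mask;
        total += 1 << next_table_bits(count, len, root_bits);
      }
      key = next_key(key, len);
    }
  }
  return num_open == 0 ? total : 0;                   /* incomplete code: reject */
}

/* 1 if a buffer sized for the first-level table alone (2^root_bits entries) would suffice. */
int fits_first_level_only(const int lengths[], int n, int root_bits) {
  int need = huffman_table_size(lengths, n, root_bits);
  return need != 0 && need <= (1 << root_bits);
}
```

A "comb" code with one code of each length 1 to 14 and two of length 15 is a valid, complete code whose long codes all share one 8-bit prefix, yet it needs a 128-entry second-level table on top of the 256-entry root table, so a first-level-only budget is too small.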
The news follows the release of fixes by Apple, Google, and Mozilla for an issue, tracked separately as CVE-2023-41064 and CVE-2023-4863, that could lead to arbitrary code execution when processing a specially crafted image. Both issues are believed to stem from the same underlying flaw in the library.
According to Citizen Lab, CVE-2023-41064 was chained with CVE-2023-41061 as part of the BLASTPASS zero-click iMessage exploit chain to deliver the mercenary spyware known as Pegasus. Further technical details are not currently available.
However, the decision to “wrongly scope” CVE-2023-4863 as a vulnerability in Google Chrome obscured the fact that it also affects practically every other program that uses the libwebp library to process WebP images, meaning its impact is broader than initially thought.
Last week, Rezilion identified a slew of widely used applications, code libraries, frameworks, and operating systems that are vulnerable to CVE-2023-4863.
“This package stands out for its efficiency, outperforming JPEG and PNG in terms of size and speed,” the company said. “Consequently, a multitude of software, applications, and packages have adopted this library, or even adopted packages that have libwebp as a dependency.”
“The sheer prevalence of libwebp extends the attack surface significantly, raising serious concerns for both users and organizations.”
With the release of version 15572.50.0 (browser version 117.0.5938.115), Google extended the fixes for CVE-2023-4863 to the Stable channel of ChromeOS and ChromeOS Flex.
The disclosure also follows new details from Google Project Zero about commercial spyware vendors exploiting CVE-2023-0266 and CVE-2023-26083 in the wild in December 2022 to target Samsung Android devices in the UAE and gain arbitrary kernel read/write access.
The flaws are believed to have been chained with three others, CVE-2022-4262, CVE-2022-3038, and CVE-2022-22706, by a customer or partner of Variston IT, a Spanish spyware vendor.
“It’s also worth noting that this attacker used multiple bugs from kernel GPU drivers to create an exploit chain,” security researcher Seth Jenkins stated. “These third-party Android drivers have varying degrees of code quality and regularity of maintenance, and this represents a notable opportunity for attackers.”