Pierluigi Paganini September 27, 2023

Google assigned a maximum score to a critical security flaw, tracked as CVE-2023-5129, in the libwebp image library for rendering images in the WebP format.

Google assigned a new CVE identifier for a critical vulnerability, tracked as CVE-2023-5129 (CVSS score 10,0), in the libwebp image library for rendering images in the WebP format.

The flaw was initially tracked as CVE-2023-4863, because researchers believed that it was only impacting the Google Chrome browser. After discovering that the issue affects every application that uses the libwebp library to process WebP images, the experts assigned a new CVE to the vulnerability.

The issue, which is actively exploited in the wild, resides in the ReadHuffmanCodes() function and may lead to a heap buffer overflow.

“With a specially crafted WebP lossless file, libwebp may write data out of bounds to the heap. The ReadHuffmanCodes() function allocates the HuffmanCode buffer with a size that comes from an array of precomputed sizes: kTableSize. The color_cache_bits value defines which size to use.” reads the advisory. “The kTableSize array only takes into account sizes for 8-bit first-level table lookups but not second-level table lookups. libwebp allows codes that are up to 15-bit (MAX_ALLOWED_CODE_LENGTH). When BuildHuffmanTable() attempts to fill the second-level tables it may write data out-of-bounds. The OOB write to the undersized array happens in ReplicateValue.“

An attacker can trigger the vulnerability using a specially crafted WebP lossless file and achieve arbitrary code execution.

The issue made the headline under another CVEs because it was actively exploited to deploy surveillance spyware, and it was tracked separately as CVE-2023-41064 and CVE-2023-4863.

In early September, researchers at Citizen Lab reported that the actively exploited zero-day flaws (CVE-2023-41064 and CVE-2023-41061) fixed by Apple are being used to infect devices with NSO Group’s Pegasus spyware. 

According to the researchers, the two vulnerabilities were chained as part of a zero-click exploit, named BLASTPASS, used in attacks on iPhones running the latest version of iOS (16.6).

Rezilion researchers reported that the scope of this vulnerability is much wider than initially assumed.

The experts identified the vulnerable library in several popular container images׳ latest versions, collectively downloaded and deployed billions of times, such as Nginx,Python,  Joomla, WordPress, Node.js, and more.

“While the vulnerability initially seems to target Chromium-based applications, now that we know better, we understand that it possesses the potential to affect a much wider range of software and applications relying on the ubiquitous libwebp package for WebP codec functionality.” reads the analysis published by Rezilion. “This package stands out for its efficiency, outperforming JPEG and PNG in terms of size and speed. Consequently, a multitude of software, applications, and packages have adopted this library, or even adopted packages that libwebp is their dependency, creating a complex challenge when attempting to identify vulnerable systems. The sheer prevalence of libwebp extends the attack surface significantly, raising serious concerns for both users and organizations.”

Rezilion pointed out that the issue potentially affects millions of different applications worldwide.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2023-5129)