Delving into CVE-2023-4863 and CVE-2023-5217 - critical vulnerabilities in libwebp and libvpx exploited in the wild.
Analysis Summary
# Vulnerability: Multiple Codec Library Flaws (libwebp Out-of-Bounds Write and libvpx Heap Overflow)
## CVE Details
- CVE ID: CVE-2023-4863 (libwebp) and CVE-2023-5217 (libvpx)
- CVSS Score: N/A (Severity for CVE-2023-4863 is Critical; CVE-2023-5217 is High)
- CWE: Associated with Heap Buffer Overflow/Out-of-Bounds Write
## Affected Systems
- **CVE-2023-4863 (libwebp):**
  - Products: libwebp (WebP Codec library), Chrome, Firefox, Thunderbird, Edge, Brave, Tor Browser, Opera, Vivaldi, Electron, Signal, Telegram, Honeyview, Obsidian, 1Password.
  - Versions: All libwebp versions from `0.5.0` before `1.3.2`.
- **CVE-2023-5217 (libvpx):**
  - Products: libvpx (VP8/VP9 codec library), Chrome, and other dependent applications.
  - Versions: All libvpx versions before `1.13.1`.
- **Configurations:** Primarily client-side vulnerabilities, but exploitable on server workloads handling images/video (e.g., VDI environments).
## Vulnerability Description
**CVE-2023-4863 (libwebp):** This is a heap buffer overflow/out-of-bounds write flaw in the WebP Codec library (`libwebp`). When processing a specially crafted WebP lossless file, the `BuildHuffmanTable()` function attempts to write data to a second-level table array that may be undersized, leading to an Out-of-Bounds (OOB) write to the heap during execution of the `ReplicateValue()` function.
**CVE-2023-5217 (libvpx):** This is a heap buffer overflow vulnerability in the `libvpx` codec library when handling a specifically controlled VP8 media stream within the content process.
## Exploitation
- **Status:** Both vulnerabilities have been **Exploited in the wild**. CVE-2023-4863 is potentially linked to the BLASTPASS campaign exploiting CVE-2023-41064 on iOS/iPadOS.
- **Complexity:** Described as client-side vulnerabilities requiring crafted data (HTML page or media stream).
- **Attack Vector:** Typically Network, requiring user interaction (loading a malicious file/page).
## Impact
Impact for both is severe due to potential remote code execution arising from memory corruption:
- **Confidentiality:** High
- **Integrity:** High
- **Availability:** High
## Remediation
### Patches
- **CVE-2023-4863 (libwebp):** Update to libwebp version **1.3.2** or later. Affected applications (Chrome, Firefox, etc.) have released specific updates addressing the underlying library flaw.
- **CVE-2023-5217 (libvpx):** Update to libvpx version **1.13.1** or later.
### Workarounds
Patching client applications (browsers, Electron apps) and any server infrastructure that is likely to process untrusted media is the highest priority. Patching servers that do not handle media may be deprioritized, with the exception of build environments.
## Detection
- **Indicators of Compromise:** Limited to memory-corruption artifacts, such as crashes, unexpected process termination, or anomalous behavior following the processing of WebP or VP8/VP9 data.
- **Detection Methods and Tools:** Customers using specific security tools (e.g., Wiz) can use pre-built queries to locate vulnerable instances. Scanning build images before deployment is recommended.
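As an added triage example (not code from the advisory, libwebp, or libvpx), the script below classifies installed library versions against the fixed releases stated above and parses a WebP container to flag files carrying a VP8L lossless bitstream, the input kind that reaches `BuildHuffmanTable()`. It assumes version strings in the form a package manager reports them, and the sample files are constructed inline.

```python
import re
import struct

# Affected ranges exactly as the advisory states them.
LIBWEBP_FIRST_AFFECTED, LIBWEBP_FIXED = (0, 5, 0), (1, 3, 2)
LIBVPX_FIXED = (1, 13, 1)

def parse_version(text):
    # '1.2.4-0.2+deb12u1' -> (1, 2, 4); distro suffixes and tags are ignored
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError("unparsable version: " + text)
    return tuple(int(g or 0) for g in m.groups())

def is_vulnerable(library, version):
    v = parse_version(version)
    if library == "libwebp":
        return LIBWEBP_FIRST_AFFECTED <= v < LIBWEBP_FIXED
    if library == "libvpx":
        return v < LIBVPX_FIXED
    raise ValueError("unknown library: " + library)

def webp_chunks(payload):
    """Yield FourCCs of a RIFF chunk sequence; ANMF (animation frame) chunks
    carry a 16-byte frame header followed by nested sub-chunks, so descend."""
    off = 0
    while off + 8 <= len(payload):
        fourcc = payload[off:off + 4]
        size = struct.unpack_from("<I", payload, off + 4)[0]
        yield fourcc
        if fourcc == b"ANMF":
            yield from webp_chunks(payload[off + 8 + 16:off + 8 + size])
        off += 8 + size + (size & 1)  # chunk bodies are padded to even length

def uses_lossless(data):
    """True if the file carries a VP8L (lossless) bitstream; lossy-only files do not."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a WebP container")
    return b"VP8L" in webp_chunks(data[12:])

def build_webp(chunks):
    """Constructed test fixture: wrap (fourcc, payload) pairs in a RIFF/WEBP header."""
    body = b"".join(cc + struct.pack("<I", len(p)) + p + b"\x00" * (len(p) & 1)
                    for cc, p in chunks)
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"WEBP" + body

# Constructed samples: a plain lossless file and an animated file nesting a VP8L frame.
SAMPLE_LOSSLESS = build_webp([(b"VP8L", b"\x2f\x00\x00\x00\x00")])
ANMF_FRAME = b"\x00" * 16 + b"VP8L" + struct.pack("<I", 5) + b"\x2f\x00\x00\x00\x00\x00"
SAMPLE_ANIMATED = build_webp([(b"VP8X", b"\x02" + b"\x00" * 9), (b"ANMF", ANMF_FRAME)])
```

Flagged files are candidates for closer inspection or quarantine on hosts still running an affected libwebp, not proof of exploitation.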
## References
- Google advisory for CVE-2023-4863: https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html
- Mozilla advisory for CVE-2023-4863: https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/
- GitHub advisory for CVE-2023-4863: https://github.com/advisories/GHSA-j7hp-h8jx-5ppr
- Google advisory for CVE-2023-5217: https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html
- libvpx release for fix: https://github.com/webmproject/libvpx/releases/tag/v1.13.1
- Apple advisory for related flaw (CVE-2023-41064): https://support.apple.com/en-us/HT213905