This month, the Citizen Lab at The University of Toronto’s Munk School and Apple Security Engineering and Architecture (SEA) opened two critical vulnerabilities related to WebP images and Google’s webmproject/libwebp library. 

So, what is Libwebp? 

Libwebp is a commonly used library used to render WebP images. 

WebP is a modern image format that provides superior compression for images on the web. It allows web developers to create smaller, richer images that make the web faster. WebP images are 26 percent smaller in size compared to PNGs. 

Libwebp is part of almost all modern operating systems and software platforms. This includes:

• Apple iOS and MacOS
• Google Chrome browser
• Electron Software Framework
• Debian
• CentOS
• Gentoo
• SUSE

This also impacts applications that use any of the operating systems or software platforms mentioned above. For example, Google Chrome browser and Electron Software Framework are used in numerous popular applications such as Slack, 1Password, Discord, and Microsoft Edge. 

Thousands of applications use Libwebp, and are potentially vulnerable to the latest exploit.

Proven Exploit Associated with Libwebp

Citizen Lab recently found an actively exploited zero-click vulnerability that had been exploited to deliver NSO Group’s Pegasus mercenary spyware. 

Citizen Lab published their findings on September 7th and titled the exploit chain BLASTPASS, which was capable of compromising any iPhone running iOS version 16.6 by sending PassKit attachments containing malicious images sent from an attacker’s iMessage account to the victim. 

This attack is considered a zero-day attack, requiring no interaction from the victim while being carried out. 

Apple’s Reported CVEs

Citizen Lab immediately disclosed their findings to Apple, who then issued two CVEs related to BLASTPASS.

CVE-2023-41064

Apple ImageIO remote code execution (CVE-2023-41064) affecting Apple iOS, iPadOS, and macOS ImageIO Buffer Overflow.

CVE-2023-41061

Apple Wallet framework remote code execution (CVE-2023-41061), an Apple iOS, iPadOS, and watchOS Wallet Code Execution Vulnerability.

Apple rapidly patched these two vulnerabilities across its operating systems, including iOS, iPadOS, watchOS and numerous macOS versions (Ventura, Big Sur, Monterey).

Google’s Reported CVE

Likewise, the exploit was reported by Apple and Citizen Labs to Google, who investigated and reported on September 11th.

CVE-2023-4863

Libwebp remote code execution (CVE-2023-4863), a Chrome Heap Buffer Overflow Vulnerability in WebP, and published a patch for it. 

CVE-2023-5129 with CVSS Score 10

On September 25th, Google submitted another critical vulnerability, CVE-2023-5129 giving it a 10.0 CVSS score, the maximum possible. 

The big news here – this CVE was not limited to a specific software product or framework, but signified that Google understood the exploit went beyond Chromium and applied to the libwebp library’s overall scope, which is used by almost all modern operating systems. NVD later marked this CVE as a duplicate of Google’s original CVE-2023-4863.

Where Does Libwebp Live in Your Infrastructure? 

There are multiple areas you should check in your infrastructure to ensure that there are no Libwebp vulnerabilities that can be exploited. 

First, the vulnerability can obviously be found in the actual library. Organizations should check images to understand if they use the library, directly or indirectly. 

Nginx Uses Libwebp 

For example, the Libwebp library is by default found in every Nginx (image or package), which is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. 

Additional Indirect, Dependent Packages 

For example, the following vulnerable packages have been identified:

• Java: ImageIO, openCV, Sanselan
• Python: pillow, PIL, openCV
• Go: go-webp, go-libwebp
• Nodejs: node-webp, webp-convertor
• Ruby: MiniMagick, webp-ffi

How Do You Find Libwebp Libraries and Assess Risk in Your Environment?

Scanning for exploitable Libwebp vulnerabilities requires scanning all of your packages and their dependencies. 

To focus on the relevant resources that might be exploited, organizations should be able to answer the following questions:

• Which resources are using the libwebp library?
• Is the package loaded into memory or actively in use?
• Is the resource using the package exposed to the Internet?
• Is remote execution possible?
• Is there active ingress or egress traffic related to the resource using the package?
• Does the resource using the package have access to sensitive data?

These questions can be answered by examining a Software Bill of Materials (SBOM), a nested inventory or a list of ingredients that make up software components.

Using an SBOM, organizations can derive the needed information to understand whether a specific vulnerability in an included component impacts a product. 

Enhance Your SBOM Data to Examine Libwebp Risks

SBOM information is hard to digest, correlate and can contain a lot of operational noise.

It is recommended to leverage workloads’ runtime data to filter out information and determine which packages contain the vulnerability, are in-use and are exploitable- i.e. Internet-facing. 

Combine SBOM Data with Runtime 

Upwind uses both runtime data and an SBOM to determine risks from the Libwebp vulnerability. This is done by examining if images currently use the library, and if so, further examining if there are any library dependencies where the package is in-use.

While there may be thousands of Libwebp vulnerabilities in your environment, Upwind prioritizes those that are actually exploitable – such as being in-use, loaded into memory and/or exposed to the Internet.

Behind the scenes; a step by step guide: 

1. Extract an SBOM at runtime to get an actual view of each resource’s package state.
2. Examine the SBOM to understand which packages include the library and any package dependencies.
3. Enrich this data with runtime context to analyze each resource, determining whether the vulnerability is actually exploitable.
   This is done by understanding if the libwebp module is loaded by the OS, if the resource is exposed to the internet, and if there is active ingress and/or egress traffic.

The Vulnerability Funnel 

We’ve come up with a framework to manage and view software vulnerabilities with Upwind’s Vulnerability Funnel, which helps organizations answer these questions within seconds, automatically prioritizing the vulnerabilities that meet certain exploitability criteria. This helps organizations cut through alert noise and focus on rapidly remediating the exploitable vulnerabilities that are critical to their organization.

Once you identify your critical vulnerabilities, the next step is to identify the root cause and rapidly fix them. Upwind’s Image Overview simplifies this process, taking you to the root cause of image vulnerabilities in seconds. It does so by giving visibility into your running images, furnishing a comprehensive data set and pointing you directly to resource image utilization. 

Using runtime insights also provides a clear view of resources currently using the image, and in the case of Libwebp, can help you rapidly identify all image versions that use the Libwebp library and remediate them immediately.

Find & Fix Libwebp Vulnerabilities 

Scan your cloud infrastructure today. For further information on Libwebp vulnerabilities or for assistance identifying critical vulnerability exposure in your environment within minutes, please ping us at [email protected].