Google has discovered a critical security flaw in the widely used libwebp image library [1] [2] [3] [4]. The flaw, known as CVE-2023-5129 [3], allows attackers to execute arbitrary code through a heap buffer overflow. It has a severity score of 10.0 on the CVSS rating system and is actively being exploited [4]. Major tech companies like Apple, Google, and Mozilla have released fixes for similar vulnerabilities [3] [4], indicating a broader impact of this flaw [4].

Description

The vulnerability affects versions 0.5.0 to 1.3.2 of the libwebp library and has been resolved in version 1.3.2. It is similar to previous vulnerabilities such as CVE-2023-41064 and CVE-2023-4863. This flaw has gained attention due to its active exploitation in the wild. Furthermore, the libwebp library has been targeted by commercial spyware vendors in the past, with exploits like CVE-2023-0266 and CVE-2023-26083 being used to target Android devices in the U.A.E. and gain kernel arbitrary read/write access [4]. These exploits were part of a larger exploit chain that included other vulnerabilities [4].

Conclusion

To protect against this critical flaw, it is crucial for users and organizations to regularly update their systems and software. Vulnerability scanners can now automatically detect and remediate the vulnerability [2]. Additionally, macOS users have been provided with a shell command to identify apps based on vulnerable Electron versions. The fact that major tech companies have released fixes for similar bugs highlights the broader impact of this vulnerability. It is important to remain vigilant and take necessary precautions to mitigate the risks associated with this flaw.

References

[1] https://vulners.com/redhatcve/RH:CVE-2023-5129
[2] https://www.helpnetsecurity.com/2023/09/27/cve-2023-5129/
[3] https://www.scmagazine.com/news/google-identifies-heap-buffer-overflow-in-webp-library
[4] https://thehackernews.com/2023/09/new-libwebp-vulnerability-under-active.html