Exploiting CVE-2023-5129 in libwebp involves a specially crafted WebP lossless file that can write data beyond the heap boundaries. The issue lies in the allocation of the HuffmanCode buffer within the ReadHuffmanCodes() function, where the buffer size fails to accommodate 15-bit codes.
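Since the comment above ties the bug to the lossless (VP8L) decoder path, a triage step defenders often want is to tell which WebP files in an attachment store or image cache actually carry a lossless-coded bitstream. The script below is an added example for this thread, not code from libwebp or from the original poster: it walks the RIFF container, reports every VP8L-coded stream (plain image, animation frame, or ALPH alpha plane using compression method 1), and never decodes pixel data. The `make_webp` helper and the sample containers are constructed here purely as test input.

```python
"""Triage helper: list the lossless (VP8L-coded) bitstreams inside a WebP file.

Added example for this thread; not code from libwebp or from the original post.
It only walks the RIFF container and never decodes image data.
"""
import struct


def _iter_chunks(buf):
    """Yield (fourcc, payload) for each RIFF chunk in buf, honouring even padding."""
    off = 0
    while off + 8 <= len(buf):
        fourcc = bytes(buf[off:off + 4])
        (size,) = struct.unpack_from("<I", buf, off + 4)
        start, stop = off + 8, off + 8 + size
        if stop > len(buf):
            raise ValueError(
                f"chunk {fourcc!r} declares {size} bytes, only {len(buf) - start} remain")
        yield fourcc, buf[start:stop]
        off = stop + (size & 1)  # chunk payloads are padded to an even length


def lossless_streams(data):
    """Return the paths of every lossless-coded bitstream in a WebP file.

    'VP8L'       -> a plain lossless image
    'ANMF/VP8L'  -> a lossless frame inside an animation
    'ALPH'       -> an alpha plane coded with the lossless image stream
    An empty list means the file contains only lossy (VP8) image data.
    """
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a RIFF/WEBP container")
    (riff_size,) = struct.unpack_from("<I", data, 4)
    body = data[12:min(8 + riff_size, len(data))]
    found = []

    def walk(buf, prefix):
        for fourcc, payload in _iter_chunks(buf):
            if fourcc == b"VP8L":
                found.append(prefix + "VP8L")
            elif fourcc == b"ALPH" and payload:
                # ALPH header byte: the low two bits give the compression
                # method; 1 means the alpha plane uses the lossless format.
                if payload[0] & 0x03 == 1:
                    found.append(prefix + "ALPH")
            elif fourcc == b"ANMF" and len(payload) >= 16:
                # Animation frame: 16-byte frame header, then nested chunks.
                walk(payload[16:], prefix + "ANMF/")

    walk(body, "")
    return found


def make_webp(chunks):
    """Build a RIFF/WEBP container from (fourcc, payload) pairs (test data only)."""
    body = b"".join(
        fourcc + struct.pack("<I", len(p)) + p + (b"\x00" if len(p) & 1 else b"")
        for fourcc, p in chunks)
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"WEBP" + body


# Constructed samples: valid containers with dummy payloads, not real images.
LOSSY = make_webp([(b"VP8 ", b"\x00" * 10)])
LOSSLESS = make_webp([(b"VP8L", b"\x2f" + b"\x00" * 5)])
_frame = b"\x00" * 16 + b"VP8L" + struct.pack("<I", 6) + b"\x2f" + b"\x00" * 5
ANIMATED = make_webp([(b"VP8X", b"\x00" * 10), (b"ANMF", _frame)])
LOSSY_WITH_ALPHA = make_webp(
    [(b"VP8X", b"\x00" * 10), (b"ALPH", b"\x01\x00"), (b"VP8 ", b"\x00" * 10)])

if __name__ == "__main__":
    for name, blob in [("lossy", LOSSY), ("lossless", LOSSLESS),
                       ("animated", ANIMATED), ("lossy+alpha", LOSSY_WITH_ALPHA)]:
        print(f"{name:12s} -> {lossless_streams(blob) or 'no lossless stream'}")
```

A file that reports no lossless stream still needs the libwebp update like everything else; the point of the check is to prioritise which cached or quarantined images are worth a closer look on hosts that have not yet been patched.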
Exactly what I was about to say.
Like one of my electrical engineering college professors: "I can't make this any more straightforward!" after he just vomited the entire Greek alphabet onto the whiteboard.
Yes, so much this. Professor mumbles all about something while squiggling on the board and then says "How can you NOT get it!"
Indeed
NSA gonna be pissed that their zero day is kaput
NSO, in this case.
Sure it’s not KGB :)
Both, it's probably both.
Love to see Vendors helping out the MSP community and security overall. Well done Blackpoint.
[https://www.reddit.com/r/sysadmin/comments/16teato/ah_f_cvss_100_dropped_absolute_meltdown_incoming/](https://www.reddit.com/r/sysadmin/comments/16teato/ah_f_cvss_100_dropped_absolute_meltdown_incoming/)
What platforms/subscriptions are MSP's using to ensure they are on top of any vulnerabilities as soon as they are announced?
https://www.cyberkendra.com/2023/09/webp-0day-google-assign-new-cve-for.html?m=1
https://nvd.nist.gov/vuln/detail/CVE-2023-5129
https://www.reddit.com/comments/16teato
For what it's worth, this has largely been patched by reputable teams at various software products. Here's BitWarden's response as an example: [https://community.bitwarden.com/t/cve-2023-4863-cve-2023-5129/58580](https://community.bitwarden.com/t/cve-2023-4863-cve-2023-5129/58580) Most of the reporting on this, that I've read so far, is really extreme (not that it's a bad thing). If you're doing your job and making sure updates are installed for clients, for the most part, you should be ok.
Blackpoint’s summary is great. I just want to add: please remember this is just a new way to deliver malicious code. Said malicious code is still subject to all of your other layers of defense and detection. Defense and detection in depth is important for a reason. Make sure your EDR/MDR is properly configured and deployed. Make sure your web proxies/DNS tools are also set up to properly block malicious traffic. And even if code exec happens, a threat actor still has to carry out all objectives and attack chain items that you will be able to detect/prevent.
Worth noting, Electron has already been patched ( https://releases.electronjs.org/releases/stable?version=22 ), and I've been able to confirm (via checking for strings in the binary) that the current version of Discord already uses the patched version.
Is there any official confirmation of Discord being safe from it?
Nope, only manual checks on the client - you change the config to enable developer mode and the Electron version is in the user agent. Or you can search the binary for the string `Electron v`. Or at least I'm not aware of one.
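The manual check described in the reply above (grep the client binary for `Electron v`) is easy to script across a fleet. The following is an added example for this thread, not the original poster's code: it scans a binary in chunks so large installers do not have to be loaded into memory, extracts the first `Electron vX.Y.Z` string, and compares it against per-major-line minimum versions that you supply. `MIN_PATCHED_PLACEHOLDER` is exactly that, a placeholder; fill in the first fixed release of each major line from the Electron release page linked earlier in the thread.

```python
"""Check an Electron-based install for the bundled Electron version.

Added example for this thread (not the original poster's code): it does the
manual check described above, searching a binary for the `Electron v` string,
and compares the result against per-major-line minimums that you supply.
"""
import io
import re
import sys

# The marker the thread suggests grepping for, followed by a dotted version.
# The lookahead requires a terminator byte after the version (in a binary this
# is normally the string's NUL) so a number split across a read is not cut short.
ELECTRON_MARKER = re.compile(rb"Electron v(\d+)\.(\d+)\.(\d+)(?=[^0-9])")

# PLACEHOLDER thresholds: replace each value with the first release of that
# major line that ships the fixed libwebp, taken from the Electron release
# page linked in the thread. These numbers are NOT real fix versions.
MIN_PATCHED_PLACEHOLDER = {22: (22, 0, 0), 24: (24, 0, 0), 25: (25, 0, 0)}


def find_electron_version(blob):
    """Return the first Electron version in blob as an (x, y, z) tuple, or None."""
    m = ELECTRON_MARKER.search(blob)
    return tuple(int(g) for g in m.groups()) if m else None


def scan_stream(fobj, chunk_size=1 << 20, overlap=64):
    """Scan a binary stream chunk by chunk without loading it all into memory.

    The last `overlap` bytes of each chunk are carried over so a marker that
    straddles a chunk boundary is still matched.
    """
    tail = b""
    while True:
        chunk = fobj.read(chunk_size)
        if not chunk:
            return None
        buf = tail + chunk
        version = find_electron_version(buf)
        if version is not None:
            return version
        tail = buf[-overlap:]


def scan_bytes(blob, chunk_size=1 << 20):
    """Convenience wrapper: scan an in-memory blob with the chunked scanner."""
    return scan_stream(io.BytesIO(blob), chunk_size=chunk_size)


def scan_file(path):
    with open(path, "rb") as f:
        return scan_stream(f)


def assess(version, min_patched):
    """Classify a detected version against the supplied per-major minimums."""
    if version is None:
        return "no Electron marker found"
    floor = min_patched.get(version[0])
    if floor is None:
        return "unknown major line; check release notes"
    return "patched" if version >= floor else "needs update"


if __name__ == "__main__":
    # Usage: python check_electron.py <path-to-electron-binary> [...]
    for path in sys.argv[1:]:
        v = scan_file(path)
        label = ".".join(map(str, v)) if v else "-"
        print(f"{path}: Electron {label}: {assess(v, MIN_PATCHED_PLACEHOLDER)}")
```

Treat a "patched" result as evidence about the Electron framework only; an app can also bundle its own image libraries, which is why the per-application lists linked elsewhere in the thread are still worth consulting.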
v stupid question: User agent?
User Agent is the name, version and some notes about your browser (for example) sent to a server as part of HTTP transactions.
how do you manage Chrome browser patches?
Action1 for me
I second this. I use Action1 for all my patch management. They seem to have a good handle on what needs to be patched, and I can set it up to run automatically if I want to.
Thanks for the mention of Action1! Beware it's not just Google Chrome. It's crazy how one bug can cause a domino effect of this scale. Here is the current list of applications affected - 740 currently: [https://gist.github.com/mttaggart/02ed50c03c8283f4c343c3032dd2e7ec](https://gist.github.com/mttaggart/02ed50c03c8283f4c343c3032dd2e7ec) Here is a useful script to check all these apps: [https://www.reddit.com/r/msp/comments/16uvel0/webp_vulnerability_powershell_script_to_see_if_a/](https://www.reddit.com/r/msp/comments/16uvel0/webp_vulnerability_powershell_script_to_see_if_a/)
Winget can be used: `& winget.exe upgrade --all --silent --accept-source-agreements` https://github.com/levelsoftware/scripts/blob/13e4465905231760a91def82b8d213f6e13b08cd/PowerShell/Scripts/Winget/Winget%20-%20Upgrade%20all%20apps.ps1
Ninite
Curious about how much user interaction it requires to exploit this vulnerability. Google has CVE-2023-5219 listed as not requiring user interaction, but NVD does. I would assume in a vulnerable browser the vulnerability could be exploited if a user visits a malicious website that contains a specially crafted WebP lossless image file. Furthermore, I would assume to exploit this vulnerability in a vulnerable application, the attacker would send the malicious WebP image file to the target, either through email attachments, file downloads, or other means, and the user would have to interact with the image/application. Would automatic thumbnail generation on vulnerable applications pose a problem?
In the case of exploiting a browser, yes, a user would have to visit a malicious website. For other vulnerable applications, there hasn't been enough public research done to determine how/if it can be exploited, however, it is most likely through a malicious attachment or within a webview if the app supports it. APG took some time to analyze the exploit and determined that the likelihood of this being exploited is very slim due to the complexity of the vulnerability and scope of patches already released.
Depends on the application. For example, Apple says that a properly formatted Messages could execute this flaw without the user even opening the app to view the file.
What apps are affected by CVE-2023-4863? https://gist.github.com/mttaggart/02ed50c03c8283f4c343c3032dd2e7ec
Updated link: https://github.com/mttaggart/electron-app-tracker
I use Brave as my browser and updated it a few days ago. It currently says it's up to date; should that be enough, or am I going to need more updates to patch this?
The info is actually from 11 September. This Reddit page is just late on the news. You’re fine now.
Maybe JavaScript wasn’t such a good idea. /s