
Google LibWebP code execution vulnerability

2 October 2023 | CERT, SOC, Vulnerability

This live blog contains information regarding a vulnerability in Google LibWebP. As soon as we have an update, we will add it to this post. More information about the possible risks and the technical details can be found at the bottom of this blog. Last updated on October 2, 2023.

Update 2 October 2023

16:30 | On the 25th of September, Google published CVE-2023-5217 describing a vulnerability in LibWebP. Earlier in September, Google and Apple had published CVE-2023-4863 (Google Chrome) and CVE-2023-41064 (Apple products), describing the same problem in the library. CVE-2023-5217 is considered a duplicate of CVE-2023-4863 and was assigned a CVSS score of 10, which is considered (too) high. CVE-2023-5217 was rejected as a duplicate on the 27th of September.

LibWebP is a library maintained by Google and used for image processing. The vulnerability can lead to arbitrary code execution on the system, but the exploitability and the impact depend on how the application uses the library.

Exploitation of the vulnerable library has been detected in Apple products and the Google Chrome browser. It is advised to create an overview of software that uses the vulnerable LibWebP library and to apply patches when available.

Reason and background of this blog

This blog contains information about the vulnerabilities, the associated risk and advice on how to prevent or limit damage. Below are the possible risks, details and background information.

Vulnerability information

On the 25th of September, Google published CVE-2023-5217 describing a vulnerability in LibWebP. Earlier in September, Google and Apple had published CVE-2023-4863 (Google Chrome) and CVE-2023-41064 (Apple products), describing the same problem in the library. CVE-2023-5217 is considered a duplicate of CVE-2023-4863 and was assigned a CVSS score of 10, which is considered (too) high. CVE-2023-5217 was rejected as a duplicate on the 27th of September.

LibWebP is a library maintained by Google and used for image processing. The vulnerability can lead to arbitrary code execution on the system, but the exploitability and the impact depend on how the application uses the library.

Exploitation of the vulnerable library has been detected in Apple products and the Google Chrome browser. It is advised to create an overview of software that uses the vulnerable LibWebP library and to apply patches when available.

Potential Risk

The vulnerability CVE-2023-5217 has a CVSS score of 10. This vulnerability is considered a duplicate of CVE-2023-4863 and the CVSS score is disputed. The CVSS scale runs from 0 to 10.

A score of 9.8 or higher is rare and implies a high risk of exploitation with high impact. The vulnerabilities registered as CVE-2023-5217, CVE-2023-4863 and CVE-2023-41064 can allow an attacker to execute code on the system running the LibWebP library. The exploitability and the impact depend on how the library is used.

Exploits of CVE-2023-4863 in the Google Chrome browser and CVE-2023-41064 in Apple products have been observed in the wild. Both vendors have released software updates mitigating the vulnerability.

Detail info

Vulnerability CVE-2023-4863 exists in the following versions:

  • Google Chrome browser versions prior to 116.0.5845.187
  • LibWebP versions prior to 1.3.2

The advice is to upgrade to Google Chrome browser version 116.0.5845.187 or later.

Vulnerability CVE-2023-41064 affects the following Apple products and versions:

  • iOS prior to 15.7.9
  • iOS prior to 16.6.1
  • iPadOS prior to 15.7.9
  • iPadOS prior to 16.6.1
  • macOS Big Sur prior to 11.7.10
  • macOS Monterey prior to 12.6.9
  • macOS Ventura prior to 13.5.2

Apple has released software updates; the advice is to upgrade to at least the fixed versions.

For other applications it is advised to create an overview of software that uses the vulnerable LibWebP library and to apply patches when available.
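The inventory step described above can be turned into a repeatable check. The script below is an added example and is not Tesorion's code: it takes a software inventory (the comma-separated `host,product,version` format and the product names are assumptions of this example; the sample inventory is constructed) and compares each entry against the fixed versions listed in this post. Apple products are compared per release branch (iOS 15 and 16, three macOS lines), because each branch has its own fixed release.

```python
"""Inventory check against the fixed versions named in this advisory.

Fixed versions from the post:
  - Google Chrome 116.0.5845.187 and LibWebP 1.3.2 (CVE-2023-4863)
  - iOS/iPadOS 15.7.9 and 16.6.1, macOS 11.7.10, 12.6.9, 13.5.2 (CVE-2023-41064)
The inventory format and product keys below are assumptions of this example.
"""

# Product key -> {major branch: fixed version}. A key of None means a single
# release line, so every version is compared against the same fixed release.
FIXED_VERSIONS = {
    "google-chrome": {None: "116.0.5845.187"},
    "libwebp": {None: "1.3.2"},
    "ios": {15: "15.7.9", 16: "16.6.1"},
    "ipados": {15: "15.7.9", 16: "16.6.1"},
    "macos": {11: "11.7.10", 12: "12.6.9", 13: "13.5.2"},
}


def parse_version(text):
    """Turn '116.0.5845.187' into (116, 0, 5845, 187) so tuples compare numerically.
    Trailing non-digits in a component (e.g. '2rc1') are ignored."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(product, version):
    """True if the version predates the fixed release for its branch,
    False if it is at or beyond the fix, None if the product or branch
    is not covered by the advisory (cannot decide from this post)."""
    branches = FIXED_VERSIONS.get(product.lower())
    if branches is None:
        return None
    parsed = parse_version(version)
    if None in branches:
        fixed = branches[None]
    else:
        fixed = branches.get(parsed[0])
        if fixed is None:
            return None
    return parsed < parse_version(fixed)


# Constructed sample inventory (host, product, version); not real data.
SAMPLE_INVENTORY = """\
ws-01,google-chrome,116.0.5845.140
ws-02,google-chrome,117.0.5938.62
srv-03,libwebp,1.3.1
srv-04,libwebp,1.3.2
mob-05,ios,16.6
mob-06,ios,15.7.9
mac-07,macos,12.6.8
mac-08,macos,14.0
"""


def check_inventory(csv_text):
    """Return (host, product, version, status) for every inventory line."""
    labels = {True: "VULNERABLE", False: "patched", None: "unknown"}
    findings = []
    for line in csv_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, product, version = [field.strip() for field in line.split(",")]
        findings.append((host, product, version, labels[is_vulnerable(product, version)]))
    return findings


def vulnerable_hosts(csv_text):
    """Hosts that still run a version older than the fixed release."""
    return [host for host, _, _, status in check_inventory(csv_text) if status == "VULNERABLE"]


if __name__ == "__main__":
    for host, product, version, status in check_inventory(SAMPLE_INVENTORY):
        print(f"{host:8} {product:14} {version:16} {status}")
```

Entries reported as "unknown" (a product or branch the advisory does not list, such as macOS 14) are deliberately not marked as patched; they need a separate check against the vendor's release notes rather than a silent pass.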

If any suspicious or malicious activity is detected in relation to this article, please contact T-CERT. The Tesorion Computer Emergency Response Team offers specialist support 24/7. In emergencies, we immediately conduct an initial assessment by telephone and do all we can to get the situation under control as soon as possible.
