Looking for some help, my company might not be able to fully patch CVE-2023-4863 aka BLASTPASS for a few days. Does anyone know a way of detecting exploitation of this through Splunk? Can you see it in web server logs? Next-gen firewall? WAF? I’m not seeing much info online about how to detect the exploitation.

#libwebp #cve20234863 #blastpass #splunk #siem

MS claim #cve20234863 is patched in Teams 1.6.00.26474 but still with Electron 19.1.8. Does anyone know if this means it's only patched in 'new' mode (Webview2) or always?
#libwebp #msteams

Here's a non-exhaustive list of all the stuff I've seen people doing to mitigate #cve20234863 #libwebp

https://www.justinmcafee.com/2023/09/libwebp-cve-2023-4683.html

I did some digging and thought I would share for those who use MS Teams
Newest version released yesterday is 1.6.00.26463(macOS), 1.6.00.26474(Windows).
It uses Electron Version 19.1.8 (ancient and out of support for almost a year!!!)
Electron 19.1.8 uses Chromium 102.0.5005.167
Chromium 102.0.5005.167 uses libwebp 1.2.2
libwebp 1.2.2 is vulnerable to the lilbwebp 0-day, #CVE20234863
:dumpster_fire_gif:
Be careful who you let in a Teams meeting...

The #CVE-2023-5129 has been withdrawn. Now it is only the initial #CVE20234863 that is still valid, although with a somewhat lower rating (8.8).

#libwebp #webp

Good Morning, story so far on the next log4j level #vulnerability #CVE20234863 #CVE20235129
#0day #Chrome #iOS

• libwebp library is vulnerable to heap overflow and can lead to RCE.
• Apple assigned #CVE202341064 and #CVE202341061. Also actively exploited by #blastpass
• #Google assigned #CVE20235129 for Chrome 0day and also exploited
• Millions of apps and software use this library. See list sofar in 🧵
• #CVE20235129 was rejected by NVD earlier due to all this confusion of several vendors assigning CVEs affecting their products
• This will lead to vulnerability scanners not being able to correctly identify if your assets are affected with libwebp. #infosec #sectoot

Analysis of WebP Zero-Day Vulnerability (CVE-2023-4863)

1. Introduction:

   • The WebP zero-day vulnerability, identified as CVE-2023-4863, was discovered by Apple's Security Engineering and Architecture (SEAR) team and was reported to Google. The vulnerability was a heap buffer overflow in the WebP image library, which was being exploited in the wild.

2. Technical Analysis:

   • The vulnerability resided in the "lossless compression" support for WebP, also known as VP8L. The issue was within the Huffman coding algorithm used by WebP for lossless compression.
   • The vulnerable code was found to overflow the Huffman table when decoding an untrusted image due to incorrect memory allocations based on pre-calculated buffer sizes from a fixed table.
   • The patch fixed the issue by performing a "first pass" construction to calculate the total size required for the Huffman table before actual construction, thereby preventing the overflow.

3. Exploit Analysis:

   • A proof-of-concept (PoC) was developed to replicate the bug, demonstrating a heap-buffer-overflow. The PoC utilized crafted Huffman coding data to trigger the overflow.
   • The exploitation required constructing a sequence of four valid Huffman tables followed by a specific type of invalid Huffman table to trigger the overflow.
   • The overflow could lead to out-of-bounds write, which was deemed exploitable.

4. Mitigation:

   • The patch provided by Google addressed the issue by denying the inputs that would cause a heap overflow, effectively mitigating the vulnerability.

5. Fuzzing Challenges:

   • Post mitigation, a discussion arose regarding the effectiveness of fuzzing in discovering such vulnerabilities. The complexity and fragility of the format made it a challenging task for fuzzers to identify this specific vulnerability.
   • A new fuzzer was released by Google specifically for the Huffman routines in WebP to enhance the fuzzing process.

6. Conclusion:

   • The WebP 0day (CVE-2023-4863) showcased the intricacies and challenges in identifying and mitigating vulnerabilities in complex file format libraries. The analysis also highlighted the importance of effective fuzzing techniques to uncover such vulnerabilities in the future.

Source: https://blog.isosceles.com/the-webp-0day/

#WebP #zeroday #CVE20234863

"Google's Silent Amendment: A Tale of a Critical WebP Vulnerability 🕷️"

Google has discreetly updated a prior disclosure concerning a critical code-execution vulnerability, initially underplayed as affecting only Chrome, but now revealed to impact thousands of apps and software frameworks. The culprit is the libwebp code library, created by Google for rendering WebP images, which is embedded in numerous apps, operating systems, and code libraries, notably the Electron framework. The vulnerability, initially tagged as CVE-2023-4863, was reclassified as CVE-2023-5129 with a severity rating escalated to a perfect 10. The flaw could allow attackers to execute malicious code merely by tricking users into viewing a corrupted WebP image. It's a stark reminder to ensure your apps, especially those running on Electron versions v22.3.24, v24.8.3, or v25.8.1, are updated to dodge this bullet. 🛡️

Source: Ars Technica by Dan Goodin. Follow him on Twitter.

Tags: #Google #WebPVulnerability #CVE20234863 #CVE20235129 #CyberSecurity #CodeExecution #ElectronFramework #SoftwareVulnerability #InfoSec

@campuscodi This article claims that it is a new CVE for the same vulnerability, to clarify scope?

https://stackdiary.com/heap-buffer-overflow-in-libwebp-cve-2023-5129/

But this seclists thread seems to say that CVE-2023-5129 is associated with libwebp commits that are different from the fixes associated with CVE-2023-4863 [Edit: but these are described by the issuer as cleanups]:

https://seclists.org/oss-sec/2023/q3/230

The seclists poster is reaching out to double-check whether it's new. Solar Designer's assessment is that it's probably the same (but that the cleanups in the code should be examined anyway):

https://seclists.org/oss-sec/2023/q3/236

#CVE20235129 #CVE20234863 #CVE_2023_4863 ##CVE_2023_5129 #libwebp

Google assigns a CVE for libwebp and gives it a 10.0 score

https://stackdiary.com/heap-buffer-overflow-in-libwebp-cve-2023-5129/

#security #webp #libwebp #cve20235129 #cve20234863

@Perl Here is a find + #Perl command for #macOS that will check which installed #Electron-based applications have not yet been updated against this month's #libwebp #CVE20234863 #security vulnerability: https://social.sdf.org/@mjgardner/111126922716051872

Other apps may be vulnerable, this just checks the Electron ones!

It uses the built-in https://perldoc.perl.org/version API for parsing and comparing version numbers.

@t_slider @TomSellers @dangoodin The output lists all apps using #Electron regardless of their vulnerability. Here is an expanded command that only lists Electron apps that have not been updated against the #CVE20234863 #libwebp vulnerability: https://social.sdf.org/@mjgardner/111126922716051872

I agree that the number of apps using Electron is alarming in itself, though.

⚠️ glTF Transform v3.7.0 was just published, including upstream fixes to libwebp. If you're processing glTF 3D models or textures from untrusted sources, this is a critical update.

Thanks to @lovell for bringing the fixes in from libwebp to sharp.js so quickly.

https://gltf-transform.dev/

#CVE20234863 #libwebp #webp #security #threejs #webgl #gltf #gamedev

Update Firefox and Thunderbird #Vulnerability #security #firefox #thunderbird #CVE20234863
https://www.howtogeek.com/mozilla-firefox-thunderbird-security-flaw-2023/

The #WebP buffer overflow bug that caused all the major browsers to issue patches earlier this week (e.g. #Firefox 117.0.1) also affects applications built with Electron. #1Password issued an update today for their Mac build.

The CVE affects the underlying webp library, not just web browsers, so this will be an ongoing issue.

#CVE20234863

"Who uses #libwebp?
"There are a lot of applications that use libwebp to render WebP images, I already mentioned a few of them, but some of the others that I know include: #Affinity (the design software), #Gimp, Inkscape [not according to Martin Owens, see comment below], #LibreOffice, #Telegram, #Thunderbird (now patched), #ffmpeg, and many, many #Android applications as well as cross-platform apps built with #Flutter."

https://stackdiary.com/critical-vulnerability-in-webp-codec-cve-2023-4863/

#IceCat browser users go update ASAP!!!

If you are unable to update ASAP, I imagine that disabling "image.webp.enabled" in about:config could in theory assist in avoiding this exploit being executed? However, please take that solely as a theory and not concrete evidence.

Perhaps someone following one of these tags could advise better.
#Mozilla #Firefox #Security #NetSec #cve20234863 #libwebp #webp

https://www.bleepingcomputer.com/news/security/mozilla-patches-firefox-thunderbird-against-zero-day-exploited-in-attacks/