Original Post: Resolving Webp Zero-day Vulnerability CVE-2023-4863
The content describes a critical vulnerability in the WebP image library, leading to a Heap Buffer Overflow. Discovered during a spyware campaign by the NSO group affecting Apple devices, the vulnerability’s root is in the WebP library, used in applications like Google Chrome and the Electron Framework. Detection methods involve using Veracode’s Software Composition Analysis (SCA) and Container Security scanners. Remediation involves updating to patched versions or applying the latest patches if compiling from source.
The document outlines two main options for detecting and remediating the vulnerability:
1. Using Veracode SCA scanners to detect instances of the WebP library in applications.
2. Scanning container images or file systems for the vulnerable library and updating accordingly.
An example highlights scans using the Veracode SCA agent on various libraries, and emphasizes updating to fixed versions to mitigate risks. It also discusses an alternative method to test for the vulnerability, noting that a full proof-of-concept (POC) exploit is not public, though a Denial-of-Service example exists.
The impact on organizations is significant due to WebP’s integration in many applications like web browsers and frameworks (e.g., Electron). The history of the WebP vulnerability is detailed, clarifying its disclosure process through multiple CVEs and the confusion arising from varying descriptions and severity scores.
Lastly, the document references Citizen Lab’s report on the “BLASTPASS” zero-click campaign involving NSO’s spyware, highlighting the threat’s severity when a crafted WebP file in an iMessage led to code execution without user interaction. This vulnerability traces back to a 2010 commit improving lossless Huffman encoding in WebP.
In summary, the text emphasizes the critical nature of the WebP vulnerability, the necessity for detection and timely remediation, and its impact on commonly used software.
Go here to read the Original Post