Vulnerability in popular ‘libwebp’ code more widespread than expected
Cybersecurity experts are warning that the scope of a previously disclosed vulnerability affecting a variety of web applications is wider than what was originally announced.
The vulnerability — first tracked as CVE-2023-4863 — was disclosed by Google last week as a vulnerability affecting its Chrome browser. Other browsers began to release notices about the issue before researchers dug deeper into it and sourced the vulnerability back to the open-source libwebp library.
The library — which provides code for rendering images in the WebP format — is used by multiple browsers and image editors, including Chrome, Mozilla's Firefox and Microsoft Edge.
This week, Google gave the issue a new number — CVE-2023-5129 — and marked the vulnerability with the highest CVSS severity rating, 10 out of 10. Google did not respond to requests for comment about the issue.
Software supply-chain security researchers at Rezilion said last week that the vulnerability’s scope is “much wider than initially assumed, affecting millions of different applications worldwide.”
“Vulnerability scanners will not necessarily provide a reliable indication of the presence of this vulnerability, due to being wrongly scoped as a Chrome issue,” researchers from the company said.
The vulnerable library was “found in several popular container images’ latest versions, collectively downloaded and deployed billions of times, such as Nginx, Python, Joomla, WordPress, Node.js, and more.”
The bug was discovered by Apple Security Engineering and Architecture (SEAR) and the Citizen Lab at The University of Toronto, according to Mozilla. The Cybersecurity and Infrastructure Security Agency (CISA) warned of the vulnerability separately and said it was under active exploitation by unnamed threat actors.
According to Rezilion, researchers reported the issue to Google and Apple separately, and both companies believed it affected different products. But both use libwebp, and Rezilion said the main concern is that vulnerability scanners will only flag the issue for these specific products, creating a “huge blindspot for organizations blindly relying on the output of their vulnerability scanner.”
Yotam Perkal, head of research at Rezilion, told Recorded Future News that it was likely an honest mistake.
“It is possible that they assumed that the vulnerability is only applicable in the context of Google Chrome,” Perkal said.
“But once such a mistake is made the consequences are significant as it creates a blind spot for vulnerability scanners.”
Rezilion added that it is “highly likely that the underlying issue in the libwebp library is the same issue resulting in CVE-2023-41064 used by threat actors as part of the BLASTPASS exploit chain to deploy the NSO Group’s Pegasus spyware on target mobile devices.” That bug also was reported by the Citizen Lab in early September.
Coping with a mis-scoping
Critical Start cybersecurity expert Callie Guenther said the vulnerability poses significant risks due to its high severity and the potential for remote code execution.
“What's particularly alarming is the broad attack surface this vulnerability presents. Beyond its initial identification within Google Chrome, it affects a myriad of Linux applications and widely-used container images,” Guenther said.
“The initial mis-scoping of CVE-2023-4863, tied solely to Google Chrome and Apple's ImageIO framework, underscores the importance of both human expertise and advanced tools in vulnerability detection. Sole reliance on automated vulnerability scanners may not always yield comprehensive insights, and human analysis remains invaluable in connecting the dots.”
More than ever, organizations have to rigorously inventory their software assets to ensure the comprehensive mitigation of such vulnerabilities, Guenther added.
Colin Little at cybersecurity firm Centripetal explained that the issue is the latest case of a high-risk vulnerability affecting an obscure functionality used in many popular web applications. It’s a “monumental challenge” for security teams to track down, and it’s “very reminiscent of Log4j,” the logging software with a flaw that prompted a global, multi-government remediation effort last year, he said.
“It makes me wonder what other vulnerabilities are lingering in the core of critical Internet infrastructure that are still unknown,” Little said. “This one functionality has an unbelievably wide adoption in this core — web applications, security and operations applications, and web browsing applications — all of which users around the world utilize for personal and professional use every day.”
Little argued that these events are proof that there needs to be a watchdog of sorts monitoring tools for which there is a very heavy cross-application dependency, and for which a critical vulnerability would have a worldwide impact.
Two weeks ago, the White House coordinated a meeting of about 90 government officials and private sector executives to draft a new, long-term plan for securing publicly available open source code, and CISA released its long-awaited roadmap for open-source software security.
Chris Wysopal, an expert on open source software security and founder of Veracode, said the large number of high-quality open source projects has allowed organizations to build more custom applications — and become more dependent on open source software — than ever before.
“We have found that 79% of developers never update third-party libraries after including them in the codebase. This is despite the fact that 92% of open source library flaws can be fixed with an update, and 69% of fixes are minor and won’t break the functionality of even the most complex software applications,” he said.
Several other cybersecurity experts, like Tanium’s Melissa Bischoping, said there should be a different level of responsible disclosure and coordination when vulnerabilities are discovered within shared libraries, because of their potential impact on thousands of applications rather than just one or two.
Multiple people said the recent incident underscores the government-backed push for software bills of materials (SBOMs), which will help organizations better understand what tools the software they use relies on.
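The scanner blind spot and the SBOM point above can be seen side by side in a short added example, which is not from the article or from Rezilion. It assumes CycloneDX-style SBOMs with nested `components`; the image names, component names, placeholder versions and function names are all constructed for illustration.

```python
# Constructed sample SBOMs for three hypothetical images (not real scan output).
# Versions are placeholders; compare real ones against the vendor advisory.
SBOMS = {
    "browser-kiosk": {"components": [
        {"name": "chrome", "version": "0.0.0-sample", "components": [
            {"name": "libwebp", "version": "0.0.0-sample"}]}]},
    "image-api": {"components": [
        {"name": "python", "version": "0.0.0-sample"},
        {"name": "thumbnailer", "version": "0.0.0-sample", "components": [
            {"name": "libwebp", "version": "0.0.0-sample"}]}]},
    "static-site": {"components": [
        {"name": "nginx", "version": "0.0.0-sample"},
        {"name": "libwebp7", "version": "0.0.0-sample",
         "purl": "pkg:deb/debian/libwebp7@0.0.0-sample"}]},
}

def walk(components, path=()):
    """Yield (path, component) for every component, including nested ones."""
    for comp in components or []:
        here = path + (comp.get("name", "?"),)
        yield here, comp
        yield from walk(comp.get("components"), here)

def product_scoped(sboms, products):
    """What a check keyed on product names sees: top-level matches only."""
    return sorted(image for image, sbom in sboms.items()
                  if any(c.get("name", "").lower() in products
                         for c in sbom.get("components", [])))

def library_scoped(sboms, needle):
    """Every copy of the library, at any depth, matched by name or purl."""
    hits = []
    for image, sbom in sboms.items():
        for path, comp in walk(sbom.get("components")):
            ident = (comp.get("name", "") + " " + comp.get("purl", "")).lower()
            if needle in ident:
                hits.append((image, "/".join(path),
                             comp.get("version", "unknown")))
    return sorted(hits)

def blind_spot(sboms, products, needle):
    """Images that hold the library but are missed by the product-only check."""
    flagged = set(product_scoped(sboms, products))
    return sorted({image for image, _, _ in library_scoped(sboms, needle)} - flagged)

if __name__ == "__main__":
    print("product-scoped:", product_scoped(SBOMS, {"chrome"}))
    for hit in library_scoped(SBOMS, "libwebp"):
        print("library-scoped:", hit)
    print("blind spot:", blind_spot(SBOMS, {"chrome"}, "libwebp"))
```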
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.