LibWebP (CVE-2023-4863)


Here is a non-exhaustive list of possible mitigations to prevent exploitation of CVE-2023-4863 in the libwebp library. The bug is a heap buffer overflow in the WebP decoder, and because so many applications bundle their own copy of libwebp, it is reachable on every operating system, in most browsers, and in an exceptional number of Electron framework applications.

This CVE is now rated 10.0 after originally being rated 8.8. Google's original disclosure described it as a Chrome vulnerability only; after investigation it became clear that every copy of the libwebp library, on every platform, was vulnerable.

A similar CVE (CVE-2023-5217) is pending analysis for the VP8 video codec in libvpx (a sister library to libwebp).

Working proof-of-concept exploits are publicly available, and both Google and Apple have acknowledged threat actors and commercial spyware vendors using the vulnerability, so it is essential that you begin reviewing and patching all business-critical applications.

Patch Browsers, All of them

All major and minor browsers across all operating systems are affected. Since the web is the most likely attack vector for most people, patching browsers is the first and primary prevention/remediation task.

All downstream projects of the major browsers, including Chromium, IceWeasel, Brave, Opera, and their mobile versions, should be patched across all operating systems.

Browsers should be one of the following versions or greater.

Configure NIDS/NIPS to strip WebP attachments

Using your network intrusion detection/prevention system, you may be able to strip WebP attachments from mail and web traffic as a temporary measure. This reduces the chance that users within your control are attacked via watering-hole or malvertising campaigns.

This is a heavy-handed approach but may serve as a significant stop-gap until patching can occur. Two caveats: a rule that keys only on the .webp extension or the image/webp content type is easy to sidestep, because browsers choose the image decoder from the file's RIFF/WEBP signature rather than its name, so match on the signature where your tooling allows; and the rule only sees HTTPS traffic if you are already doing TLS interception. As always, assess the impact to your business before proceeding.
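As an added example (not code from the original post), the following PowerShell identifies WebP files by their RIFF/WEBP signature rather than by extension, lists the chunks each file carries, and flags files with a lossless (VP8L) bitstream, which is the decoder the libwebp 1.3.2 fix changed. It is meant to be run over a directory of extracted attachments or downloads; the demo directory and sample files it writes are constructed for illustration and are valid containers, not decodable images.

```powershell
# Added example, not from the original post: classify files as WebP by signature
# and flag lossless (VP8L) bitstreams. Demo directory and sample files are constructed.

function Get-WebPInfo {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $ascii = [System.Text.Encoding]::ASCII

    # WebP is a RIFF container: "RIFF" <u32 length> "WEBP", then FourCC-tagged chunks.
    if ($bytes.Length -lt 12 -or
        $ascii.GetString($bytes, 0, 4) -ne 'RIFF' -or
        $ascii.GetString($bytes, 8, 4) -ne 'WEBP') {
        return $null
    }

    $chunks   = New-Object System.Collections.Generic.List[string]
    $lossless = $false
    $pending  = New-Object System.Collections.Generic.Stack[object]
    $pending.Push([pscustomobject]@{ Start = 12; End = $bytes.Length })

    while ($pending.Count -gt 0) {
        $range = $pending.Pop()
        $pos   = [int]$range.Start
        $end   = [int]$range.End
        while ($pos + 8 -le $end) {
            $fourcc  = $ascii.GetString($bytes, $pos, 4)
            $size    = [System.BitConverter]::ToUInt32($bytes, $pos + 4)
            $payload = $pos + 8
            if ($payload + $size -gt $end) { $chunks.Add("$fourcc(truncated)"); break }
            $chunks.Add($fourcc)
            switch ($fourcc) {
                'VP8L' { $lossless = $true }
                'ALPH' {
                    # ALPH header byte, bits 0-1: compression method. 1 = the alpha plane is
                    # VP8L-compressed, so it also runs through the lossless decoder.
                    if ($size -ge 1 -and ($bytes[$payload] -band 0x03) -eq 1) { $lossless = $true }
                }
                'ANMF' {
                    # Animation frames: 16-byte frame header, then the frame's own chunks.
                    if ($size -gt 16) {
                        $pending.Push([pscustomobject]@{ Start = $payload + 16; End = $payload + $size })
                    }
                }
            }
            # RIFF pads odd-sized payloads to an even length.
            $pos = [int]($payload + $size + ($size % 2))
        }
    }

    [pscustomobject]@{
        Path      = $Path
        Extension = [System.IO.Path]::GetExtension($Path)
        Chunks    = ($chunks -join ',')
        Lossless  = $lossless
    }
}

function Find-WebPFiles {
    # Walk a directory (e.g. an attachment quarantine) and keep only files that are WebP by signature.
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -File -Recurse | ForEach-Object {
        $info = Get-WebPInfo -Path $_.FullName
        if ($info) { $info }
    }
}

function New-SampleWebP {
    # Constructed sample: a well-formed RIFF/WEBP container holding one chunk of the given
    # type with a throwaway 5-byte payload. Enough to exercise the parser; not a decodable image.
    param([string]$Path, [string]$FourCC)
    $enc     = [System.Text.Encoding]::ASCII
    $payload = [byte[]](0x2F, 0x00, 0x00, 0x00, 0x00)    # odd length, so a pad byte follows
    $chunk   = $enc.GetBytes($FourCC) + [System.BitConverter]::GetBytes([uint32]$payload.Length) + $payload + [byte[]](0x00)
    $body    = $enc.GetBytes('WEBP') + $chunk
    $riff    = $enc.GetBytes('RIFF') + [System.BitConverter]::GetBytes([uint32]$body.Length) + $body
    [System.IO.File]::WriteAllBytes($Path, [byte[]]$riff)
}

# Demo directory (assumed location): one lossless WebP, one WebP renamed to .png, one non-image.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'webp-signature-demo'
New-Item -ItemType Directory -Force -Path $demo | Out-Null
New-SampleWebP -Path (Join-Path $demo 'lossless.webp') -FourCC 'VP8L'
New-SampleWebP -Path (Join-Path $demo 'renamed.png')   -FourCC 'VP8 '   # WebP hiding behind a .png extension
Set-Content -Path (Join-Path $demo 'notes.txt') -Value 'not an image'

Find-WebPFiles -Root $demo | Format-Table Extension, Chunks, Lossless, Path -AutoSize
```

The renamed .png is the case an extension filter misses and a browser still decodes. Point `Find-WebPFiles` at whatever directory your mail gateway or proxy quarantines attachments to, and treat anything with `Lossless` set, or a `VP8X` container wrapping `ALPH`/`VP8L` chunks, as the higher-priority sample to hold back.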

Block Incoming WebP files from Email

Using your email protection service, block or remove incoming attachments in WebP format.

To assess the impact to the business, a sample query for Microsoft Defender's Advanced Hunting is provided below. It groups the last 30 days of WebP attachments by sender so you can see who legitimately sends them before you block.

EmailAttachmentInfo
| where Timestamp > ago(30d)
| where FileName endswith ".webp" or FileType =~ "webp"
| summarize Messages = dcount(NetworkMessageId), Recipients = dcount(RecipientEmailAddress) by SenderFromAddress
| order by Messages desc

A simple Exchange mail flow rule can be enabled to prevent these messages from reaching users' mailboxes. Mail flow rules are preferable to silent filtering because they can tell legitimate senders why their email was rejected.

1) Go to https://admin.exchange.microsoft.com/#/transportrules
2) Click + Add a rule
3) Select Create a new rule
4) Assign a name
5) Under Apply this rule if, choose The sender is external/internal
6) Select the sender location Outside the organization
7) To the right of The sender is external/internal, press the +
8) Choose And any attachment file extension includes these words
9) Specify the word "webp"
10) Under Do the following, choose Block the message > reject the message and include an explanation
11) Specify the rejection reason
12) Add exceptions as needed
13) Click Next
14) Set the rule mode to Enforce
15) Click Next
16) Go back to https://admin.exchange.microsoft.com/#/transportrules
17) Find your rule and click on it
18) Set Enable or disable rule to Enabled

Thanks Bradley!
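The same rule built from Exchange Online PowerShell, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module is installed; the rule name, rejection text and the exception domain are placeholders to adapt.

```powershell
# Added example, not from the original post: the admin-center rule above, scripted.
# Assumes the ExchangeOnlineManagement module; names and text below are placeholders.
Connect-ExchangeOnline   # interactive sign-in; add -UserPrincipalName <admin@tenant> to pre-fill

$ruleName = 'Block inbound WebP attachments (CVE-2023-4863)'

$params = @{
    Name                            = $ruleName
    FromScope                       = 'NotInOrganization'   # "sender location: Outside the organization"
    AttachmentExtensionMatchesWords = 'webp'                 # extension match, no leading dot
    RejectMessageReasonText         = 'WebP attachments are temporarily blocked while CVE-2023-4863 is remediated. Please resend the image as PNG or JPEG.'
    RejectMessageEnhancedStatusCode = '5.7.1'
    ExceptIfSenderDomainIs          = 'trusted-partner.example'   # assumed exception; remove or replace
    Mode                            = 'Enforce'              # use 'Audit' first to measure the blast radius
    Enabled                         = $true
    Comments                        = 'Temporary mitigation; remove once endpoints are patched.'
}
New-TransportRule @params

# Confirm the rule exists and is enforced before relying on it.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, FromScope, AttachmentExtensionMatchesWords, ExceptIfSenderDomainIs
```

Run it once with `Mode = 'Audit'` and compare the hit count against the Advanced Hunting query above before switching to `Enforce`. Note that this condition matches on the attachment's extension only; a WebP renamed to another image extension passes the rule and is still decoded by an unpatched browser, so the rule is a reduction in exposure, not a complete block.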

Block Incoming WebP Files from Teams

Still under investigation; this is likely addressed by blocking the files at the OneDrive/SharePoint layer, since Teams stores shared files there.

Block Incoming WebP files from Slack

Still under investigation; Slack itself ships on a vulnerable Electron version, so an updated client is the real fix here.

Disassociate webp files from opening with a browser on Windows.

Within Intune or GPO settings, a default file association can be assigned for .webp. It can be pointed at Paint or another non-browser application across the estate.

This helps break up the attack chain if a user does receive a malicious .webp inside an ISO or ZIP file: double-clicking it no longer hands it to an unpatched browser. Note that Microsoft's advisory for this CVE also lists the Webp Image Extensions Store package as affected, so Paint or Photos decoding the file through that codec is not a safe fallback until that package is updated as well; the association change removes the browser from the path, it does not remove the decoder.

This is also a recommended mitigation for malicious .ps1 and other script file types (associate them with Notepad rather than the script host).

Disassociate webp files from opening with a browser on macOS.

Within Jamf, a default file association can be assigned and pointed at a non-browser application across the estate.

This helps break up the attack chain if a user does receive a malicious .webp inside an ISO, DMG, or ZIP file. Keep in mind that Preview and Quick Look decode WebP through the system ImageIO framework, which Apple patched in its own OS updates for this bug, so this is a supplement to the macOS update, not a replacement for it.

Ensure PaloAlto Wildfire rule (94394) is enabled

Palo Alto Networks was quick to release a signature for this CVE. If you have the benefit of WildFire in your environment, ensure that rule 94394 is enabled.

Upgrade Teams

Teams is likely one of the most vulnerable applications, second only to browsers. Microsoft relies on an extremely old Electron release, 19.1.8, even in the most recent builds of the legacy Teams client; Electron 19 was already end-of-life when the fix shipped and did not receive it. As of publishing, Microsoft is still pushing the "new" legacy client with that vulnerable Electron version.

Users should be encouraged to switch to the "New" Teams client, which uses WebView2 instead of Electron. WebView2 picks up its fix through the Edge WebView2 Runtime rather than through a Teams release, so confirm that runtime is updating as well.

This can be forced from the Teams admin center via the Teams update policy ("Use new Teams client").

Upgrade VSCode

VS Code releases prior to 1.82.2 also ship a vulnerable Electron version.

Users should be encouraged to restart the application to pick up the most recent version.

Additionally, users can click Help > Check for Updates to force an update of the application.

Upgrade OS packages for LibWebP

All libwebp packages prior to 1.3.2 should be upgraded across all major operating systems; 1.3.2 is the release that carries the fix.

Upgrade other Electron apps as patches are released

Electron serves as a major web framework and wrapper for over 700 applications. Thanks to the work of a number of people, a running list of identified vulnerable apps and their updates is available on GitHub.

Additionally, Travis Baraki shared a great macOS detection one-liner from Tom Sellers for printing the Chrome and Electron versions bundled in each installed app:

find /Applications -type f -name "*Electron Framework*" -exec \
  sh -c "echo \"{}\" && strings \"{}\" | grep '^Chrome/[0-9.]* Electron/[0-9]' | head -n1 && echo" \;
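A Windows counterpart to that one-liner, as an added example that is not part of the original post. It assumes that each Electron app's main executable embeds the same "Chrome/<ver> Electron/<ver>" string the macOS command greps for, and that the fixed-version table below matches Electron's advisory for CVE-2023-4863; confirm the table against the advisory before acting on the output.

```powershell
# Added example, not from the original post: scan Windows Electron apps for their bundled
# Electron version and compare it against the first fixed release per major.
# Assumptions: the version string lives in the main .exe, and the table below is current.

$fixedVersions = @{            # first patched release per supported major (assumed; verify)
    22 = [version]'22.3.24'
    24 = [version]'24.8.3'
    25 = [version]'25.8.1'
    26 = [version]'26.2.1'
}

function Get-ElectronVersion {
    param([Parameter(Mandatory)][string]$Path)
    # Decode the binary as Latin-1 so every byte maps to exactly one char and the regex can run over it.
    $text = [System.Text.Encoding]::GetEncoding(28591).GetString([System.IO.File]::ReadAllBytes($Path))
    $m = [regex]::Match($text, 'Chrome/(\d+(?:\.\d+)+) Electron/(\d+(?:\.\d+)+)')
    if (-not $m.Success) { return $null }
    [pscustomobject]@{ Path = $Path; Chrome = $m.Groups[1].Value; Electron = $m.Groups[2].Value }
}

function Test-ElectronPatched {
    param([Parameter(Mandatory)][string]$ElectronVersion)
    $v = [version]($ElectronVersion -replace '-.*$', '')    # pre-release suffixes are ignored
    if ($fixedVersions.ContainsKey($v.Major)) { return $v -ge $fixedVersions[$v.Major] }
    # Majors above the table were cut after the fix; older majors (19, 23, ...) never received it.
    return $v.Major -gt 26
}

# Where per-machine and per-user Electron apps normally install (assumed roots; extend as needed).
$roots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:LOCALAPPDATA", "$env:APPDATA")

$results = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Filter *.exe -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -gt 50MB } |      # Electron binaries are large; skips most helpers/installers
        ForEach-Object { Get-ElectronVersion -Path $_.FullName } |
        Where-Object { $_ }
}

$results |
    Select-Object Path, Chrome, Electron, @{ n = 'Patched'; e = { Test-ElectronPatched $_.Electron } } |
    Sort-Object Patched, Path |
    Format-Table -AutoSize
```

Unpatched entries sort to the top. Anything reporting a major that is absent from the table and below 22 (the legacy Teams client's Electron 19, for example) is out of support and will only be fixed by moving to a different client, not by waiting for an update.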

EDR Rule for webp write-to-disk

Using your EDR tool of choice, create a detection and alert for WebP files being written to disk. This is easily accomplished in CrowdStrike Falcon and Microsoft Defender for Endpoint, as shown below. Expect noise from browser downloads and file-sync clients; the aim is to surface WebP files landing in user-writable locations, so scope the query to those paths and tune from there.

Falcon:

event_simpleName=*FileWritten FileName="*.webp"
| table ComputerName, event_simpleName, FileName, FilePath

MDE:

DeviceFileEvents
| where FileName endswith ".webp" and ActionType in ("FileCreated", "FileModified", "FileRenamed")
| where FolderPath !contains "C:\\Windows" and FolderPath !contains "C:\\Program Files"

Thanks to @Tom Webb for the correction!

Update managed file shares to prevent webp upload/download

OneDrive, Egnyte, and other managed file share services may offer a way to block or alert on WebP files.

For Egnyte, the Security and Compliance settings can be configured to report on the presence of webp files.

For OneDrive, Microsoft offers this solution

Review Code Dependencies

Docker Desktop added a built-in image scanner that uses Snyk as its backend.

If you are not already using a product like Prisma Cloud or CrowdStrike Falcon Horizon for cloud workload protection, this can be a good option for finding vulnerable libwebp copies, and the language bindings that bundle them, inside your images.

HowToGeek posted a good write-up on using the built-in scanner in Docker Desktop.

An important caveat is that Snyk only allows 10 scans a month before requiring a Snyk login.