LibWebP (CVE-2023-4863)
Here is a non-exhaustive list of possible mitigations to prevent the exploitation of CVE 2023-4863 in the LibWebP library. This library has a heap buffer overflow available across all operating systems, most browsers, an exceptional number of Electron framework applications.
This CVE is rated a 10 after previously being rated 8.8. This was due to an original disclosure from Google stating that Chrome was the only effected application. After investigation, it was discovered that all instances of the LibWebP library were vulnerable across all platforms.
A similar CVE ( 2023-5217) is pending analysis for the VP8 webstream video format (a sister library to libwep.)
As working proof-of-concepts are generally available to the public and Google and Apple both acknowledge threat actors and spyware vendors making use of the vulnerability, it is essential that you begin reviewing and patching all business critical applications.
Patch Browsers, All of them
All major and minor browsers across all operating systems are effected. As the web is the most likely attack vector for a majority of individuals, this is the first and primary prevention/remediation task.
All downstream projects of major browsers including Chromium, IceWeasel, Brave, Opera, and their mobile versions should be patched across all operating systems.
Browsers should be one of the following versions or greater.
- Google Chrome 116.0.5845.187
- Edge 109.0.1518.140
- Firefox versions
- Firefox 117.0.1
- Firefox ESR 102.15.1
- Firefox ESR 115.2.1
- Thunderbird 102.15.1
- Thunderbird 115.2.2
- Safari 16.6.1
Configure NIDS/NIPS to strip WebP attachments
Using your network intrusion detection/prevention system, you may be able to strip webp attachments from mail and traffic as a temporary measure. This will insure that users within your control can not be attacked via watering hole or malvertising attacks.
This is a heavy handed approach but may serve as a significant stop-gap until appropriate patching can occur. As always, assess the impact to your business before proceeding.
Block Incoming WebP files from Email
Using your Email protection services, block or remove incoming attachments with a webp format.
To assess the impact to the business, a sample query for Microsoft’s Advanced Hunting product is provided below.
EmailAttachmentInfo |where FileName contains ".webp"
A simple Exchange Mail Flow rule can be enabled to prevent these messages from arriving in users mailboxes. These are preferable as mail flow rules can advise legitimate senders as to why their emails are being blocked.
1) Go to https://admin.exchange.microsoft.com/#/transportrules
2) + Add a Rule
3) Create a new rule
4) Assign Name
5) Apply this rule if The sender is external/internal
6) Select Sender Location Outside the organization
7) To the right of The sender is external/internal press the +
8) And any attachment file extension includes these words
9) specify words or phrases "webp"
10)Do the following: block the message reject and message and include an explanation
11) specify rejection reason
12) add exceptions as you need
13) Click Next
14) Set rule mode Enforce
15)click next
16) go back to https://admin.exchange.microsoft.com/#/transportrules
17) find your rule, click on it
18) Set Enable or disable rule to Enabled
Thanks Bradley!
Block Incoming WebP Files from Teams
Still under investigation, likely serviced by blocking OneDrive/Sharepoint files.
Block Incoming WebP files from Slack
Still under investigation, Slack using vulnerable Electron version.
Dis-associate webp files from opening with a browser on Windows.
Within the Intune or GPO settings, a default file association can be assigned. This can be set to Paint.exe or another non-browser application across the estate.
This helps to break up the attack chain in case a user does get a malicious .webp file sent within an ISO or ZIP file.
This is also a recommended mitigation for malicious .ps1 and other script file types.
Dis-associate webp files from opening with a browser on macOS.
Within JAMF , a default file association can be assigned. This can be set to a non-browser application across the estate.
This helps to break up the attack chain in case a user does get a malicious .webp file sent within an ISO, DMG, or ZIP file.
Ensure PaloAlto Wildfire rule (94394) is enabled
Palo was quick to get a rule out for this CVE. If you have the benefit of Wildfire in your environment, insure that rule 94394 is enabled.
Upgrade Teams
Teams is likely one of the most vulnerable applications, second to browsers. Microsoft relies on an extremely old version of Electron 19.1.8 for even their most recent versions of the legacy Teams client. As of publishing, Microsoft is currently still pushing the “new” legacy client with a vulnerable version of Electron.
Users should be encouraged to switch to the “New” Teams client which utilizes WebView2 instead of Electron.
This can be forced in the console
Upgrade VSCode
VSCode is also running a vulnerable version of Electron prior to 1.82.2
Users should be encouraged to restart the application to receive the most recent version.
Additionally users can click Help > Check for Updates
to force an update of the application.
Upgrade OS packages for LibWebP
All libwebp packages prior to 1.3.2 should be replaced and upgraded across all major Operating Systems.
Upgrade other Electron apps as patches are released
Electron serves as a major web framework and wrapper for over 700 applications. Thanks to the work of a number of people, a running list of identified vulnerable apps with updates is available on Github
Additionally, Travis Baraki shared a great macOS detection one-liner from Tom Sellers for scanning for vulnerable Electron versions.
find /Applications -type f -name "*Electron Framework*" -exec \ sh -c "echo \"{}\" && strings \"{}\" | grep '^Chrome/[0-9.]* Electron/[0-9]' | head -n1 && echo " \;
EDR Rule for webp write-to-disk
Using you EDR tool of choice, create a detection and alert for the writing of webp files to disk. This is easily accomplished in Crowdstrike Falcon and Microsoft’s Defender for Endpoint products as shown below.
Falcon:
FileName = "*.webp"
|table ComputerName, event_simpleName, FileName, FilePath
MDE:
DeviceFileEvents |where FileName contains ".webp" and FolderPath !contains "C:\\Windows" and FolderPath !contains "c: \\Program Files"
Thanks to @Tom Webb for the correction!
Update managed file shares to prevent webp upload/download
OneDrive, Egnyte, and other managed file share applications may have the opportunity to prevent or alert on webp.
For Egnyte, the Security and Compliance settings can be configured to report on the presence of webp files.
For OneDrive, Microsoft offers this solution
Review Code Dependencies
Docker introduced a great new tool using SNYK as a backend for their container scanning on Desktop.
If you’re not using a product like PrismaCloud or Crowdstrike Horizon for cloud workload protections, this can be a great option.
HowToGeek posted a great write-up on using the new built-in scanner on DockerDesktop.
An important caveat is that SNYK only allows 10 scans a month before requiring a SNYK login.