It's been a few months since last year's #libwebp 0day (#CVE_2023_4863) came out, and I'm curious about whether the alarm has ratcheted down. It kinda seemed like this was potentially a pretty bad vuln if you're a political dissident using Electron apps to organize against oppressive governments, but probably not a super dangerous situation for most corporate networks (with basically no chance of broad automated exploitation). But as I think @TomSellers pointed out early on, the tail of apps that use the vulnerable library was always going to be long, and that usually means it's hard to track just how many are/were exploitable out of the box, and that it could be years before high-impact (remote) attack vectors are identified and fixed.

This is a fantastic overview: https://blog.isosceles.com/the-webp-0day/

The WebP 0day

Early last week, Google released a new stable update for Chrome. The update included a single security fix that was reported by Apple's Security Engineering and Architecture (SEAR) team. The issue, CVE-2023-4863, was a heap buffer overflow in the WebP image library, and it had a familiar warning attached: "Google

Looks like Microsoft has released patches against CVE-2023-4863 and CVE-2023-5217 vulnerabilities for Microsoft Edge, Teams and Skype. The patches revolve around the vulnerable libvpx & libwebp open source libraries used by these products. Update now!

https://www.bleepingcomputer.com/news/microsoft/microsoft-edge-teams-get-fixes-for-zero-days-in-open-source-libraries/

#infosec #cybersecurity #Microsoft #Edge #Skype #MSTeams #patchnow #CVE_2023_4863 #CVE_2023_5217
Microsoft Edge, Teams get fixes for zero-days in open-source libraries

Microsoft released emergency security updates for Edge, Teams, and Skype to patch two zero-day vulnerabilities in open-source libraries used by the three products.

IT IS DONE.

The new Electron App Tracker is now tracking #CVE_2023_4863 and #CVE_2023_5217, and has the capability to track future vulnerabilities.

The code deeply scrapes repositories looking for package.json files, and we've already picked up some new patches!

Get the data here, in both CSV and JSON format for your convenience.
https://github.com/mttaggart/electron-app-tracker
GitHub - mttaggart/electron-app-tracker

Microsoft says they've patched #Teams, among others, for #CVE_2023_4863 and #CVE_2023_5217, but that doesn't track with their published Update History. Or at least, it's unclear how the patch was applied. I guess not with a patched Electron version!
Microsoft’s Response to Open-Source Vulnerabilities - CVE-2023-4863 and CVE-2023-5217 | MSRC Blog | Microsoft Security Response Center

Working on an update to the #CVE_2023_4863 tracker that

- Searches repo subdirs for package.json
- Automatically updates the CSV list
- Dates access for clarity
- Tracks #CVE_2023_5217 as well
- Creates both CSV and JSON

It's time to hold Electron apps accountable. The architecture of this will allow it to track further CVEs as appropriate.

Warning to #kiwibrowser users: You *may* be vulnerable to #CVE_2023_4863

Source: https://github.com/kiwibrowser/src.next/issues/989

CVE-2023-4863 · Issue #989 · kiwibrowser/src.next

Per CVE-2023-4863 , "Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page." Is Kiwi Brows...

I've updated the #CVE_2023_4863 Google Sheet to allow anyone to comment (gulp). That way, if you know of a version that is missing or has changed, you can take action!

https://docs.google.com/spreadsheets/d/1QLLFYCO0FMAu1ob6mnYCapW8dnx-HXunbf_zc9QLXlM/edit#gid=1774064991

Comments are of course also enabled on the Gist version:

https://gist.github.com/mttaggart/02ed50c03c8283f4c343c3032dd2e7ec
CVE-2023-4863 Tracker - Google Drive

So Discord is having a meltdown this morning.

In addition to earlier API trubz, now it appears that desktop clients are showing "blocked" by Cloudflare.

Updated desktop Electron app and Chromium browsers don't appear to work, but Firefox does.

Is this a weird #CVE_2023_4863 mitigation attempt?

Okay, a continually-updated list of Electron apps and their Electron versions, and whether they're vulnerable to #CVE_2023_5129, aka #CVE_2023_4863.

https://docs.google.com/spreadsheets/d/1QLLFYCO0FMAu1ob6mnYCapW8dnx-HXunbf_zc9QLXlM/edit?usp=sharing


And for those of you who refuse to click on Google links:
https://gist.github.com/mttaggart/02ed50c03c8283f4c343c3032dd2e7ec
CVE-2023-5129 Tracker - Google Drive

For those tracking CVE-2023-5129 / CVE-2023-4863, aka the #Libwebp fiasco, here's how to validate if your Electron app is vulnerable.

The patched version of Electron is v26.2.1. To confirm what version of Electron your app is using, you need to run strings against the executable. The version is in the app's User-Agent, so:

strings app.exe | grep "Electron/"

will do the trick. The attached image shows this method for Teams, which tracks with their published version listings.

I'd love it if folks who try this with updated apps post their results as replies here, so we can collect this #ThreatIntel.

Edited to add that backports also are patched: 22.3.24, 24.8.3, and 25.8.1.

#CVE_2023_4863 #InfoSec #CyberSecurity

Electron Releases
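The two checks described in this thread (the tracker's package.json scraping, and the `strings app.exe | grep "Electron/"` method above) both boil down to extracting an Electron version and comparing it against the fixed releases the thread names: 26.2.1 and the backports 22.3.24, 24.8.3 and 25.8.1. The script below is an added example, not code from the thread or from the mttaggart/electron-app-tracker project, that does both extractions and the comparison. Two things in it are assumptions rather than statements from the thread: that release lines newer than 26 shipped after the fix, and that lines with no listed backport (23, and anything older than 22) never received one. The sample binary bytes and package.json are constructed for the example.

```python
"""Added example: classify an Electron version against the CVE-2023-4863 fixed releases.

The version can come from an app executable (the User-Agent fragment that
`strings app.exe | grep "Electron/"` finds) or from a package.json 'electron'
dependency (the tracker's approach). Not the thread's or the tracker's own code.
"""
import json
import re
import sys
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in the thread: 26.2.1 plus backports 22.3.24, 24.8.3, 25.8.1.
FIXED_BY_MAJOR = {22: (22, 3, 24), 24: (24, 8, 3), 25: (25, 8, 1), 26: (26, 2, 1)}

# Assumptions (not stated in the thread): lines newer than 26 were cut after the fix,
# and lines with no listed backport (23, and older than 22) never received one.
NEWEST_FIXED_MAJOR = 26


def parse_version(text: str) -> Version:
    """Accept '26.2.1', 'v26.2.1' or a range spec such as '^25.3.0' (its floor)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def is_patched(version: Version) -> bool:
    """True when the version is at or above the fixed release of its line."""
    major = version[0]
    if major > NEWEST_FIXED_MAJOR:
        return True
    fixed = FIXED_BY_MAJOR.get(major)
    return fixed is not None and version >= fixed


def version_from_binary(data: bytes) -> Optional[str]:
    """Same idea as `strings app.exe | grep "Electron/"`: the version sits in the
    User-Agent fragment compiled into the executable."""
    m = re.search(rb"Electron/(\d+\.\d+\.\d+)", data)
    return m.group(1).decode("ascii") if m else None


def version_from_package_json(text: str) -> Optional[str]:
    """The tracker's approach: read the 'electron' dependency spec from package.json."""
    pkg = json.loads(text)
    for section in ("devDependencies", "dependencies"):
        spec = pkg.get(section, {}).get("electron")
        if spec:
            return spec
    return None


def classify(spec: Optional[str]) -> str:
    """'patched', 'vulnerable', or 'unknown' when no x.y.z version can be read."""
    if spec is None:
        return "unknown"
    try:
        version = parse_version(spec)
    except ValueError:  # e.g. "latest" or a dist tag
        return "unknown"
    return "patched" if is_patched(version) else "vulnerable"


# Constructed samples: a few bytes standing in for an Electron executable,
# and a package.json pinning a 25.x release below the 25.8.1 backport.
SAMPLE_BINARY = (b"\x00\x00Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
                 b"Chrome/116.0.0.0 Electron/26.2.1 Safari/537.36\x00")
SAMPLE_PACKAGE_JSON = '{"name": "demo", "devDependencies": {"electron": "^25.3.0"}}'


def main(argv):
    """Usage: script.py <app binary or package.json>; no argument runs the samples."""
    if len(argv) == 2 and argv[1].endswith("package.json"):
        with open(argv[1], encoding="utf-8") as f:
            spec = version_from_package_json(f.read())
    elif len(argv) == 2:
        with open(argv[1], "rb") as f:
            spec = version_from_binary(f.read())
    else:
        pkg_spec = version_from_package_json(SAMPLE_PACKAGE_JSON)
        print("package.json sample:", pkg_spec, classify(pkg_spec))
        spec = version_from_binary(SAMPLE_BINARY)
    print("binary:", spec, classify(spec))


if __name__ == "__main__":
    main(sys.argv)
```

A caret or tilde range in package.json is judged by its floor, so `^25.3.0` reads as vulnerable even though `npm install` might resolve it to 25.8.1; that is deliberately conservative, and the lockfile or the shipped binary is the authority when the two disagree. The binary check only works where the User-Agent string is present unobfuscated in the executable, as it was for the Teams build the thread mentions.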