
LibWebP (CVE-2023-4863)

Here is a non-exhaustive list of possible mitigations to prevent exploitation of CVE-2023-4863 in the libwebp library. The bug is a heap buffer overflow in libwebp's lossless (VP8L) decoder, and because the library is bundled so widely it is reachable across all operating systems, most browsers, and an exceptional number of Electron framework applications.

This CVE is now rated 10.0 after initially being rated 8.8. Google's original disclosure described it as a Chrome bug, and the first score reflected that. After investigation it was discovered that every instance of the libwebp library is vulnerable across all platforms (Google briefly issued a separate CVE-2023-5129 with a 10.0 score against libwebp itself before it was folded back into CVE-2023-4863).

A related CVE (CVE-2023-5217), a heap buffer overflow in VP8 encoding in libvpx (a sister library to libwebp), is pending analysis.

As working proofs of concept are publicly available, and both Google and Apple acknowledge that threat actors and spyware vendors are exploiting the vulnerability in the wild, it is essential that you begin reviewing and patching all business-critical applications.

Patch Browsers, All of them

All major and minor browsers across all operating systems are affected. As the web is the most likely attack vector for the majority of users, this is the first and primary prevention/remediation task.

All downstream projects of the major browsers, including Chromium- and Firefox-based builds such as Brave, Opera, and IceWeasel, and their mobile versions, should be patched across all operating systems.

Browsers should be one of the following versions or greater.

Configure NIDS/NIPS to strip WebP attachments

Using your network intrusion detection/prevention system, you may be able to strip WebP attachments from mail and web traffic as a temporary measure. This reduces the exposure of users within your control to watering-hole and malvertising attacks. Note that for HTTPS traffic this only works where the device terminates TLS, and that matching on the .webp extension or the image/webp content type misses renamed files; the RIFF/WEBP file header is the reliable indicator.
This is a heavy-handed approach but may serve as a significant stop-gap until appropriate patching can occur. As always, assess the impact to your business before proceeding.

Block Incoming WebP files from Email

Using your email protection service, block or remove incoming attachments in the WebP format. Extension-based rules miss renamed files and WebP images inside archives, so treat this as a reduction in exposure rather than a guarantee.

To assess the impact to the business, a sample query for Microsoft’s Advanced Hunting product is provided below.
EmailAttachmentInfo
| where FileName contains ".webp"
| summarize Attachments = count() by SenderFromAddress
| order by Attachments desc

A simple Exchange mail flow rule can be enabled to prevent these messages from arriving in users' mailboxes. Mail flow rules are preferable to silent filtering because they can tell legitimate senders why their emails are being blocked.

1) Go to https://admin.exchange.microsoft.com/#/transportrules
2) Click + Add a rule
3) Create a new rule
4) Assign a name
5) Apply this rule if: The sender is external/internal
6) Select sender location: Outside the organization
7) To the right of "The sender is external/internal", press the +
8) And: any attachment file extension includes these words
9) Specify words or phrases: webp
10) Do the following: Block the message > reject the message and include an explanation
11) Specify the rejection reason
12) Add exceptions as you need
13) Click Next
14) Set rule mode: Enforce
15) Click Next
16) Go back to https://admin.exchange.microsoft.com/#/transportrules
17) Find your rule and click on it
18) Set "Enable or disable rule" to Enabled
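The same rule created from PowerShell instead of the admin center, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module is installed and the account holds a role that can manage mail flow rules; the rule name, rejection text, and the partner domain in the exception are placeholders. It starts the rule in Audit mode so the impact can be measured from the message trace before anything is rejected.

```powershell
# Added example: builds the mail flow rule described in the 18 steps above
# with the ExchangeOnlineManagement module (Install-Module ExchangeOnlineManagement).
# Placeholders: rule name, rejection text, exception domain.
Connect-ExchangeOnline

$ruleName = "Block inbound .webp attachments (CVE-2023-4863)"

$params = @{
    Name                            = $ruleName
    FromScope                       = "NotInOrganization"   # steps 5-6: sender outside the org
    AttachmentExtensionMatchesWords = "webp"                # steps 8-9: extension without the dot
    RejectMessageReasonText         = "Inbound WebP images are temporarily blocked while CVE-2023-4863 is remediated. Please resend as PNG or JPEG."
    RejectMessageEnhancedStatusCode = "5.7.1"               # steps 10-11: reject with explanation
    ExceptIfSenderDomainIs          = "trusted-partner.example"   # step 12: placeholder exception
    Priority                        = 0                     # evaluate before other rules
    Mode                            = "Audit"               # measure impact first; nothing is rejected yet
    Enabled                         = $true
}
New-TransportRule @params

# After reviewing the audit hits in the message trace, switch to enforcement (step 14).
Set-TransportRule -Identity $ruleName -Mode Enforce

# Confirm the rule is enabled and enforcing (steps 16-18).
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, Priority, FromScope, AttachmentExtensionMatchesWords
```

The rule matches on the attachment's extension, so a renamed file is not caught; pair it with the hunting query above to see what is actually arriving.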

Thanks Bradley!

Block Incoming WebP Files from Teams

Still under investigation; likely addressed by blocking the file type in OneDrive/SharePoint, which back Teams file sharing.

Block Incoming WebP files from Slack

Still under investigation; Slack is running a vulnerable Electron version.

Dissociate .webp files from opening with a browser on Windows

Within Intune or GPO, a default file association can be assigned. This can be set to Paint (mspaint.exe) or another non-browser application across the estate.

This helps to break up the attack chain in case a user does get a malicious .webp file sent within an ISO or ZIP file.

This is also a recommended mitigation for malicious .ps1 and other script file types.
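An added example that is not part of the original post: PowerShell that reports what .webp (and .ps1) currently open with, then generates the DefaultAssociations XML consumed by both the GPO setting "Set a default associations configuration file" and the Intune ApplicationDefaults CSP, which takes the same XML base64-encoded. It goes slightly beyond the text by accepting several extensions at once, so the same file can remap .ps1 as the paragraph above recommends. Assumptions: the ProgId Paint.Picture is the classic mspaint image handler on your image (Windows 11's Store Paint registers a different ProgId, so the script checks that the ProgId exists before you deploy), txtfile is the Notepad handler, and the output path is a placeholder.

```powershell
# Added example. Reports current handlers and builds a DefaultAssociations XML
# for GPO / Intune. Assumptions: "Paint.Picture" (classic mspaint) and "txtfile"
# (Notepad) exist as ProgIds on this image; $outPath is a placeholder.

function Get-ExtensionHandler {
    param([Parameter(Mandatory)][string]$Extension)
    # The per-user UserChoice key wins over the HKCR default when both exist.
    $userChoice = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Extension\UserChoice"
    if (Test-Path $userChoice) { return (Get-ItemProperty -Path $userChoice).ProgId }
    $classes = "Registry::HKEY_CLASSES_ROOT\$Extension"
    if (Test-Path $classes) { return (Get-ItemProperty -Path $classes).'(default)' }
    return $null
}

function Test-ProgIdExists {
    param([Parameter(Mandatory)][string]$ProgId)
    return Test-Path "Registry::HKEY_CLASSES_ROOT\$ProgId"
}

function New-DefaultAssociationsXml {
    # One <Association> element per extension -> ProgId pair.
    param([Parameter(Mandatory)][hashtable]$Map, [string]$ApplicationName = "Managed default")
    $doc  = New-Object System.Xml.XmlDocument
    $null = $doc.AppendChild($doc.CreateXmlDeclaration("1.0", "UTF-8", $null))
    $root = $doc.AppendChild($doc.CreateElement("DefaultAssociations"))
    foreach ($ext in $Map.Keys) {
        $a = $root.AppendChild($doc.CreateElement("Association"))
        $a.SetAttribute("Identifier", $ext)
        $a.SetAttribute("ProgId", $Map[$ext])
        $a.SetAttribute("ApplicationName", $ApplicationName)
    }
    return $doc.OuterXml
}

# .webp to Paint breaks the image-in-browser path; .ps1 to Notepad breaks double-click execution.
$map = @{ ".webp" = "Paint.Picture"; ".ps1" = "txtfile" }

foreach ($ext in $map.Keys) {
    "{0,-6} currently opens with: {1}" -f $ext, (Get-ExtensionHandler -Extension $ext)
    if (-not (Test-ProgIdExists -ProgId $map[$ext])) {
        Write-Warning "ProgId $($map[$ext]) is not registered on this machine; choose another handler"
    }
}

$xmlText = New-DefaultAssociationsXml -Map $map
$outPath = "$env:TEMP\DefaultAssociations.xml"   # placeholder; GPO reads this from a UNC share
Set-Content -Path $outPath -Value $xmlText -Encoding UTF8

# Intune: paste this value into a custom OMA-URI policy at
# ./Vendor/MSFT/Policy/Config/ApplicationDefaults/DefaultAssociationsConfiguration
[Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($xmlText))

# Local test on a single elevated machine before rolling out (applied at next sign-in):
#   Dism.exe /Online /Import-DefaultAppAssociations:$outPath
```

The association file is applied at user sign-in, so verify on a pilot machine with a fresh sign-in rather than expecting an immediate change.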

Dissociate .webp files from opening with a browser on macOS

Within Jamf, a default file association can be assigned. This can be set to a non-browser application across the estate.

This helps to break up the attack chain in case a user does get a malicious .webp file sent within an ISO, DMG, or ZIP file.

Ensure Palo Alto WildFire rule (94394) is enabled

Palo Alto was quick to get a rule out for this CVE. If you have the benefit of WildFire in your environment, ensure that rule 94394 is enabled.

Upgrade Teams

Teams is likely one of the most exposed applications, second only to browsers. Microsoft's legacy (classic) Teams client relies on an extremely old Electron release, 19.1.8, even in its most recent builds. As of publishing, Microsoft is still pushing the latest legacy client with that vulnerable version of Electron.

Users should be encouraged to switch to the new Teams client, which uses WebView2 instead of Electron; the WebView2 Evergreen runtime updates on Edge's cadence rather than waiting on a Teams release.

This can be forced from the Teams admin center through the Teams update policy.
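Forcing the new client through the update policy from PowerShell, as an added example that is not part of the original post. It uses the MicrosoftTeams PowerShell module, pilots a dedicated policy on one user before changing the Global policy, and assumes the -UseNewTeamsClient value NewTeamsAsDefault documented for Set-CsTeamsUpdateManagementPolicy (check the accepted values in your tenant with Get-Help before running it); the pilot user address is a placeholder.

```powershell
# Added example: push the new Teams client via the update management policy.
# Assumptions: MicrosoftTeams module installed (Install-Module MicrosoftTeams),
# Teams administrator role, and the NewTeamsAsDefault policy value; the pilot
# user is a placeholder.
Connect-MicrosoftTeams

# Pilot: a dedicated policy granted to a handful of users first.
New-CsTeamsUpdateManagementPolicy -Identity "NewTeamsPilot" -UseNewTeamsClient NewTeamsAsDefault
Grant-CsTeamsUpdateManagementPolicy -Identity "pilot.user@example.com" -PolicyName "NewTeamsPilot"

# Tenant-wide once the pilot is clean: new Teams opens by default for everyone
# who has no more specific policy assigned.
Set-CsTeamsUpdateManagementPolicy -Identity Global -UseNewTeamsClient NewTeamsAsDefault

# Confirm what each policy now says.
Get-CsTeamsUpdateManagementPolicy | Format-Table Identity, UseNewTeamsClient
```

The policy only switches which client launches; the classic client binary stays on the endpoint until it is removed, so keep scanning for it.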

Upgrade VSCode

VS Code versions prior to 1.82.2 also run a vulnerable version of Electron.

Users should be encouraged to restart the application so it picks up the most recent version.
Additionally, users can click Help > Check for Updates to force an update of the application.

Upgrade OS packages for LibWebP

All libwebp packages prior to 1.3.2 should be upgraded across all major operating systems. Note that many applications bundle their own copy of libwebp (browsers, Electron apps, and image libraries such as Pillow and ImageMagick), so upgrading the OS package alone does not cover them.

Upgrade other Electron apps as patches are released

Electron serves as a major web framework and wrapper for over 700 applications. Thanks to the work of a number of people, a running list of identified vulnerable apps and their fixed versions is available on GitHub.

Additionally, Travis Baraki shared a great macOS detection one-liner from Tom Sellers that scans for vulnerable Electron versions. It reads the user-agent string embedded in each Electron Framework binary, so it needs strings from the Xcode Command Line Tools.

find /Applications -type f -name "*Electron Framework*" -exec sh -c 'echo "$1" && strings "$1" | grep "^Chrome/[0-9.]* Electron/[0-9]" | head -n1 && echo' sh {} \;
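A Windows counterpart to the macOS one-liner, as an added example that is not part of the original post. Electron embeds the same user-agent string (for example Chrome/116.0.5845.188 Electron/26.2.1) in the application binary, so the version can be read from disk without launching the app. Assumptions: the scan roots are the usual install locations (Program Files, Program Files (x86), and the current user's LocalAppData, where classic Teams and VS Code per-user installs live); the fixed Electron releases are the ones the Electron project announced for CVE-2023-4863 (26.2.1, 25.8.1, 24.8.3, 22.3.24), with Electron 23 and older 21-and-below lines treated as unfixed because they were out of support. Check results against the GitHub list above before acting on them.

```powershell
# Added example: scan Windows install locations for Electron binaries and
# report their Electron version against the fixed releases for CVE-2023-4863.
# Assumptions: scan roots and the fixed-version table below; verify both.

$fixedVersions = @{
    22 = [version]"22.3.24"
    24 = [version]"24.8.3"
    25 = [version]"25.8.1"
    26 = [version]"26.2.1"
}

function Test-ElectronFixed {
    param([Parameter(Mandatory)][version]$Electron)
    # Compare within the major line that received a fix; majors with no fixed
    # release (23 and anything below 22) are reported as not fixed.
    if ($fixedVersions.ContainsKey($Electron.Major)) {
        return $Electron -ge $fixedVersions[$Electron.Major]
    }
    return $Electron.Major -gt 26   # 27+ shipped after the fix landed upstream
}

function Get-ElectronVersion {
    param([Parameter(Mandatory)][string]$Path)
    # Read the binary in 4 MB chunks, keeping a 64-byte tail so a user-agent
    # string that straddles a chunk boundary is still matched.
    $pattern = [regex]'Chrome/(\d+(?:\.\d+)+) Electron/(\d+(?:\.\d+)+)'
    $fs = [IO.File]::OpenRead($Path)
    try {
        $buf  = New-Object byte[] (4MB)
        $tail = ""
        while (($n = $fs.Read($buf, 0, $buf.Length)) -gt 0) {
            $text = $tail + [Text.Encoding]::ASCII.GetString($buf, 0, $n)
            $m = $pattern.Match($text)
            if ($m.Success) {
                return [pscustomobject]@{ Chrome = $m.Groups[1].Value; Electron = [version]$m.Groups[2].Value }
            }
            $tail = $text.Substring([Math]::Max(0, $text.Length - 64))
        }
    } finally { $fs.Dispose() }
    return $null
}

$roots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:LOCALAPPDATA") |
    Where-Object { $_ -and (Test-Path $_) }

Get-ChildItem -Path $roots -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 20MB } |        # Electron binaries are large; skips most files cheaply
    ForEach-Object {
        $v = Get-ElectronVersion -Path $_.FullName
        if ($v) {
            [pscustomobject]@{
                Path     = $_.FullName
                Chrome   = $v.Chrome
                Electron = $v.Electron
                Fixed    = Test-ElectronFixed -Electron $v.Electron
            }
        }
    } | Sort-Object Fixed, Path | Format-Table -AutoSize
```

Run it per user as well as elevated: per-user installs under LocalAppData (classic Teams, Discord, user-scope VS Code) are invisible from another account's session.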

EDR Rule for webp write-to-disk

Using your EDR tool of choice, create a detection and alert for WebP files being written to disk. This is easily accomplished in CrowdStrike Falcon and Microsoft Defender for Endpoint, as shown below. Expect noise: browsers write cached WebP images constantly, so tune the query to user-writable download locations or to writes by non-browser processes before turning it into an alert.

Falcon:

FileName="*.webp"
| table ComputerName, event_simpleName, FileName, FilePath

MDE:

DeviceFileEvents
| where FileName contains ".webp"
| where FolderPath !contains @"C:\Windows" and FolderPath !contains @"C:\Program Files"

Thanks to @Tom Webb for the correction! 

Update managed file shares to prevent webp upload/download

OneDrive, Egnyte, and other managed file share services may offer the opportunity to prevent or alert on WebP files.

For Egnyte, the Security and Compliance settings can be configured to report on the presence of webp files.

For OneDrive, Microsoft offers this solution

Review Code Dependencies

Docker introduced a new container scanning tool in Docker Desktop, using Snyk as the backend.

If you're not using a product like Prisma Cloud or CrowdStrike Horizon for cloud workload protection, this can be a great option.

How-To Geek posted a great write-up on using the new built-in scanner in Docker Desktop.

An important caveat is that Snyk only allows 10 scans a month before requiring a Snyk login.


Once a week, our security team gathers everyone into a meeting and shares the last week’s worth of security related news and any new security initiatives. This one hour may be the most valuable meeting we attend and has the greatest impact on successful security outcomes. What is it? We call ours a Security Show & Tell. (You can call it whatever fun and exciting name fits your corporate culture.) Regardless of the name, the goal is to set aside an hour each week to share three kinds of security stories and our response to them. Stories that are in the news. Stories that impact our work. Stories that impact our lives. Author’s Note: There’s some helpful tips below on how to gather these stories.  Why you should do it There’s a lot of great reasons to do this, but I want to drive home a few really important ones. How many times has this happened to you? You wake up, open infosec.exchange , and begin scrolling only to find out that $Vendor has a nasty zero-day and organiza