Chromium WebP Heap-Based Buffer Overflow Critical Vulnerability - 20230918001
Overview
The WA SOC has observed a critical vulnerability in the WebP image code library (libwebp): a heap buffer overflow that allows a remote attacker to perform an out-of-bounds memory write via a crafted image, for example one embedded in a crafted HTML page. WebP is an image format developed by Google that provides both lossless and lossy compression for images on the web. Although the vulnerability was first reported against Chromium-based browsers, it affects any software that bundles or links the libwebp library, not only browsers. Web browsers that have confirmed a fix and released an update so far include Google Chrome, Mozilla Firefox, Brave, Microsoft Edge and Tor Browser.
What is the vulnerability?
CVE-2023-4863 - CVSS v3 Base Score: not assigned at time of publishing (refer to the NVD entry for the current score)
What is vulnerable?
The vulnerability affects any software that uses the libwebp library, including:
- libwebp versions before 1.3.2
- Electron-based applications, for example Signal
- Honeyview (from Bandisoft)
- Web browsers, including:
  - Google Chrome versions before 116.0.5845.187 (Mac and Linux) and before 116.0.5845.187/.188 (Windows)
  - Mozilla Firefox versions before 117.0.1 (Firefox ESR before 115.2.1 and 102.15.1)
  - Microsoft Edge (Chromium-based) versions before 116.0.1938.81
Other software that statically bundles libwebp (image viewers, messaging clients, other Electron applications) is also affected until its vendor ships a rebuilt release; check vendor advisories for products not listed here.
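To make these version thresholds actionable, the following added Python script (not part of the original advisory) checks a simple software inventory against them and separates hosts that are below the fixed version from products the advisory does not cover. The Google Chrome and Mozilla Firefox release thresholds match the advisory; the Microsoft Edge (116.0.1938.81), Firefox ESR (115.2.1 and 102.15.1) and libwebp (1.3.2) values are taken from the vendor advisories and should be confirmed against the linked Microsoft, Mozilla and libwebp pages. The inventory lines and host names are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Minimum fixed versions, keyed by lower-case product name. Chrome and Firefox
# values are from the advisory text; Edge, Firefox ESR and libwebp values are
# taken from the vendor advisories (confirm before relying on them).
FIXED_VERSIONS: Dict[str, str] = {
    "google chrome": "116.0.5845.187",
    "mozilla firefox": "117.0.1",
    "microsoft edge": "116.0.1938.81",
    "libwebp": "1.3.2",
}

# Firefox ESR branches carry their own fixed versions, keyed by major version.
FIREFOX_ESR_FIXED: Dict[int, str] = {115: "115.2.1", 102: "102.15.1"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '116.0.5845.187' (or '115.2.1esr') into a comparable integer tuple."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def fixed_version_for(product: str, version: str) -> Optional[str]:
    """Return the fixed version that applies to this product/branch, or None if unknown."""
    key = product.strip().lower()
    if key == "mozilla firefox" and "esr" in version.lower():
        return FIREFOX_ESR_FIXED.get(parse_version(version)[0])
    return FIXED_VERSIONS.get(key)


def is_vulnerable(product: str, version: str) -> Optional[bool]:
    """True if the installed version is below the fixed version, False if at or
    above it, None if the product (or ESR branch) is not covered by the table."""
    fixed = fixed_version_for(product, version)
    if fixed is None:
        return None
    # Tuple comparison: a shorter tuple sorts first, so 117.0 < 117.0.1 as intended.
    return parse_version(version) < parse_version(fixed)


def scan_inventory(lines: List[str]) -> Tuple[List[Tuple[str, str, str]], List[Tuple[str, str, str]]]:
    """Split inventory lines ('host,product,version') into (vulnerable, unknown).
    Unknown entries are products the table cannot judge and need manual review,
    since they may still bundle libwebp. Blank lines and '#' comments are skipped."""
    vulnerable, unknown = [], []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, product, version = (field.strip() for field in line.split(",", 2))
        verdict = is_vulnerable(product, version)
        if verdict is None:
            unknown.append((host, product, version))
        elif verdict:
            vulnerable.append((host, product, version))
    return vulnerable, unknown


# Constructed sample inventory (hosts and versions invented for this example).
SAMPLE_INVENTORY = """
# host,product,version
ws-001,Google Chrome,116.0.5845.180
ws-002,Google Chrome,116.0.5845.188
ws-003,Mozilla Firefox,117.0
ws-004,Mozilla Firefox,115.2.1esr
ws-005,Microsoft Edge,116.0.1938.69
srv-01,libwebp,1.3.1
srv-02,ImageMagick,7.1.1
""".splitlines()

if __name__ == "__main__":
    needs_patch, needs_review = scan_inventory(SAMPLE_INVENTORY)
    for host, product, version in needs_patch:
        print(f"{host}: {product} {version} is below the fixed version")
    for host, product, version in needs_review:
        print(f"{host}: {product} {version} not in table, check vendor advisory")
```

Products that statically bundle libwebp (Electron applications, image viewers such as Honeyview) do not appear under the library's own name in an inventory, which is why the script reports anything it cannot match as needing review rather than silently passing it.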
What has been observed?
CISA added this vulnerability to its Known Exploited Vulnerabilities catalog on September 13 2023. There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.
Recommendation
The WA SOC recommends administrators apply the fixes as per vendor instructions to all affected devices within the expected timeframe of one month (refer to Patch Management):
- Libwebp fix
- Electron
- Honeyview
- Chromium Security
- Mozilla Security Advisory
- Microsoft Security Update