Analysts said Wednesday that security teams should prioritize remediating the vulnerability involving a heap buffer overflow in the libwebp (WebP) library that Google identified on Monday.
The vulnerability — CVE-2023-5129 — was given a critical 10.0 CVSS score by Google and a high-severity 8.8 score by NIST.
While the reason for the score discrepancy was not immediately clear, security pros said the heap overflow could lead to out-of-bounds memory writes, allowing attackers to execute arbitrary code by way of maliciously crafted HTML pages.
“This vulnerability had the potential to impact a broad range of major browsers and applications, which could also contribute to its maximum severity rating by Google,” said Callie Guenther, senior manager, cyber threat research at Critical Start. “Additionally, it was reported to be actively exploited in the wild, further justifying a high CVSS score. As for the discrepancy in the scores, the perspectives of the two entities could vary, with Google viewing the vulnerability through the lens of an affected vendor, and NIST acting as a third-party evaluator.”
WebP is a modern image format that delivers superior lossless and lossy compression for images on the web. Using WebP, webmasters and web developers can create smaller, richer images that make the web faster.
Link between WebP vulnerability, Pegasus spyware speculative for now
News of this week’s development with WebP comes after Apple, Google, and Mozilla released fixes to contain a bug — tracked separately as CVE-2023-41064 and CVE-2023-4863 — that could cause arbitrary code execution when processing specially crafted images.
Citizen Lab has reported that CVE-2023-41064 could have been chained with CVE-2023-41061 as part of a zero-click iMessage exploit chain named BLASTPASS that deployed the Pegasus spyware.
Critical Start’s Guenther pointed out that while all these indicators and reports can offer context and suggest a possible connection, conclusive attribution in cybersecurity is challenging and typically requires in-depth analysis and corroborating evidence. Therefore, until further investigation and concrete evidence are presented, Guenther said any connection between this new vulnerability and Pegasus remains speculative.
“Regardless of origin, once a vulnerability is publicly known like this one, then we're on borrowed time until payload generators are easier to find,” said Melissa Bischoping, director, endpoint security research at Tanium.
Bischoping added that some proof-of-concept code already exists, although it isn't weaponized. But even if security teams are not concerned about the threat group reported to be leveraging the vulnerability, they should prioritize identification and remediation planning, because other groups can adopt and weaponize vulnerabilities like this quickly.
“The nature of modern software is that many unique products may use shared, third-party libraries in their final product,” explained Bischoping. “This in turn means that a vulnerability in a third-party library is different — and more concerning — than a vulnerability in code only used in the final product itself. There needs to be some level of responsible disclosure and coordination when vulnerabilities are discovered within those shared libraries, as it could impact thousands of applications, rather than just one or two.”
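Bischoping's point about shared third-party libraries is, in practice, an inventory problem: a defender has to find every product that bundles its own copy of libwebp and compare that copy against the version the relevant vendor advisory names as fixed. The following Python is an added example written for this article, not code from the article or from any of the companies quoted in it. The inventory line format, the product names and the threshold version "1.9.0" used in the usage call are constructed for illustration; the real fixed version must come from your vendor's advisory. The example shows the two traps such a triage script most often falls into: comparing versions as strings (which ranks "1.10.0" below "1.9.0") and silently passing entries whose bundled version is unknown.

```python
"""Triage a software inventory for bundled copies of a vulnerable shared library.

Added example, not code from the article or from any vendor quoted in it.
The inventory format, product names and the fixed-version threshold used in
the usage section are constructed; substitute your vendor advisory's values.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    product: str
    product_version: str
    libwebp_version: str
    status: str  # "vulnerable", "fixed" or "review" (manual follow-up needed)


# Numeric dotted version with an optional pre-release/build suffix, e.g. 1.9.0-rc1
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-+]([0-9A-Za-z.]+))?$")


def version_key(text):
    """Return a sortable key for a version string, or None if it cannot be parsed.

    Components compare numerically (1.3.10 > 1.3.2), trailing zeros are
    ignored (1.9 == 1.9.0), and a pre-release suffix such as 1.9.0-rc1 sorts
    before the final 1.9.0 release, so an rc build is still treated as unfixed.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    nums = [int(p) for p in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    is_final = 0 if m.group(2) else 1
    return (tuple(nums), is_final)


def triage(inventory_text, fixed_version):
    """Classify each inventory line against the fixed libwebp version.

    Each non-comment line is "<product> <product_version> libwebp=<version>"
    (a constructed format for this example). Unparseable library versions are
    returned as "review" rather than being passed as safe.
    """
    fixed_key = version_key(fixed_version)
    if fixed_key is None:
        raise ValueError(f"unparseable fixed version: {fixed_version!r}")
    findings = []
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        product, product_version, lib_field = line.split()
        lib_version = lib_field.split("=", 1)[1]
        key = version_key(lib_version)
        if key is None:
            status = "review"
        elif key < fixed_key:
            status = "vulnerable"
        else:
            status = "fixed"
        findings.append(Finding(product, product_version, lib_version, status))
    # Vulnerable entries first so the remediation list sits at the top of the report.
    order = {"vulnerable": 0, "review": 1, "fixed": 2}
    return sorted(findings, key=lambda f: (order[f.status], f.product))


# Constructed sample inventory; product names and versions are illustrative only.
SAMPLE_INVENTORY = """\
# product  product_version  bundled libwebp
browser-a        117.0  libwebp=1.2.4
chat-client      5.40   libwebp=1.9.0-rc1
image-viewer     2.8    libwebp=1.10.0
office-suite     7.5    libwebp=unknown
static-site-tool 0.9    libwebp=1.9
"""

if __name__ == "__main__":
    # "1.9.0" is a constructed threshold for the demo, not an advisory value.
    for finding in triage(SAMPLE_INVENTORY, "1.9.0"):
        print(f"{finding.status:<10} {finding.product:<18} "
              f"libwebp {finding.libwebp_version}")
```

With the constructed threshold, the report flags browser-a (older release) and chat-client (release-candidate build of the fixed version) as vulnerable, sends office-suite to manual review because its bundled version is unknown, and clears image-viewer even though a string comparison would have ranked "1.10.0" below "1.9.0".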