Documented libwebp Security Vulnerability Looks to Be Part of Pegasus BLASTPASS Attack Chain

A security vulnerability that was initially documented as a Chrome bug is likely part of the attack chain employed by NSO Group’s Pegasus spyware, and has been revised as a libwebp flaw in a new CVE ID filed by Google.

Tracked as CVE-2023-4863, the issue was initially reported as a Chrome bug on September 6 (and patched by Google on September 12) before the assessment was revised on October 1. The flaw is a heap buffer overflow in libwebp, affecting Chrome prior to version 116.0.5845.187 and libwebp prior to version 1.3.2, that allows an arbitrary memory write via a malicious HTML page. libwebp, the library Chrome uses to encode and decode images in WebP format, was not cited in the original filing.

Chrome’s libwebp exploited by commercial spyware

The initial September 6 security vulnerability report was disclosed by Apple’s Security Engineering and Architecture (SEAR) and the Citizen Lab at The University of Toronto’s Munk School. Citizen Lab has been a longtime watchdog of NSO Group’s Pegasus, the commercial spyware that has raised controversy with a series of zero-click exploits in recent years (and sales to a number of different authoritarian governments that employed it for questionable purposes).

The flaw appears to be in the Huffman coding algorithm that libwebp employs for lossless compression. Introduced by Google in 2010, the WEBP file format is intended as a lower-impact replacement for the likes of GIF and JPG image files in web browsers. The format has raised some hackles as it is generally not supported by image display and editing software (such as Photoshop), causing consternation when users unwittingly download one for offline use, but also offers a robust feature set at a reduced size.

The reclassification is important as it clarifies that this security vulnerability could be exploited in other web browsers and pieces of software that support WEBP. Most of the major web browsers have now added support for libwebp along with certain apps such as Signal and 1Password. An attack could take place from nothing more than viewing a WEBP file on a malicious page in one of these apps or browsers.

Security vulnerability part of BLASTPASS attack chain

Citizen Lab’s early September report on the new Pegasus spyware appears to have prompted the initial disclosure of the security vulnerability, though libwebp had not yet been identified as a component at the time. BLASTPASS is a new zero-click method deployed by the NSO Group software that exploits iMessage and allows takeover of a target phone without the user having to interact with the malicious message in any way. That vulnerability is thought to impact all versions of iOS up to 16.6. BLASTPASS was discovered on the phones of several staffers at NGOs based in Washington DC.

This security vulnerability may be a persistent issue for some time, as browsers and apps that use libwebp may have to issue their own individual updates to prevent users from being compromised by malicious WEBP files. However, it is unclear exactly how far one can get with just this vulnerability on its own. As mentioned by security researchers, BLASTPASS relies on a chain of techniques to compromise iPhones rather than just this one. Remote code execution is at least theoretically possible, but it is also possible that a hacker wielding just this attack might be limited to denial of service attempts. It also appears that the WEBP must be in an HTML file that is maliciously crafted in a particular way; simply sending image files to targets or posting them to online platforms does not appear to be a viable approach.

At first blush, the libwebp security vulnerability at least somewhat resembles the infamous Log4J vulnerability that emerged in late 2021 in that there are potentially millions of impacted applications out there and most will need to be patched individually to address the problem.

However, it is not clear that this vulnerability is as readily exploitable. Nevertheless, users of anything that might open WEBP files should look for recent security updates that address the issue. Primarily this means nearly every major web browser, but also various office tools and messaging apps. It is also thought to impact a variety of Linux distributions and video game engines/design tools, and is known to impact the popular Electron framework (which has already been patched). CMS frameworks such as WordPress are also likely to require updating. There are no real alternate mitigation methods available other than updating to patched versions of software.

Projects will need to update to at least version 1.3.2 of libwebp to address the security vulnerability. The issue should also provide another nudge for Software Bill of Materials (SBOM) implementation to quickly comb through instances that may be scattered throughout various libraries.
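One way to act on the SBOM suggestion above, as an added example that is not part of the original article: scan a CycloneDX-style component list for libwebp entries that still sort below 1.3.2. The package-name aliases and the sample SBOM are constructed assumptions, not taken from any real product.

```python
import json
import re

# Minimum libwebp release the article names as fixing CVE-2023-4863.
FIXED_VERSION = (1, 3, 2)

# Names under which the library commonly appears in package inventories
# (assumption: a real SBOM may use other aliases; extend as needed).
LIBWEBP_NAMES = {"libwebp", "webp", "libwebp-dev", "libwebp7"}

def parse_version(text):
    """Turn '1.3.1', '1.2.4-0.2' or 'v1.3.0' into a comparable tuple of ints.
    Only the leading dotted numeric part is compared; distro suffixes are ignored."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_vulnerable(version):
    """True when the version sorts below 1.3.2 (numeric, so 1.3.10 is newer than 1.3.2)."""
    v = parse_version(version)
    # Pad short versions so (1, 3) compares like (1, 3, 0).
    v = v + (0,) * (len(FIXED_VERSION) - len(v))
    return v < FIXED_VERSION

def find_vulnerable_libwebp(sbom):
    """Walk a CycloneDX-style component list and return (name, version) of every
    libwebp entry that still needs the 1.3.2 update."""
    hits = []
    for comp in sbom.get("components", []):
        if comp.get("name", "").lower() in LIBWEBP_NAMES:
            version = comp.get("version", "")
            if version and is_vulnerable(version):
                hits.append((comp["name"], version))
    return hits

# Constructed sample SBOM (CycloneDX JSON layout, not from any real product).
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libwebp", "version": "1.3.1"},
    {"type": "library", "name": "libwebp", "version": "1.3.2"},
    {"type": "library", "name": "libwebp7", "version": "1.2.4-0.2"},
    {"type": "library", "name": "zlib", "version": "1.2.13"}
  ]
}""")

if __name__ == "__main__":
    for name, version in find_vulnerable_libwebp(SAMPLE_SBOM):
        print(f"UPDATE NEEDED: {name} {version} < 1.3.2")
```

Distribution packages often backport the fix without bumping the upstream version number, so treat a hit as a prompt to check the vendor advisory rather than as proof of exposure.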