Actively Exploited Zero Click RCE Vulnerabilities: CVE-2023-4863 and CVE-2023-5217


CVE-2023-4863 and CVE-2023-5217 are two critical zero-click remote code execution (RCE) vulnerabilities in common image rendering libraries used by all Chromium-based web browsers as well as many other popular mobile and desktop applications. Both share the same CVSS score of 8.8. More specifically, CVE-2023-4863 is a vulnerability in the libwebp library, while CVE-2023-5217 is a vulnerability in the libvpx library. Neither CVE-2023-4863 nor CVE-2023-5217 requires user interaction, and both are remote code execution (RCE) vulnerabilities that can be exploited when malicious content is supplied to any client application that uses the affected image processing libraries. In a typical attack a victim need only visit a website that includes a malicious WebP image; alternatively, these vulnerabilities may be used to target specific individuals directly via social media messages, phishing, or other social engineering techniques.

Both CVEs have been observed being actively exploited in the wild and have been added to CISA’s Known Exploited Vulnerabilities Catalog. CVE-2023-4863 was first discovered and reported by Citizen Lab on September 9th, 2023. Dubbed BLASTPASS, the flaw was found to be actively used to infect devices with NSO Group’s infamous Pegasus spyware. Active exploitation greatly increases the risk associated with these vulnerabilities, and updating all impacted software should be given the highest priority.

Scope Of Impact

The scope of impact for CVE-2023-4863 and CVE-2023-5217 includes any applications or other resources that rely on libwebp (for the WebP image format) or libvpx (for the VP8/VP9 video codecs used by the WebM format). Both CVEs are client-side vulnerabilities, meaning that the end user of an affected application is at risk of being exploited when that application processes attacker-supplied content (such as a malicious website). The use of the WebP and WebM formats is not unique to Chrome, or even to web browsers, but extends to many other applications across all major OS platforms, including Windows, macOS, and Linux, so the use of libwebp and libvpx is widespread throughout the digital media ecosystem.

Examples of technologies that are confirmed to be impacted include:

A Complete Attack Trajectory and Associated ATT&CK TTP

These two vulnerabilities have all the prerequisites to be classified as high severity. They are considered “zero-click”, meaning that an attacker does not need to use sophisticated social engineering techniques to exploit them. These flaws can be exploited when a victim simply visits a website that hosts a malicious WebP resource, making a watering hole attack a very viable infection path. However, individuals may also be targeted with social engineering lures enticing them to open malicious links or files.

MITRE ATT&CK TTP of the exploit chain are:

  • Drive-By Compromise [T1189]: Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. Unlike Exploit Public-Facing Application [T1190], the focus of this technique is to exploit software on a client endpoint upon visiting a website.
  • Shared Modules [T1129]: Adversaries may execute malicious payloads via loading shared modules.
  • Exploitation for Client Execution [T1203]: Adversaries may exploit software vulnerabilities in client applications to execute code.
  • Command and Control [TA0011]: Attackers control a system within a victim network to remotely execute arbitrary commands, import additional malware tools, and avoid detection.

MITRE Common Weakness Enumeration (CWE) references include:

  • Out-of-bounds Write [CWE-787]: Writing data past the end, or before the beginning, of the intended memory buffer.
  • Stack-based Buffer Overflow [CWE-121]: A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack.
  • Heap-based Buffer Overflow [CWE-122]: A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory.

After initial infection, the attack trajectory depends on the nature of the attacker-supplied code that is executed. Initially, attackers will leverage the run-time permission context of the exploited application to download and install a second-stage malware payload with more advanced capabilities and to establish remote command and control (C2). If the attacker successfully gains C2, they will seek to establish persistence, meaning their malware will be loaded every time the infected system reboots, and attempt to escalate privileges, enumerate the local network, move laterally to higher-value targets, and act on objectives.

The final-stage objectives also depend heavily on the particular goals of the threat actor but typically may include stealing sensitive data [TA0010] such as account credentials [TA0006] to be cracked offline [T1110.002] and subsequently used for account takeover, importing and executing ransomware [T1486] and demanding payment for a decryptor, or installing a rootkit [T1014] to maintain persistent [TA0003] and covert spyware.

What is VP8 encoding?

VP8 is a video codec developed as an open and royalty-free alternative to proprietary codecs like H.264. The Internet Engineering Task Force (IETF) published the VP8 Data Format and Decoding Guide as RFC 6386 in November 2011. The codec itself was developed by On2 Technologies. Google acquired On2 Technologies in February 2010 and later open-sourced VP8 as part of the WebM project. The VP8 video codec is widely used for web video, real-time communication (WebRTC), and various other applications. The libvpx library is a cross-platform, open-source software library that provides an implementation of the VP8 and VP9 video codecs.
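As an added example (not code from the original post or from the libwebp/libvpx projects), the following Python parser walks a WebP container and the VP8 keyframe header defined in RFC 6386, rejecting any declared length that overruns the data actually present; these are the bounds checks whose absence produces the out-of-bounds write class (CWE-787) listed above. The sample file is constructed inline and is not a decodable image, and the function and constant names are this example's own.

```python
import struct

VP8_START_CODE = b"\x9d\x01\x2a"  # keyframe start code, RFC 6386 section 9.1

def parse_webp_chunks(data: bytes) -> list:
    """Walk the RIFF/WEBP container, checking every declared size against the
    buffer before use (the bounds discipline that prevents CWE-787 writes)."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a WebP file")
    if (end := struct.unpack_from("<I", data, 4)[0] + 8) > len(data):  # RIFF size omits first 8 bytes
        raise ValueError("RIFF size exceeds file size")
    chunks, pos = [], 12
    while pos + 8 <= end:
        fourcc, size = data[pos:pos + 4], struct.unpack_from("<I", data, pos + 4)[0]
        if pos + 8 + size > end:
            raise ValueError(f"chunk {fourcc!r} size exceeds container")
        chunks.append((fourcc, data[pos + 8:pos + 8 + size]))
        pos += 8 + size + (size & 1)  # payloads are padded to an even length
    return chunks

def parse_vp8_keyframe_header(payload: bytes) -> dict:
    """Parse the 10-byte VP8 keyframe header: frame tag, start code, dimensions."""
    if len(payload) < 10:
        raise ValueError("VP8 payload too short for a keyframe header")
    tag = payload[0] | (payload[1] << 8) | (payload[2] << 16)  # 24-bit little-endian
    if tag & 1 or payload[3:6] != VP8_START_CODE:  # bit 0 set means interframe
        raise ValueError("not a VP8 keyframe")
    first_part_size = tag >> 5  # bytes in the first (mode/motion-vector) partition
    if 10 + first_part_size > len(payload):
        raise ValueError("first partition size exceeds chunk payload")
    w, h = struct.unpack_from("<HH", payload, 6)  # low 14 bits are pixel dimensions
    return {"first_part_size": first_part_size, "width": w & 0x3FFF, "height": h & 0x3FFF}

def inspect_webp(data: bytes) -> dict:
    """Return the lossy VP8 keyframe header, or the reason the file was rejected."""
    try:
        for fourcc, payload in parse_webp_chunks(data):
            if fourcc == b"VP8 ":
                return {"ok": True, **parse_vp8_keyframe_header(payload)}
        return {"ok": False, "error": "no VP8 chunk"}
    except ValueError as err:
        return {"ok": False, "error": str(err)}

def build_sample_webp(first_part_size: int = 4) -> bytes:
    """Constructed sample, not a decodable image: 16x8 VP8 keyframe header + 4 filler bytes."""
    tag = (first_part_size << 5) | (1 << 4)  # keyframe, version 0, show_frame 1; > 4 overruns filler
    vp8 = bytes([tag & 0xFF, (tag >> 8) & 0xFF, (tag >> 16) & 0xFF])
    vp8 += VP8_START_CODE + struct.pack("<HH", 16, 8) + b"\x00" * 4
    chunk = b"VP8 " + struct.pack("<I", len(vp8)) + vp8
    return b"RIFF" + struct.pack("<I", 4 + len(chunk)) + b"WEBP" + chunk
```

Passing `build_sample_webp(first_part_size=500)` or a truncated file to `inspect_webp` shows the parser refusing a header whose declared sizes do not fit the bytes it was given, which is the check a triage tool wants before handing a file to a decoder.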

Summary

CVE-2023-4863 and CVE-2023-5217 are actively exploited client-side, zero-click, remote code execution (RCE) vulnerabilities in widely used image rendering libraries. Rated with CVSS 8.8 critical severity, they impact all Chromium-based web browsers and numerous desktop and mobile applications. As of October 27th, 2023, security updates are at various stages of preparation.

CVE-2023-4863 resides in the libwebp library, while CVE-2023-5217 is linked to libvpx; both allow attackers to achieve zero-click RCE by supplying malicious WebM-formatted video or WebP-formatted image content to a vulnerable application on a victim’s device.

Victims may encounter these threats by visiting compromised websites or opening other malicious content such as images or videos. Security teams should assess their organization’s degree of exposure to CVE-2023-4863 and CVE-2023-5217 and apply updates as soon as they become available.