On 7 September 2023, Apple released emergency security updates to fix a buffer overflow vulnerability (CVE-2023-41064) impacting macOS, iOS, iPadOS, and watchOS products that was used in a zero-click exploitation chain by the NSO Group. Shortly after, on 11 September 2023, Google released an update to fix a buffer overflow vulnerability (CVE-2023-4863) in Google Chrome, which was reported by Apple’s Security Engineering and Architecture (SEAR) and Citizen Lab. Both vulnerabilities were nearly identical and listed as actively exploited, leading to confusion across the security community.
On 25 September 2023, after researchers discovered that the vulnerability impacted more than just the Google Chrome browser, a new CVE (CVE-2023-5129) and severity rating (CVSS 10 – Critical) were assigned to the vulnerability. Two days later, CVE-2023-5129 was rejected by the CVE Numbering Authority, which deemed it a duplicate of CVE-2023-4863. CVE-2023-4863's scope was changed to reflect the downstream impact of the libwebp vulnerability. According to the updated CVE scope, in addition to Google Chrome, the vulnerability affects all versions of libwebp prior to 1.3.2.
Beyond macOS, iOS, iPadOS, watchOS, and Google Chrome, the vulnerabilities cited here affect every application using a vulnerable version of the open source libwebp library, which encodes and decodes images in the WebP format. Major Linux distros, including Debian, Ubuntu, SUSE, and Red Hat, have released security fixes for the libwebp and chromium packages.
With a specially crafted WebP image file, threat actors could write data out of bounds of the heap, causing a Denial of Service (DoS) condition or arbitrary code execution, without user interaction.
According to Citizen Lab, CVE-2023-41064 was used by the NSO Group to compromise iPhones without user interaction since at least early September 2023. In a security bulletin published on 8 September 2023, we detailed the zero-click exploitation chain (BLASTPASS) for the Apple vulnerability. Although limited details have been made available about exploitation of this vulnerability, it is important to update all products that leverage the library, as additional exploitation scenarios could be possible.
We have not identified a public proof of concept (PoC) exploit that allows for code execution; however, we have identified a PoC exploit for a DoS condition. Threat actors could leverage the DoS PoC exploit as a starting point to develop a PoC exploit that leads to arbitrary code execution.
Recommendations for CVE-2023-4863
Closely Monitor Software Vendor Patch Advisories Related to CVE-2023-4863
The vulnerability has been patched in the latest version of libwebp; however, the security patch is not automatically applied to software products that bundle their own copy of the library, such as Electron-based applications and Chromium-based browsers. Remediating CVE-2023-4863 in third-party software products is only possible by applying the official security updates from vendors as they patch their products.
We strongly recommend monitoring software vendor advisories for security updates that remediate CVE-2023-4863 in your environment and applying the security updates promptly.
Upgrade Apple Products to Fixed Version
Arctic Wolf strongly recommends upgrading macOS to macOS Ventura 13.5.2. The update can be performed on an Apple Mac device by going to System Settings > Software Update.
Arctic Wolf also recommends ensuring that iPhone and iPad devices with company data are updated with their respective updates to iOS 16.6.1 and iPadOS 16.6.1 by going to Settings > General > Software Update.
Note: Citizen Lab urges all at-risk users to enable Lockdown Mode; Apple's Security Engineering and Architecture team has confirmed that Lockdown Mode blocks this particular attack.
Please follow your organisation's patching and testing guidelines to avoid operational impact.
Update Google Chrome to the Latest Stable Update
Arctic Wolf strongly recommends updating Google Chrome to the latest stable update: 116.0.5845.187 for Mac and Linux, and 116.0.5845.187/.188 for Windows.
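Because the libwebp fix only reaches Electron and Chromium-based products through each vendor's own release, and because Linux distros may ship the fix as a backport under an older upstream version number, a version-based inventory check needs to handle both cases. The following script is an added example for this bulletin and is not Arctic Wolf tooling. It compares inventory entries against the fixed versions named above (libwebp 1.3.2; Chrome 116.0.5845.187 on Mac and Linux, 116.0.5845.187/.188 on Windows) and flags distro-packaged libwebp builds with a packaging suffix as "check the distro advisory" rather than calling them vulnerable outright. The inventory rows, host names and platform keys are constructed sample data.

```python
"""Added example (not Arctic Wolf's or any vendor's code): triage a software
inventory for CVE-2023-4863 by comparing libwebp and Google Chrome versions
against the fixed versions named in the bulletin."""
import re
from typing import List, Tuple

# Fixed versions from the bulletin: libwebp 1.3.2; Chrome 116.0.5845.187
# on Mac/Linux and 116.0.5845.187/.188 on Windows (both Windows builds fix it,
# so .187 is the lowest fixed build on every platform).
LIBWEBP_FIXED = (1, 3, 2)
CHROME_FIXED = {
    "mac": (116, 0, 5845, 187),
    "linux": (116, 0, 5845, 187),
    "windows": (116, 0, 5845, 187),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the leading dotted numeric version, ignoring packaging suffixes
    such as '-1ubuntu0.1' or '+deb12u1' that distros append."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_older(found: Tuple[int, ...], fixed: Tuple[int, ...]) -> bool:
    """Compare field by field; missing trailing fields count as zero so that
    1.3.2 and 1.3.2.0 are treated as the same version."""
    width = max(len(found), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(found) < pad(fixed)


def libwebp_status(version: str) -> str:
    """'fixed', 'vulnerable', or 'check-distro-advisory'.

    A distro packaging suffix (e.g. '1.2.4-0.2+deb12u1') means the vendor may
    have backported the fix without bumping the upstream version, so the
    number alone is inconclusive and the distro advisory is authoritative."""
    if not is_older(parse_version(version), LIBWEBP_FIXED):
        return "fixed"
    if re.search(r"\d[-+~]", version):
        return "check-distro-advisory"
    return "vulnerable"


def chrome_status(version: str, platform: str) -> str:
    """'fixed' or 'vulnerable' for a Chrome build on the given platform key."""
    fixed = CHROME_FIXED[platform.lower()]
    return "vulnerable" if is_older(parse_version(version), fixed) else "fixed"


# Constructed sample inventory: (host, component, version, platform).
INVENTORY = [
    ("ws-01", "libwebp", "1.3.1", "linux"),
    ("ws-02", "libwebp", "1.3.2-1", "linux"),
    ("ws-03", "libwebp", "1.2.4-0.2+deb12u1", "linux"),
    ("ws-04", "chrome", "116.0.5845.180", "windows"),
    ("ws-05", "chrome", "116.0.5845.188", "windows"),
    ("ws-06", "chrome", "117.0.5938.62", "mac"),
]


def triage(rows) -> List[Tuple[str, str, str, str]]:
    """Return (host, component, version, status) for every row that is not
    confirmed fixed, so the output is a work list rather than a full report."""
    findings = []
    for host, component, version, platform in rows:
        if component == "libwebp":
            status = libwebp_status(version)
        elif component == "chrome":
            status = chrome_status(version, platform)
        else:
            continue  # components without a fixed-version rule are skipped
        if status != "fixed":
            findings.append((host, component, version, status))
    return findings


if __name__ == "__main__":
    for host, component, version, status in triage(INVENTORY):
        print(f"{host}: {component} {version} -> {status}")
```

Feed `triage()` rows exported from your asset inventory; the "check-distro-advisory" outcome is deliberately separate from "vulnerable" so that backported distro packages are confirmed against the vendor's advisory instead of being reported as false positives. Electron-based applications that vendor libwebp are not covered by this check at all; for those, only the application vendor's release notes tell you whether the bundled copy has been updated.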