Oligo and WebP 0-Day: Keep Calm and Check the Runtime Context

Gal Elbaz
September 28, 2023

The security world scrambled to patch applications after the announcement of the WebP vulnerability (CVE-2023-41064, CVE-2023-4863, CVE-2023-5129) in libwebp versions 0.5.0 to 1.3.1. This heap buffer overflow flaw stems from a function called “BuildHuffmanTable.”

Attackers can use specially modified image files that cause libwebp to create tables that are too big, causing data to overflow into other locations and allowing malicious actors to exploit the application. Already, Google has confirmed that exploits have been found in the wild, targeting the iPhone of “an individual working for a Washington DC-based civil society organization.”

An actively exploited vulnerability with a base CVSS score of 10.0 – does the discovery of the WebP vulnerability mean the weekend is canceled in favor of patching a new zero-day?

For Oligo customers, the answer is: probably not.

WebP has been widely adopted – including across Oligo’s customer base – and with active exploits already in the wild, we immediately began an assessment of our customer base to see whether they could be impacted.

Complicating the security picture, libwebp is also a dependency of many other open source libraries, such as the famous Python image processing library “Pillow”, and is pre-installed in many container images of famous frameworks such as “nginx”, “grafana” and many more.

What we found was reassuring: the vast majority of our customers aren’t exposed to this vulnerability, even if they are using the vulnerable versions of libwebp.

That’s because the Oligo platform doesn’t just check to see if libwebp is part of your software – the way software composition analysis (SCA) tools do. Instead, Oligo looks at runtime to see whether the vulnerable function is loaded, running, and exploitable.
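
The difference between "present on disk" and "loaded at runtime" can be approximated on a Linux host from `/proc`, as in this added example. It is not Oligo's script or method, and the function names and verdict strings are made up for illustration.

```shell
#!/usr/bin/env bash
# Added example (not Oligo's script): is libwebp merely installed, or mapped into a live process?
# "Mapped" is coarser than function-level tracing: it does not prove BuildHuffmanTable ran,
# and statically linked copies of libwebp do not appear in /proc/<pid>/maps at all.

# libwebp_mapped_pids [PROC_ROOT] -> "pid<TAB>comm<TAB>path" per process with libwebp mapped.
libwebp_mapped_pids() {
    local proc_root="${1:-/proc}" dir pid comm path
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/maps" ] || continue
        pid="${dir##*/}"
        comm="$(cat "$dir/comm" 2>/dev/null || echo '?')"
        # Column 6 of maps is the backing file; also matches bundled, hash-suffixed names.
        awk '$6 ~ "/libwebp[^/]*[.]so" { print $6 }' "$dir/maps" 2>/dev/null | sort -u |
        while IFS= read -r path; do
            printf '%s\t%s\t%s\n' "$pid" "$comm" "$path"
        done
    done
}

# libwebp_on_disk [FS_ROOT] -> every libwebp shared object under FS_ROOT (the SCA-style view).
libwebp_on_disk() {
    find "${1:-/}" -xdev -type f -name 'libwebp*.so*' 2>/dev/null || true
}

# webp_triage [PROC_ROOT] [FS_ROOT] -> first line is the verdict, the rest is the evidence.
webp_triage() {
    local loaded installed
    loaded="$(libwebp_mapped_pids "${1:-/proc}")"
    installed="$(libwebp_on_disk "${2:-/}")"
    if [ -n "$loaded" ]; then
        printf 'LOADED\n%s\n' "$loaded"
    elif [ -n "$installed" ]; then
        printf 'INSTALLED_NOT_LOADED\n%s\n' "$installed"
    else
        echo 'NOT_FOUND'
    fi
}

# Run as root with --scan to inspect every process on the host.
if [ "${1:-}" = "--scan" ]; then
    webp_triage
fi
```

A process started before a package upgrade keeps the old libwebp mapped until it restarts, so rerun the check after patching.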


While many of our customers had the vulnerable library in their code base, Oligo makes it possible to get a deeper look at the runtime context.

Once they run the search, most of them will see a result that looks like this:

[Screenshot: Oligo WebP libwebp not executed]


Of course, some customers are running the vulnerable library in a way that can be exploited. We’ve already reached out to these customers personally – and in their scan, they’ll see a different result:

[Screenshot: Oligo WebP libwebp executed]

When we analyzed our customer base, we discovered that over 90% of our customers using libwebp were not using the library in a way that could be exploited by the WebP vulnerability.

Oligo is the only company capable of analyzing runtime behavior down to the function level to understand whether this vulnerability could have a massive impact – or none at all.

The upshot: users of static vulnerability scanners (like traditional SCA tools) are probably spending their weekend patching this vulnerability due to its high CVSS score, whether it’s actually exploitable or not. Companies using Oligo can patch only if they actually need to – and can free their teams from an unnecessary weekend patching “fire drill.”

Uncover what’s exploitable – and what’s not – with Oligo

Want to scan your applications to find real, exploitable risks – and to determine when even critical vulnerabilities, like WebP, are non-exploitable in your code? Our team has developed a complimentary bash script to evaluate whether the vulnerable WebP-decode function is being executed. Schedule a session for a free WebP-focused assessment to precisely determine if the WebP-decode function is executed in your environment.
