Lately, it seems we’re all plagued by zero-day and dependency-related vulnerabilities. Log4Shell had everyone scrambling in 2021, and this September brought new vulnerabilities from the heap buffer overflow in the libvpx and the open-source libwebp library dependencies. We’ve all got a case for post-traumatic stress disorder (PTSD).
Your threat team is continually analyzing anomalies in the environment and uncovering vulnerabilities and other malicious threats. At the same time, security researchers are finding dependency-related vulnerabilities and malicious threats running in the wild. Leaving businesses working double time to hopefully patch and stop them before they come under attack.
Managing Dependency Vulnerabilities
Patching and updating software to fix vulnerabilities has become a 24/7 job. Even when the team or an MSSP schedules patching, it seems never-ending. Just when everything seems up to date, there’s something new to patch.
Just skim through any threat report from Microsoft or others, and it all comes into focus. There are new adversaries looking for vulnerabilities continually. No matter the source of the security flaw, just one malicious attack from a cybercriminal could have disastrous consequences for you in the short or long term.
For every piece of software in a business’s infrastructure, there are dependencies upon dependencies. With the inclusion of open-source libraries, managing dependencies and their vulnerabilities has become more challenging.
Log4j Log4Shell Vulnerabilities in 2021
In December 2021, we saw the discovery of the Log4Shell zero-day critical vulnerability that targets the Log4j Java library. The vulnerability is a risk to all systems and apps where it is present.
While many zero-day vulnerabilities can seem similar to each other, this one was different. It was the ease of exploitability that set it apart, and it didn’t need any authentication to carry out the exploit.
Many cybersecurity leaders were very concerned due to the number of software applications and devices involved. Mitigating the problem led to a series of Common Vulnerabilities and Exposures (CVE) tracking and patches.
Libvpx Overview: CVE-2023-5217
Researchers recently discovered a vulnerability that originates in the video codec library known as libvpx. A commercial spyware vendor was using the exploit.
The exploit affects Chrome, Firefox, and other browsers that use the libvpx library. It could expose users to a heap buffer overflow where the hacker could inject malicious code.
The vulnerability is currently active and is being exploited. Since it can enable Remote Code Execution (RCE), CISA requires all government organizations to patch the affected application by October 23, 2023.
The vulnerability is described as a heap buffer overflow in the V8 encoding. It could allow a remote threat actor to exploit heap corruption using a malicious HTML page. Researchers say an attacker would likely send a potential victim a link directed to the malicious page, hoping the target’s browser isn’t patched.
Experts recommend that users be reminded to keep browsers updated and informed about vulnerabilities that can stem from dependent libraries. There was an earlier heap buffer flow attack that impacted a few different applications that use the WebP Codec. It makes it an excellent time to emphasize how critical updates are to an organization’s system security.
Since the discovery of this vulnerability, the Cybersecurity and Infrastructure Security Agency (CISA) has added it to its Known Exploited Vulnerabilities Catalog. They acted after reviewing active exploitation evidence.
Libwebp Overview: CVE-2023-4863
Apple’s Security Engineering and Architecture (SEAR) team and The Citizen Lab reported the discovery of the libwebp vulnerability. Researchers say that the vulnerability is related to the recent BLASTPASS attack. The attack was responsible for a zero-day exploit from an NSO Group that targeted iPhones.
The libwebp vulnerability is basically a heap overflow that is involved in decoding webp images in the lossless format. To encode and decode Webp images, Google developed the library libwebp. The vulnerability is found in how the images are parsed with lossless compression.
The vulnerability enables an attacker to alter the Huffman tables that the library is using. By allocating less memory than is necessary, it leads to a heap overflow and data being written beyond the bounds of memory.
At first, it was reported that only browsers were impacted on account of Chromium carrying the vulnerabilities. Subsequently, researchers say it is the underlying libraries of libwebp and libvpx that contain the vulnerabilities, which indicates and much wider impact.
Applications are only vulnerable if they need to use the V8 or V9 codecs with libvpx or the WebP lossless functions of libwebp. Not all uses of the libraries are indicative of a vulnerability.
Mitigating and Patching
By mapping out applications that could be vulnerable, teams can discover a list of potentially vulnerable devices and create an actionable plan for patching.
Teams must consider which versions of libwebp and libvpx applications load as only one of the parameters necessary in determining what patches are needed. Due to all the variables, there isn’t a single patch that can mitigate this vulnerability.
Since there aren’t official patches for all affected applications, teams should remain cautious. Monitoring workloads should be prioritized since they can be unpatched or otherwise vulnerable.
Dependencies in applications continue to increase and along with them, the number of vulnerabilities being discovered. Threat attackers see these vulnerabilities as time savers for them, since they don’t need to search for complex exploits.
Developers and analysts must keep abreast of what dependencies are present in every application. While patching teams should make sure updates are implemented as soon as they are released.