#cve_2023_4863 — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #cve_2023_4863, aggregated by home.social.
-
It's been a few months since last year's #libwebp 0day (#CVE_2023_4863) came out, and I'm curious about whether the alarm has ratcheted down. It kinda seemed like this was potentially a pretty bad vuln if you're a political dissident using Electron apps to organize against oppressive governments, but probably not a super dangerous situation for most corporate networks (with basically no chance of broad automated exploitation). But as I think @TomSellers pointed out early on, the tail of apps that use the vulnerable library was always going to be long, and that usually means it's hard to track just how many are/were exploitable out of the box, and that it could be years before high-impact (remote) attack vectors are identified and fixed.
This is a fantastic overview: https://blog.isosceles.com/the-webp-0day/
-
Okay, a continually-updated list of Electron apps and their Electron versions, and whether they're vulnerable to #CVE_2023_5129, aka #CVE_2023_4863.
https://docs.google.com/spreadsheets/d/1QLLFYCO0FMAu1ob6mnYCapW8dnx-HXunbf_zc9QLXlM/edit?usp=sharing
And for those of you who refuse to click on Google links: https://gist.github.com/mttaggart/02ed50c03c8283f4c343c3032dd2e7ec
-
For those tracking CVE-2023-5129 CVE-2023-4863, aka the #Libwebp fiasco, here's how to validate if your Electron app is vulnerable.
The patched version of Electron is v26.2.1. To confirm what version of Electron your app is using, you need to run strings against the executable. The version is in the app's User-Agent, so:
strings app.exe | grep "Electron/"
will do the trick. The attached image shows this method for Teams, which tracks with their published version listings.
I'd love it if folks who try this with updated apps post their results as replies here, so we can collect this #ThreatIntel.
Edited to add that backports also are patched: 22.3.24, 24.8.3, and 25.8.1.
#CVE_2023_4863 #InfoSec #CyberSecurity
-
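As an added example (not the poster's code), a POSIX sh check that automates the version comparison described in the post above against the patched releases it names (26.2.1 plus the 22.3.24, 24.8.3 and 25.8.1 backports). It reads the version with grep -a rather than strings; the assumption is that both find the same "Electron/x.y.z" User-Agent token, and that majors without a listed fix are reported as unknown rather than guessed.

```shell
#!/bin/sh
# Added example: classify an Electron executable as patched/vulnerable for
# CVE-2023-4863 from the Electron version embedded in its User-Agent string.
# Assumption: grep -a on the binary finds the same token as strings | grep.

# First fixed Electron release per major line, as listed in the post above.
electron_patched_for_major() {
  case "$1" in
    22) echo 22.3.24 ;;
    24) echo 24.8.3 ;;
    25) echo 25.8.1 ;;
    26) echo 26.2.1 ;;
    *) return 1 ;;   # no fix version listed for this major line
  esac
}

# version_ge A B: succeeds when dotted version A >= B (x.y.z, numeric parts).
version_ge() {
  a1=${1%%.*}; r=${1#*.}; a2=${r%%.*}; a3=${r#*.}
  b1=${2%%.*}; r=${2#*.}; b2=${r%%.*}; b3=${r#*.}
  [ "$a1" -ne "$b1" ] && { [ "$a1" -gt "$b1" ]; return; }
  [ "$a2" -ne "$b2" ] && { [ "$a2" -gt "$b2" ]; return; }
  [ "$a3" -ge "$b3" ]
}

# Pull the first "Electron/x.y.z" token out of a binary and keep the version.
electron_version_from_binary() {
  grep -a -o 'Electron/[0-9][0-9.]*' "$1" | head -n 1 | sed 's#^Electron/##'
}

# Print "patched (v)", "vulnerable (v)", or an "unknown (...)" reason.
electron_status() {
  v=$(electron_version_from_binary "$1")
  if [ -z "$v" ]; then echo "unknown (no Electron/ string found)"; return; fi
  major=${v%%.*}
  if ! fixed=$(electron_patched_for_major "$major"); then
    echo "unknown ($v, no fixed version listed for major $major)"; return
  fi
  if version_ge "$v" "$fixed"; then echo "patched ($v)"; else echo "vulnerable ($v)"; fi
}

# Usage: sh check_electron.sh app.exe [more binaries...]
if [ "$#" -gt 0 ]; then
  for f in "$@"; do printf '%s: %s\n' "$f" "$(electron_status "$f")"; done
fi
```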
@campuscodi This article claims that it is a new CVE for the same vulnerability, to clarify scope?
https://stackdiary.com/heap-buffer-overflow-in-libwebp-cve-2023-5129/
But this seclists thread seems to say that CVE-2023-5129 is associated with libwebp commits that are different from the fixes associated with CVE-2023-4863 [Edit: but these are described by the issuer as cleanups]:
https://seclists.org/oss-sec/2023/q3/230
The seclists poster is reaching out to double-check whether it's new. Solar Designer's assessment is that it's probably the same (but that the cleanups in the code should be examined anyway):
https://seclists.org/oss-sec/2023/q3/236
#CVE20235129 #CVE20234863 #CVE_2023_4863 #CVE_2023_5129 #libwebp