
Addressing the Critical libwebp Vulnerability: Our Steps at Level


Jacob Haug

Monday, October 2, 2023


Last week, a concerning zero-day vulnerability was disclosed in libwebp - tagged as CVE-2023-5129. This flaw in the library used for web image processing had the potential to wreak havoc across many Linux distributions. Here's a breakdown of how we addressed it at Level.

1. What's the Buzz About?

libwebp is a popular library that's present in many Linux distributions including Debian, Ubuntu, Alpine, Gentoo, SUSE, and more. The vulnerability in question affected versions 0.5.0 to 1.3.1 of the library. It achieved a “perfect” CVSS score of 10.0, indicating its extreme criticality.

Researchers have noted similarities between this flaw and the buffer overflow vulnerability CVE-2023-41064 found in Apple's ImageIO framework. Both vulnerabilities highlight the importance of keeping systems up to date.

2. The Problem Statement

According to Ubuntu's official security notice:

"It was discovered that libwebp incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image file, a remote attacker could exploit this to crash the system or even execute arbitrary code."

3. The Solution

Both Ubuntu and Debian promptly released patches to fix the vulnerability. Here are the patched package versions for the different distributions:

  • Ubuntu 23.04: libwebp7 - 1.2.4-0.1ubuntu0.23.04.2
  • Ubuntu 22.04: libwebp7 - 1.2.2-2ubuntu0.22.04.2 (the version Level uses)
  • Ubuntu 20.04: libwebp6 - 0.6.1-2ubuntu0.20.04.3
  • Debian 12 (bookworm): libwebp 1.2.4-0.2

You can also refer to Debian’s CVE tracker for more details.

4. Our Approach at Level

To help our clients, we wrote a script that checks for the patched versions on both Ubuntu and Debian systems.

```bash
#!/bin/bash
# -----------------------------------------------------------------------------
# This script is provided as a convenience for Level.io customers. We cannot
# guarantee this will work in all environments. Please test before deploying
# to your production environment. We welcome contribution to the scripts in
# our community repo!
# -----------------------------------------------------------------------------
#
# -----------------------------------------------------------------------------
# Script Configuration
# -----------------------------------------------------------------------------
# Name: Linux Vulnerability - libwebp CVE-2023-41064
# Description: This script is designed to identify and verify the installation of
#              specific versions of the libwebp package on Linux systems.
# Language: Bash
# Timeout: 100
# Version: 1.0
#

# Detect the OS release name/version
OS_RELEASE=$(lsb_release -cs)
DESIRED_VERSION=""

# Assign the desired version based on OS release
case $OS_RELEASE in
  "jammy") # Ubuntu 22.04
    DESIRED_VERSION="1.2.2-2ubuntu0.22.04.2"
    ;;
  "focal") # Ubuntu 20.04
    DESIRED_VERSION="0.6.1-2ubuntu0.20.04.3"
    ;;
  "bookworm") # Debian 12
    DESIRED_VERSION="1.2.4-0.2+deb12u1"
    ;;
  *)
    echo "OS not recognized or not supported."
    exit 1
    ;;
esac

# Search for libwebp installations using apt
LIBWEBP_VERSIONS=$(apt list --installed 2>/dev/null | grep libwebp | awk -F'/' '{print $2}' | awk '{print $2}')

# Check if the desired version is found and flag if others are found
FOUND_DESIRED=false
FOUND_OTHER=false
for version in $LIBWEBP_VERSIONS; do
  if [[ $version == $DESIRED_VERSION ]]; then
    FOUND_DESIRED=true
  else
    FOUND_OTHER=true
    echo "Different version of libwebp found: $version"
    exit 1
  fi
done

if [ "$FOUND_DESIRED" = true ]; then
  echo "Desired version of libwebp ($DESIRED_VERSION) for $OS_RELEASE is installed."
  exit 0
fi

if [ "$FOUND_OTHER" = false ]; then
  echo "No other versions of libwebp found."
  exit 0
fi
```

This script uses the system's package manager to verify the installed libwebp versions. Level's scripting engine can run it across all your Ubuntu and Debian devices in a couple of clicks.
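The script above treats any version other than the exact fixed string as "Different version" and exits 1, so the next libwebp security update would show up as a failure. Below is an added example, not Level's script, that reimplements dpkg's version ordering in Python and treats anything at or above the fixed version as patched; it assumes the `apt list --installed` line format shown in the constructed sample and takes its fixed versions from this post (the Debian 12 value from the script).

```python
import re

# Fixed versions listed in the post (Debian 12 value taken from its script).
FIXED = {"lunar": "1.2.4-0.1ubuntu0.23.04.2", "jammy": "1.2.2-2ubuntu0.22.04.2",
         "focal": "0.6.1-2ubuntu0.20.04.3", "bookworm": "1.2.4-0.2+deb12u1"}

def _order(c):  # dpkg's character ranking: '~' sorts before end-of-string, letters before symbols
    return -1 if c == "~" else 0 if c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):  # dpkg's verrevcmp(): alternate non-digit runs and numeric runs
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        da, db = re.match(r"\d*", a[i:]).group(), re.match(r"\d*", b[j:]).group()
        i, j = i + len(da), j + len(db)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def deb_version_cmp(v1, v2):
    """Order two Debian versions like `dpkg --compare-versions` (<0, 0, >0)."""
    def split(v):
        epoch, up = v.split(":", 1) if ":" in v else ("0", v)
        up, rev = up.rsplit("-", 1) if "-" in up else (up, "")
        return int(epoch), up, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def check_libwebp(codename, apt_list_output):
    """Return (status, [(package, version, is_vulnerable), ...]) for one host."""
    if codename not in FIXED:
        return "unsupported", []
    hits = []
    for line in apt_list_output.splitlines():
        name, sep, rest = line.partition("/")
        if sep and name.startswith("libwebp"):  # libwebp7, libwebpmux3, libwebpdemux2 ...
            version = rest.split()[1]           # "<suites>,now <version> <arch> [installed]"
            hits.append((name, version, deb_version_cmp(version, FIXED[codename]) < 0))
    if not hits:
        return "not_installed", hits
    return ("vulnerable" if any(v for _, _, v in hits) else "patched"), hits

# Constructed `apt list --installed` excerpt: an Ubuntu 22.04 host still on the pre-fix build.
SAMPLE_JAMMY = """Listing... Done
libwebp7/jammy-updates,jammy-security,now 1.2.2-2ubuntu0.22.04.1 amd64 [installed,automatic]
"""
```

Run `check_libwebp(codename, output)` with the output of `apt list --installed` and the host's `lsb_release -cs` codename; a host with a newer build than the one listed is reported as patched rather than as a failure.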

1. Create a New Script: Name it "Linux Vulnerability - libwebp CVE-2023-5129"

2. Filter Your Devices

Set filters to refine the device list.

3. Execute the Script

Select all the relevant devices and run a script.

4. Preview and Run Execution

From our analysis, only one of our servers was found to be vulnerable. That was not luck: our proactive server patch policy at Level had already patched the majority of our servers. The policy runs updates thrice a week at 2am EDT, and any security-related patches are applied immediately without delay.

Make sure to include Security Updates.
Set a repeating schedule.

We also manually triggered our patch policy and performed rolling reboots to ensure the patch took effect on all servers. A final run of our script confirmed that the threat was mitigated.

Patch policies can be run instantly at any time if needed.


Reviewing results to make sure all is good to go.

5. Moving Forward

Ensuring system security is a continuous process. While tools and policies can largely automate it, human intervention, analysis, and proactivity are indispensable. Always keep an eye on security bulletins, and take timely action.

Level: Simplify IT Management

At Level, we understand the modern challenges faced by IT professionals. That's why we've crafted a robust, browser-based Remote Monitoring and Management (RMM) platform that's as flexible as it is secure. Whether your team operates on Windows, Mac, or Linux, Level equips you with the tools to manage, monitor, and control your company's devices seamlessly from anywhere.

Ready to revolutionize how your IT team works? Experience the power of managing a thousand devices as effortlessly as one. Start with Level today—sign up for a free trial or book a demo to see Level in action.