Addressing the Critical libwebp Vulnerability: Our Steps at Level

Last week, a concerning zero-day vulnerability was disclosed in libwebp - tagged as CVE-2023-5129. This flaw in the library used for web image processing had the potential to wreak havoc across many Linux distributions. Here's a breakdown of how we addressed it at Level.

1. What's the Buzz About?

libwebp is a popular library that's present in many Linux distributions including Debian, Ubuntu, Alpine, Gentoo, SUSE, and more. The vulnerability in question affected versions 0.5.0 to 1.3.1 of the library. It achieved a “perfect” CVSS score of 10.0, indicating its extreme criticality.

Researchers have noted similarities between this flaw and the buffer overflow vulnerability CVE-2023-41064 found in Apple’s ImageI/O framework. Both vulnerabilities highlight the importance of maintaining up-to-date systems.

2. The Problem Statement

According to Ubuntu's official security notice:

"It was discovered that libwebp incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image file, a remote attacker could exploit this to crash the system or even execute arbitrary code."

3. The Solution

Both Ubuntu and Debian promptly released patches to fix the vulnerability. Here are the correct versions for different distributions:

• Ubuntu 23.04: libwebp7 - 1.2.4-0.1ubuntu0.23.04.2
• Ubuntu 22.04: libwebp7 - 1.2.2-2ubuntu0.22.04.2 (the version Level uses)
• Ubuntu 20.04: libwebp6 - 0.6.1-2ubuntu0.20.04.3
• Debian 12 (bookworm): libwebp 1.2.4-0.2

You can also refer to Debian’s CVE tracker for more details.

4. Our Approach at Level

To help our clients, we wrote a script that checks for the patched versions on both Ubuntu and Debian systems.

copy
#!/bin/bash
# -----------------------------------------------------------------------------
# This script is provided as a convenience for Level.io customers. We cannot 
# guarantee this will work in all environments. Please test before deploying
# to your production environment.  We welcome contribution to the scripts in 
# our community repo!
# -----------------------------------------------------------------------------
#
# -----------------------------------------------------------------------------
# Script Configuration
# -----------------------------------------------------------------------------
# Name: Linux Vulnerability - libwebp CVE-2023-41064
# Description: This script is designed to identify and verify the installation of 
# specific versions of the libwebp package on Linux systems.
# Language: Bash
# Timeout: 100
# Version: 1.0
#

# Detect the OS release name/version
OS_RELEASE=$(lsb_release -cs)
DESIRED_VERSION=""

# Assign the desired version based on OS release
case $OS_RELEASE in
    "jammy")  # Ubuntu 22.04
        DESIRED_VERSION="1.2.2-2ubuntu0.22.04.2"
        ;;
    "focal")  # Ubuntu 20.04
        DESIRED_VERSION="0.6.1-2ubuntu0.20.04.3"
        ;;
    "bookworm")  # Debian 12
        DESIRED_VERSION="1.2.4-0.2+deb12u1"
        ;;
    *)
        echo "OS not recognized or not supported."
        exit 1
        ;;
esac


# Search for libwebp installations using apt
LIBWEBP_VERSIONS=$(apt list --installed 2>/dev/null | grep libwebp | awk -F'/' '{print $2}' | awk '{print $2}')

# Check if the desired version is found and flag if others are found
FOUND_DESIRED=false
FOUND_OTHER=false

for version in $LIBWEBP_VERSIONS; do
    if [[ $version == $DESIRED_VERSION ]]; then
        FOUND_DESIRED=true
    else
        FOUND_OTHER=true
        echo "Different version of libwebp found: $version"
        exit 1
    fi
done

if [ "$FOUND_DESIRED" = true ]; then
    echo "Desired version of libwebp ($DESIRED_VERSION) for $OS_RELEASE is installed."
    exit 0
fi

if [ "$FOUND_OTHER" = false ]; then
    echo "No other versions of libwebp found."
    exit 0
fi

This script uses the system's package manager to verify the installed libwebp versions. Thankfully, our Level's scripting engine can run this across all your Ubuntu and Debian devices in a couple clicks.

1. Create a New Script: Name it "Linux Vulnerability - libwebp CVE-2023-5129"

2. Filter Your Devices

3. Execute the Script

4. Preview and Run Execution

From our analysis, only one of our servers was found to be vulnerable. But that's not because we got lucky. It's because our proactive server patch policy at Level ensured the majority of our servers were already patched. Our policy updates thrice a week at 2am EDT, and any security-related patches are applied immediately without delay.

Additionally, we also manually triggered our patch policy and executed rolling reboots to ensure that the patch took effect on all servers. A final run of our script confirmed our success in mitigating the threat.

A final run of our script confirmed our success in mitigating the threat.

5. Moving Forward

Ensuring system security is a continuous process. While tools and policies can largely automate it, human intervention, analysis, and proactivity are indispensable. Always keep an eye on security bulletins, and take timely action.