CVE-2023-4863 and WebP, Not Just a Browser Issue

Since this came out in the news, it has been discussed that the scope of this exploit is not just browser-based. Is Rapid7 discussing/planning how it will adjust or add checks for whatever other software is affected (not just browsers)?

Adding to this that there is a new CVE created for an additional check against software/apps with libwebp.

CVE-2023-5129 is rejected: ** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. Duplicate of CVE-2023-4863.

Thanks for the update. I did question why a new CVE was created for this. However, my initial question still stands about creating new checks for apps/software that are going to be affected. I imagine R7 is working on it (them having to wait on vendors). We’ll see.

Hello, is there a template available to check if browsers are impacted?

Thank you.

The template you use for your normal scans should already have the check imported and the scanners scanning for it. What template do you use regularly?

I use exhaustive and full audit templates.

Yeah, so they should automatically be populated with the latest checks, including CVE-2023-4863, unless modifications (by you or another) have been made within the template.

Yep, so this is where our recurring coverage is a pretty handy place to start: Recurring vulnerability coverage | InsightVM Documentation
For any vendor/software under the recurring coverage that acknowledges and provides remediation for CVE-2023-4863, we would create vulnerability content. There are of course sometimes some exceptions, but this mostly holds true.

There’s already a decent degree of content available. I’ve put a few examples (not an exhaustive list!) below of vendors we already have vulnerability content for and the advisories referenced.

The tl;dr is that if a vendor/software we have coverage for puts forward a remediation for CVE-2023-4863, we would expect to create vulnerability content for that software.
