By Ofri Ouzan & Yotam Perkal, Rezilion Security Research

On September 27th, 2023, Google released an update including 10 security fixes. Notably, one of these fixes, identified as CVE-2023-5217, was highlighted for having an existing exploit in the wild.

On October 2nd, 2023, CISA added this vulnerability to their KEV Catalog, signifying that it is being actively exploited in the wild.

CVE-2023-5217 is classified as a heap buffer overflow vulnerability with a high CVSS score of 8.8. While the likelihood of exploitation isn’t clear yet, this classification makes the vulnerability an urgent concern that requires immediate attention. This particular vulnerability allows remote attackers to exploit heap corruption through the use of a crafted HTML page. Similarly to CVE-2023-4863, this vulnerability was initially associated with Chrome. However, further investigation revealed that it resides in the libvpx library of the WebM VP8/VP9 Codec SDK.

If this sounds familiar, you’re absolutely right! It bears a striking resemblance to our recent research on CVE-2023-4863 released less than two weeks ago. These two vulnerabilities share numerous similarities:

- Both CVEs are heap overflow vulnerabilities.
- Both were disclosed by Google and were initially believed to affect only Chrome.
- Both later had their CPE values updated to reflect their association with webmproject libraries that are dependencies of many other software products (libwebp & libvpx).
- Both involve attackers using crafted HTML pages as their attack vector.

Furthermore, they both have existing exploits in the wild and are codec libraries serving the same purpose – encoding and decoding various formats.

Rezilion analysis reveals that there are several common Linux applications that contain or use the vulnerable libvpx package as a dependency. Examples include: gstreamer1-plugins-good, gstreamer-plugins-bad-free, ffmpeg-libs, libgd3, Microsoft vcpkg, Telegram and Telegram Desktop, FFmpeg, SmartTubeLegacy, Openai Retro, Google ExoPlayer, Natron.

While libvpx seems to be less widespread than libwebp, Rezilion has also identified the vulnerable library in the latest versions of several container images, collectively downloaded and deployed over 100 million times, such as elixir, erlang, silverpeas, gazebo, ros, and nuxeo.

This is a heap buffer overflow vulnerability in the libvpx package of WebM VP8/VP9 Codec SDK. The heap is the memory area that stores a running program’s data in variable amounts that are not known until the program is running. A heap buffer overflow occurs when data is written beyond the allocated boundaries of a program’s memory heap, potentially leading to a denial of service or remote code execution.

The libvpx package of WebM VP8/VP9 Codec SDK is a free software video codec library from Google and the Alliance for Open Media (AOMedia). It serves as the reference software implementation for the VP8 and VP9 video coding formats.
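
To act on the point that libvpx reaches systems as a dependency of other packages, the following added example (not code from the Rezilion post) walks a dpkg package database and lists every installed package that depends on libvpx directly or transitively, with the chain that gets there. The sample database is constructed, and the `libvpx<N>` package-name pattern is an assumption based on Debian naming.

```python
import re
from collections import defaultdict

# Constructed sample in dpkg status format; on a Debian/Ubuntu host or image
# the real data is in /var/lib/dpkg/status.
SAMPLE_STATUS = """\
Package: libvpx7
Depends: libc6 (>= 2.34)

Package: libavcodec59
Depends: libc6 (>= 2.34), libvpx7 (>= 1.12.0), libwebp7

Package: ffmpeg
Depends: libavcodec59 (= 7:5.1.3-1), libc6 (>= 2.34)

Package: gstreamer1.0-plugins-good
Depends: libgstreamer1.0-0, libvpx7 (>= 1.12.0)

Package: curl
Depends: libc6 (>= 2.34), libcurl4
"""

def parse_status(text):
    """Map each package to the set of package names in its Depends field."""
    deps = {}
    for para in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^([A-Za-z-]+):[ \t]*(.*)$", para, flags=re.M))
        if "Package" in fields:
            clauses = re.split(r"[,|]", fields.get("Depends", ""))
            # Drop version constraints "(>= x)" and arch qualifiers ":amd64".
            deps[fields["Package"]] = {
                c.split("(")[0].split(":")[0].strip() for c in clauses if c.strip()}
    return deps

def packages_pulling_in(deps, pattern=r"^libvpx\d+$"):
    """Return {package: chain to libvpx} for libvpx and all reverse dependencies."""
    rdeps = defaultdict(set)
    for pkg, names in deps.items():
        for name in names:
            rdeps[name].add(pkg)
    chains = {p: [p] for p in deps if re.match(pattern, p)}
    queue = sorted(chains)
    while queue:  # breadth-first walk up the reverse-dependency graph
        cur = queue.pop(0)
        for parent in sorted(rdeps[cur]):
            if parent not in chains:
                chains[parent] = [parent] + chains[cur]
                queue.append(parent)
    return chains
```

Package metadata only shows packaged, dynamically linked dependencies; applications that bundle their own copy of libvpx will not appear and need a file or SBOM scan. Whether the installed libvpx build is patched has to be checked against the distribution's advisory for CVE-2023-5217.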