Libwebp RCE (CVE-2023-4863)

Syncro is aware of the libwebp RCE (CVE-2023-4863) and wanted to provide an update to our partners. We have no evidence that the Syncro platform was compromised due to this vulnerability.

While the main Syncro platform never accepted webp image uploads, after some deeper technical research we determined that we should still upgrade the webp library because renamed webp files could have been uploaded. The Customer Portal does accept webp image uploads directly.

As of 9/27/2023 the main Syncro platform was updated and fully mitigated with respect to the vulnerability. Throughout today (9/28/2023) we have upgraded all internal systems that contained the vulnerable library.

As an additional tool, we will be creating a script for you to use within Syncro to identify any vulnerable machines and take action on them. We will post it to the community script library when it is ready to share.

If you are interested, here are some links with more information about the vulnerability:

• InfoSec professional, Michael Taggart, is updating a list of vulnerable apps here
• Snyk has an informational post about the vulnerability here

To complete our response to this issue, we are currently doing an investigation to confirm that our platform has not been victim to this vulnerability and will notify our partner base accordingly.

Hey folks - We wrote a PowerShell script for you that should help you pin down which computers need patches installed. Here’s how it works:

1. Run it on any Syncro agent

2. It will create an RMM alert if any applications are installed on that machine that match Michael Taggart’s list of vulnerable apps.

NOTE: This does not tell you that those applications are vulnerable, it will only tell you that they’re installed. You’ll need to check the version number on the application and reference it to Michael’s list to check to see if that version needs to be patched.

Here’s the script:

# Set the DebugPreference to view debug messages
$DebugPreference = 'Continue'

# Import Syncro Module
Import-Module $env:SyncroModule

# Download and import the CSV
$url = "https://gist.githubusercontent.com/mttaggart/02ed50c03c8283f4c343c3032dd2e7ec/raw/8ad740330a071694450e7b84482b389e6a94abb0/20230927_electron-versions.csv"
$csvContent = Invoke-WebRequest -Uri $url -UseBasicParsing
$apps = $csvContent.Content | ConvertFrom-Csv

# Expanded registry paths to search for installed apps
$registryPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    "HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Families",
    "HKLM:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Families"
)

# Gather all installed apps from these paths
$installedApps = $registryPaths | ForEach-Object {
    Get-ChildItem $_ -ErrorAction SilentlyContinue
} | ForEach-Object {
    Get-ItemProperty $_.PSPath
}

$foundApplications = $false
$outputString = "" # Initialize an empty string to collect output

foreach ($app in $apps) {
    $installedApp = $installedApps | Where-Object { $_.DisplayName -match [regex]::Escape($app.app_name) }

    if ($installedApp) {
        if (-not $foundApplications) {
            $outputString += "Applications have been found installed on the machine that may be vulnerable to the WebP vulnerability. Please check their versions to see if they are affected.`r`n"
            $foundApplications = $true
        }
        
        $appName = $installedApp.DisplayName
        $appVersion = $installedApp.DisplayVersion
        $installDate = $installedApp.InstallDate
        $vendor = $installedApp.Publisher

        # Append the details to outputString
        $outputString += "`nApplication Name: $appName`r`n"
        $outputString += "Application Vendor Name: $vendor`r`n"
        $outputString += "Application Current Version: $appVersion`r`n"
        $outputString += "Application Installed Date: $installDate`r`n"
        $outputString += "Install Location: $($installedApp.InstallLocation)`r`n"
        $outputString += "Quiet Uninstall String: $($installedApp.QuietUninstallString)`r`n"
    }
}

# Only output and create an RMM Alert if an application was found
if ($foundApplications) {
    # Print the outputString to standard output
    Write-Output $outputString

    # Create RMM Alert
    Rmm-Alert -Category 'WebP Vulnerability Check' -Body $outputString
} else {
    Write-Output "No applications found that match the list."
}

Let me know if you have any questions,

Ian

Just an FYI, the script is going to generate alerts from pretty much every computer you run it on since this library is included in so many common apps and the script isn’t actually checking for vulnerable version numbers. Not that I blame Syncro, attempting to check against version numbers is fraught with issues (different formatting, software that doesn’t update the version number in windows when it updates, different app editions with the same names). Just be prepared for a lot of manual work if you’re going to actually go through all the output of this. The most critical applications like browsers and chat apps have already had updates for a while and are pretty good at forcing them on users. It wouldn’t be a bad idea to force a reboot on your users however to make sure the new versions are able to fully apply.

EDIT: Also just occurred to me that the HKCU apps won’t be found if you run the script as SYSTEM and if you run it as Logged In User (which just fails if they’re not) it still won’t find other users apps.

Is this in the community script library?

I modified a script that Richard Jones posted in the Tech Tribe forums that does include version checking. I just tested it on my assets and found 4 (out of about 500) so that helps narrow it down some!

Step 1: Create 2 custom asset fields. One called “WebP” that is a text field and one called “WebP_Check” that is a Check box

Step 2: Create the following powershell script and run against all syncro assets

# import module
Import-Module $env:SyncroModule

# Define the applications and their safe versions
$apps = @{
    'Firefox' = '117.0.1' # Also checks for other versions later
    'Thunderbird' = '115.2.2' # Also checks for '102.15.1' later
    'Brave' = '1.57.64'
    'Tor Browser' = '12.5.4'
    'Opera' = '102.0.4880.46'
}

# Fetch installed applications from both 32-bit and 64-bit registry paths
$installedApps32 = Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* |
                 Select-Object DisplayName, DisplayVersion
$installedApps64 = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |
                 Select-Object DisplayName, DisplayVersion

$installedApps = $installedApps32 + $installedApps64

$affectedApps = ""

foreach ($app in $installedApps) {
    $name = $app.DisplayName
    $version = $app.DisplayVersion
    $alertIssued = $false

    # Check for each app
    foreach ($appName in $apps.Keys) {
        if ($name -like "*$appName*") {
            # Special case for Mozilla apps
            if ($appName -contains '*Firefox*' -or $appName -contains '*Thunderbird*') {
                if ([version]$version -lt [version]$apps[$appName] -and [version]$version -ne '102.15.1') {
                    Write-Output "ALERT - $appName is below the recommended version. Current: $version"
                    $alertIssued = $true
                    $affectedApps = $affectedApps + $appName + " "
                }
            } elseif ([version]$version -lt [version]$apps[$appName]) {
                Write-Output "ALERT - $appName is below the recommended version. Current: $version"
                $alertIssued = $true
                $affectedApps = $affectedApps + $appName + " "
            }

            if (-not $alertIssued) {
                Write-Output "OK - $appName version $version is fine."
            }
        }
    }
}

# Special case for Microsoft Edge
$edge = $installedApps | Where-Object { $_.DisplayName -like 'Microsoft Edge' }
$edgeSafeVersions = @('109.0.1518.140', '116.0.1938.81', '117.0.2045.31') | Sort-Object {[version]$_}
# If the Edge version is lower than the earliest safe version
if ($edge -and [version]$edge.DisplayVersion -lt [version]$edgeSafeVersions[0]) {
    Write-Output "ALERT - Microsoft Edge is below the recommended versions. Current: $($edge.DisplayVersion)"
    $affectedApps = $affectedApps + "Edge" + " "
} else {
    Write-Output "OK - Microsoft Edge version $($edge.DisplayVersion) is fine."
}

# For Google Chrome Windows 
$chrome = $installedApps | Where-Object { $_.DisplayName -like 'Google Chrome' }
# If the Chrome version is lower than the safe version
if ($chrome -and [version]$chrome.DisplayVersion -lt [version]'116.0.5845.187') {
    Write-Output "ALERT - Google Chrome Windows is below the recommended version. Current: $($chrome.DisplayVersion)"
    $affectedApps = $affectedApps + "Chrome"
} else {
    Write-Output "OK - Google Chrome version $($chrome.DisplayVersion) is fine."
}

Set-Asset-Field -Name "WebP" -Value $affectedApps
$check = [bool]$affectedApps
if ($check -eq "True") {Set-Asset-Field -Name "WebP_Check" -Value $true} else {Set-Asset-Field -Name "WebP_Check" -Value $false}

Step 3: Create Saved Asset Search where Asset Checkbox Field “WebP_Check” is “Checked”

Step 4: Patch the resulting systems

thank you so much much for the updated script. I am able to search 15 devices with ease.

Thanks for this. I have a couple questions/comments on this:

1. This is great for finding the browsers that are out of date. Based on what I know about this vulnerability, there are hundreds of other applications that could be affected. Would the other applications have their own WebP vulnerability or would they use the same library as the browser?

2. I noticed on one system that it showed chrome version 117.0.5938.132, which is updated and clear of the vulnerability. However, it was actually running on 117.0.5938.92. 132 was installed on the system, but the user hadn’t closed the browser and relaunched recently, so the update was pending.

Thanks for the work on this. It certainly is appreciated.

Is there a way to pull the script output data out as a file for all systems vs going into each one manually? I’m still learning my way around a lot of these features in Syncro.

Edit, I found a way to pull the report on the script but would love the output data as well in a spreadsheet with the items that need to be patched for each asset. Thanks

There’s no way to see script output in bulk, you’d have to modify the script to output the info you want into alerts, tickets (or a single ticket number), a custom field or activity log entries (Log-Activity) you can run a report on/filter on.

1. You’d have to add each app and vulnerable versions. The library isn’t like some others where it’s a separate file necessarily, it may be embedded inside something.
2. Yes, you should force regular reboots for this reason. Also keep in mind Syncro only checks every 6 hours for software changes so the script may say it’s fine but Syncro will still show the old version for a while.

Thanks for the script, Ian! Would it make sense to add this to the Community Script Library?

Is there a way to set this script to uncheck if the application has been patched. It seems if you run it then resolve the issue and run it again it does not uncheck the box.

Hey Jeff! I have been using the script for a few days now and when the issue is resolved and I re-run the script, it does uncheck the box.

In my case, when it did not uncheck the box, I looked and noticed that the workstation had two versions of Firefox installed.

Hello all,

I had issues with Ian’s script, where the app would match against multiple applications. I did some customization to output PSCustomObjects as well as parse when there were multiple matches. The output objects also include what was matched in vulnerable apps. Apps like ‘dat’ had many false positives since it’s a common string. From some testing items such as Teams, version numbers may differ from the GitHub repository, I am assuming from how/where the application was installed. I also used Matthew Taggart’s latest repository. https://github.com/mttaggart/electron-app-tracker/blob/main/electron_apps.csv. Be kind I don’t share my code often. Thanks.

# Import Syncro Module
Import-Module $env:SyncroModule

# Download and import the CSV
$url = 'https://raw.githubusercontent.com/mttaggart/electron-app-tracker/main/electron_apps.csv'
$csvContent = Invoke-WebRequest -Uri $url -UseBasicParsing
$apps = $csvContent.Content | ConvertFrom-Csv

# Expanded registry paths to search for installed apps
$registryPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    "HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Families",
    "HKLM:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Families"
)

# Gather all installed apps from these paths
$installedApps = $registryPaths | ForEach-Object {
    Get-ChildItem $_ -ErrorAction SilentlyContinue
} | ForEach-Object {
    Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
}

$foundApplications = $false
$outputString = "" # Initialize an empty string to collect output
$FoundArray = @()

foreach ($app in $apps) {
    $installedApp = $installedApps |Where-Object {$_.displayname -ne ''}| Where-Object { $_.DisplayName -match [regex]::Escape($app.app_name) }
    if ($installedApp) {
        if (-not $foundApplications) 
        {
            Write-Host "Applications have been found installed on the machine that may be vulnerable to the WebP vulnerability. Please check their versions to see if they are affected.`r`n"
            $foundApplications = $true
        }
        
        if($installedApp.count -gt 1) #parse where there are mutliple matches and add each match to Found items
        {
            foreach($match in $installedApp)
            {
               $found = [PSCustomObject]@{
                    AppName = $match.DisplayName
                    CurrentVersion = $match.DisplayVersion
                    VulnerableVersion = ($app.electron_version.Replace('^',''))
                    InstallDate = $match.InstallDate
                    Vendor = $match.Publisher
                    Matched = ($app.app_name)
                    InstallLocation = $match.InstallLocation
                    QuietUninstall = $match.QuietUninstallString
                }
                $FoundArray += $found 
            }
        }
        else
        {
            $found = [PSCustomObject]@{
                AppName = $installedApp.DisplayName
                CurrentVersion = $installedApp.DisplayVersion
                VulnerableVersion = $app.electron_version.Replace('^','')
                InstallDate = $installedApp.InstallDate
                Vendor = $installedApp.Publisher
                Matched = ($app.app_name)
                InstallLocation = $installedApp.InstallLocation
                QuietUninstall = $installedApp.QuietUninstallString
            }
            $FoundArray += $found
        }
    }
}

# Only output and create an RMM Alert if an application was found
if ($foundApplications) {
    # Print the outputString to standard output
    Write-Host 'WebP Vulernable App Matches Below'
    $outputNames = $FoundArray.AppName -join ' , '
    $outputString = 'Apps Potentially Vulnerable to WebP: ' + $outputNames
    $FoundArray | Format-List
    
    # Create RMM Alert
    Rmm-Alert -Category 'WebP Vulnerability Check' -Body $outputString
} else {
    Write-Output "No applications found that match the list."
}