ISN 2023-21: Libvpx Vulnerability in Chromium and Firefox
Updated 24 October 2023 (OS 11.09.110 available)
First published 5 October 2023
CVSS 3.1: 8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
A vulnerability has been found in the Libvpx video library. This affects the following IGEL products:
- IGEL OS 12
- IGEL OS 11
Details
A vulnerability rated high (CVE-2023-5217) has been found in the code for the VP8 video format in Libvpx. This library is used in the Chromium and Firefox web browsers. A remote attacker could potentially exploit heap corruption via a crafted HTML page. Google and Mozilla report that this vulnerability is being used in the wild.
Mitigation
OS 11: If feasible, use Firefox as your web browser and add the following custom command under System > Firmware Customization > Custom Commands > Base > Initialization. It wraps the Firefox preferences script so that WebP images and the bundled ffvpx media decoders are disabled in the local user profile, removing the media paths that could be used for an attack:
# Keep the original preferences script and replace it with a wrapper that calls it
FFPREFS=/services/fbrw/bin/firefox_preferences
cp -v $FFPREFS ${FFPREFS}_bin
# Quoted EOF: "$@" is written literally and expanded only when the wrapper runs
cat > $FFPREFS <<"EOF"
#!/bin/bash
/services/fbrw/bin/firefox_preferences_bin "$@"
# Append the hardening prefs to user.js; a later user_pref line overrides an earlier one
echo 'user_pref("image.webp.enabled", false);
user_pref("media.ffvpx.enabled", false);
user_pref("media.ffvpx.mp3.enabled", false);
user_pref("media.ffvpx.opus.enabled", false);
user_pref("media.ffvpx.vorbis.enabled", false);
user_pref("media.ffvpx.wav.enabled", false);' >> ~user/.mozilla/firefox/browser0/user.js
EOF
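The custom command above only appends lines to user.js; it does not confirm that the profile actually ends up with every pref set to false (a later line in the file, for example from another customization, silently wins). The following check script is an added example and not IGEL's own tooling: it reads a user.js, looks up the last occurrence of each pref the custom command writes, and reports any pref that is missing or not set to false. The profile path in the usage comment is taken from the advisory; the sample user.js it builds when run without an argument is constructed here for illustration.

```shell
#!/bin/sh
# Added example (not part of the IGEL advisory): verify that a Firefox user.js
# carries every pref the ISN 2023-21 custom command appends, each set to false.
# Usage: ./check_prefs.sh ~user/.mozilla/firefox/browser0/user.js
# With no argument, a constructed sample file is checked instead.

# Prefs written by the advisory's custom command
REQUIRED_PREFS="image.webp.enabled media.ffvpx.enabled media.ffvpx.mp3.enabled media.ffvpx.opus.enabled media.ffvpx.vorbis.enabled media.ffvpx.wav.enabled"

# check_prefs FILE
# Prints one line per pref that is missing or whose last setting is not false.
# Returns 0 when every required pref is present and false, 1 otherwise.
check_prefs() {
    file="$1"
    rc=0
    for pref in $REQUIRED_PREFS; do
        # Escape the dots so they match literally in the extended regex
        esc=$(printf '%s' "$pref" | sed 's/\./\\./g')
        # Firefox applies user.js top to bottom, so the last matching line decides
        line=$(grep -E "^[[:space:]]*user_pref\(\"$esc\"," "$file" 2>/dev/null | tail -n 1)
        case "$line" in
            *"\"$pref\", false);"*|*"\"$pref\",false);"*) ;;
            "") printf 'MISSING   %s\n' "$pref"; rc=1 ;;
            *)  printf 'NOT FALSE %s -> %s\n' "$pref" "$line"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample (not a real profile): one pref left out (vorbis) and
# media.ffvpx.enabled re-enabled by a later line, so both failure modes show up.
make_sample() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
user_pref("image.webp.enabled", false);
user_pref("media.ffvpx.enabled", false);
user_pref("media.ffvpx.mp3.enabled", false);
user_pref("media.ffvpx.opus.enabled", false);
user_pref("media.ffvpx.wav.enabled", false);
user_pref("media.ffvpx.enabled", true);
EOF
    echo "$tmp"
}

if [ -n "${1:-}" ]; then target="$1"; else target=$(make_sample); fi
check_prefs "$target" && echo "OK: all hardening prefs present and set to false"
```

Run it on the real profile after the next reboot (the custom command runs at initialization) and treat any MISSING or NOT FALSE line as a sign that the mitigation did not take effect on that device.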
Update Instructions
- OS 12: IGEL is preparing an updated Chromium app for OS 12.
- OS 11: Update to IGEL OS 11.09.110 or newer.
References
- CVE-2023-5217: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5217