CVE-2023-4863 - Heap overflow in Chrome/libwebp
Summary
The Fortinet Product Security team has evaluated the impact of the following vulnerability in a library embedded in Google Chrome:
CVE-2023-4863: severity HIGH
Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.
https://nvd.nist.gov/vuln/detail/CVE-2023-4863
FortiClient and FortiClientEMS embed a Chrome browser (used for SAML authentication and for the administrative console application).
FortiSOAR uses Chrome on the backend to render reports.
libwebp is the library that decodes ".webp" images for the Chrome browser.
When Chrome renders a crafted WebP image that triggers the overflow, the resulting out-of-bounds heap write may let the attacker alter program execution.
The exposure differs by product: for the embedded FortiClient browser it is any page loaded during SAML authentication, while for FortiSOAR it is content that reaches the server-side report renderer.
To cause further damage beyond the renderer process, the attacker would additionally need to escape the Google Chrome sandbox.
Affected Products
FortiSOAR on-premise 7.6 all versions are not affected
FortiSOAR on-premise 7.5 all versions are not affected
FortiSOAR on-premise version 7.4.0
FortiSOAR on-premise version 7.3.0 through 7.3.1
FortiSOAR on-premise version 7.2.0 through 7.2.1
FortiSOAR on-premise 7.0 all versions
FortiSOAR on-premise 6.4 all versions
FortiClientWindows 7.4 all versions are not affected
FortiClientWindows version 7.2.0 through 7.2.2
FortiClientWindows version 7.0.0 through 7.0.10
FortiClientWindows 6.4 all versions
FortiClientMac 7.4 all versions are not affected
FortiClientMac version 7.2.0 through 7.2.4
FortiClientMac 7.0 all versions
FortiClientMac 6.4 all versions
FortiClientLinux 7.4 all versions are not affected
FortiClientLinux version 7.2.0 through 7.2.4
FortiClientLinux 7.0 all versions
FortiClientLinux 6.4 all versions
FortiClientEMS 7.4 all versions are not affected
FortiClientEMS version 7.2.0 through 7.2.1
FortiClientEMS version 7.0.0 through 7.0.10
FortiClientEMS 6.4 all versions
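The following is an added example, not part of this advisory and not Fortinet code: it screens an endpoint/server inventory against the affected version ranges listed under Affected Products above. The hostnames in the sample inventory are constructed for the example; the product names and ranges are transcribed from the list. Version strings are assumed to be MAJOR.MINOR.PATCH, and FortiSOAR "Security Patch" levels are not modeled.

```python
"""Screen a FortiClient / FortiSOAR inventory against the affected ranges in this advisory.

Added example (not Fortinet code). Product names and ranges are transcribed from the
Affected Products list; hosts in SAMPLE_INVENTORY are constructed for illustration.
"""
from typing import List, NamedTuple, Optional, Tuple


class Version(NamedTuple):
    major: int
    minor: int
    patch: int


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH'; anything else is rejected rather than guessed."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected MAJOR.MINOR.PATCH, got {text!r}")
    return Version(*(int(p) for p in parts))


# (lowest affected, highest affected); hi=None encodes "X.Y all versions".
AFFECTED = {
    "FortiSOAR": [
        (Version(7, 4, 0), Version(7, 4, 0)),
        (Version(7, 3, 0), Version(7, 3, 1)),
        (Version(7, 2, 0), Version(7, 2, 1)),
        (Version(7, 0, 0), None),
        (Version(6, 4, 0), None),
    ],
    "FortiClientWindows": [
        (Version(7, 2, 0), Version(7, 2, 2)),
        (Version(7, 0, 0), Version(7, 0, 10)),
        (Version(6, 4, 0), None),
    ],
    "FortiClientMac": [
        (Version(7, 2, 0), Version(7, 2, 4)),
        (Version(7, 0, 0), None),
        (Version(6, 4, 0), None),
    ],
    "FortiClientLinux": [
        (Version(7, 2, 0), Version(7, 2, 4)),
        (Version(7, 0, 0), None),
        (Version(6, 4, 0), None),
    ],
    "FortiClientEMS": [
        (Version(7, 2, 0), Version(7, 2, 1)),
        (Version(7, 0, 0), Version(7, 0, 10)),
        (Version(6, 4, 0), None),
    ],
}


def in_range(v: Version, lo: Version, hi: Optional[Version]) -> bool:
    """True if v falls in [lo, hi]; an open-ended range matches the whole X.Y train."""
    if hi is None:
        return (v.major, v.minor) == (lo.major, lo.minor) and v.patch >= lo.patch
    return lo <= v <= hi


def _fmt(v: Version) -> str:
    return f"{v.major}.{v.minor}.{v.patch}"


def affected_range(product: str, version: str) -> Optional[str]:
    """Return the matching affected range as text, or None if the build is not listed."""
    if product not in AFFECTED:
        raise ValueError(f"product not covered by this advisory: {product!r}")
    v = parse_version(version)
    for lo, hi in AFFECTED[product]:
        if in_range(v, lo, hi):
            if hi is None:
                return f"{lo.major}.{lo.minor} all versions"
            return f"{_fmt(lo)} through {_fmt(hi)}"
    return None


def triage(inventory: str) -> List[Tuple[str, str, str, str]]:
    """inventory: one 'hostname,product,version' per line; returns the affected hosts."""
    hits = []
    for line in inventory.strip().splitlines():
        host, product, version = [f.strip() for f in line.split(",")]
        rng = affected_range(product, version)
        if rng is not None:
            hits.append((host, product, version, rng))
    return hits


# Constructed sample inventory; hostnames are made up for this example.
SAMPLE_INVENTORY = """
ws-0142,FortiClientWindows,7.2.2
ws-0143,FortiClientWindows,7.2.3
mac-0007,FortiClientMac,7.0.9
ems-01,FortiClientEMS,7.4.0
soar-01,FortiSOAR,7.4.0
lnx-0003,FortiClientLinux,7.2.5
"""

if __name__ == "__main__":
    for host, product, version, rng in triage(SAMPLE_INVENTORY):
        print(f"AFFECTED {host} {product} {version} (range: {rng})")
```

The check follows the Affected Products list only; it does not model FortiSOAR Security Patch levels, so confirm the patch level named in the Solutions section by hand for FortiSOAR hosts.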
Solutions
Please upgrade to FortiClientWindows version 7.2.3 or above
Please upgrade to FortiClientWindows version 7.0.10 or above
Please upgrade to FortiClientLinux version 7.4.0 or above
Please upgrade to FortiClientLinux version 7.2.5 or above
Please upgrade to FortiClientMac version 7.4.0 or above
Please upgrade to FortiClientMac version 7.2.5 or above
Please upgrade to FortiClientEMS version 7.2.2 or above
Please upgrade to FortiClientEMS version 7.0.10 or above
Please upgrade to FortiSOAR version 7.4.1 Security Patch 3 or above
Please upgrade to FortiSOAR version 7.3.2 Security Patch 4 or above
Please upgrade to FortiSOAR version 7.2.2 Security Patch 9 or above