Is Nexthink affected by the vulnerabilities in libwebp and libvpx?

Question

Is Nexthink affected by the vulnerabilities in libwebp and libvpx?

Answer

No, Nexthink is not impacted. We reviewed our source code, Software Composition Analysis (SCA) reports and Software Bills of Materials (SBOMs), and confirmed that the libwebp and libvpx libraries are neither used by nor bundled with the Nexthink Experience and Infinity cloud platform or the client-side components (Collector, etc.). The platform allows Nexthink users to upload images in certain formats, but WebP is not among them.
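An upload allow-list of the kind described above only holds if it is enforced on the file content rather than on the file name or the client-supplied content type, because a WebP file renamed to `.png` still reaches the image decoder as WebP. The following Python is an added illustration of that check and is not Nexthink code; the endpoint, the allow-list and the sample headers are assumptions. It identifies WebP by its RIFF container header (`RIFF`, a little-endian size, `WEBP`, then a `VP8 `/`VP8L`/`VP8X` chunk tag) and rejects any upload whose sniffed format is not on the allow-list or disagrees with its extension.

```python
from typing import Optional, Tuple

# WebP files are RIFF containers: "RIFF", a little-endian u32 payload size,
# the form type "WEBP", then a first chunk tagged "VP8 " (lossy),
# "VP8L" (lossless) or "VP8X" (extended).
WEBP_CHUNK_TAGS = (b"VP8 ", b"VP8L", b"VP8X")

# Magic bytes for the formats this hypothetical upload endpoint allows.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def is_webp(data: bytes) -> bool:
    """True if the bytes carry a WebP container header (checked by content)."""
    return (
        len(data) >= 16
        and data[0:4] == b"RIFF"
        and data[8:12] == b"WEBP"
        and data[12:16] in WEBP_CHUNK_TAGS
    )


def sniff_image(data: bytes) -> Optional[str]:
    """Identify the image format from its leading bytes, ignoring the file name."""
    if is_webp(data):
        return "webp"
    for kind, magics in MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None


def check_upload(filename: str, data: bytes,
                 allowed: Tuple[str, ...] = ("png", "jpeg", "gif")) -> Tuple[bool, str]:
    """Accept only when the sniffed content is on the allow-list and the
    extension agrees with it. Returns (accepted, reason-or-kind)."""
    kind = sniff_image(data)
    if kind is None:
        return False, "unrecognised image content"
    if kind not in allowed:
        return False, f"content is {kind}, not in allow-list"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = {"jpg": "jpeg"}.get(ext, ext)
    if ext != kind:
        return False, f"extension .{ext} does not match content {kind}"
    return True, kind


# Constructed sample headers (not real images): just enough bytes for the checks.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 12
WEBP_SAMPLE = b"RIFF" + (20).to_bytes(4, "little") + b"WEBP" + b"VP8 " + b"\x00" * 8

if __name__ == "__main__":
    for name, blob in [("photo.png", PNG_SAMPLE), ("photo.png", WEBP_SAMPLE),
                       ("pic.jpg", JPEG_SAMPLE), ("pic.jpg", PNG_SAMPLE)]:
        print(name, check_upload(name, blob))
```

The second case, a WebP header inside a file named `photo.png`, is the one an extension-only filter lets through; sniffing the container header stops it before any decoder sees the bytes.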

Background

Heap buffer overflow vulnerabilities were discovered in libwebp and libvpx and rated CVSS 8.8 (high severity); both are actively exploited in the wild. Processing a malicious WebP image with libwebp, or crafted VP8 video data with libvpx, can crash the application. In the case of libwebp, the overflow has also been used to achieve Remote Code Execution.

Related CVEs:

  • CVE-2023-41064: Apple's own advisory for the same bug in ImageIO, published on September 7th. This is the CVE used in the BLASTPASS attack chain.

  • CVE-2023-4863: The initial libwebp vulnerability, published on September 12th, one day after Chrome was patched.

  • CVE-2023-5129: A duplicate created on September 25th to make clear that the impact was not limited to Chrome but applied to libwebp itself; it was later rejected in favour of CVE-2023-4863.

  • CVE-2023-5217: A similar heap buffer overflow in libvpx, published on September 28th.

How is Nexthink protecting its products against vulnerabilities like this?

We use Software Composition Analysis tools that alert developers as soon as a patch for one of their code dependencies becomes available. As part of the quality checks a code change must pass before it can be released, we also verify that the available patches have been applied.
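The SBOM review described in the answer above can be reproduced against your own inventory. The following Python is an added example, not Nexthink's tooling; the CycloneDX document it parses is constructed inline and the fixed versions come from the upstream releases for the two CVEs (libwebp 1.3.2 for CVE-2023-4863, libvpx 1.13.1 for CVE-2023-5217). It matches components by name or by package URL, including distribution packages that carry a soname suffix such as `libwebp7`, and reports each one as affected, fixed or unknown-version.

```python
import json
import re
from typing import Dict, List, Tuple

# Upstream releases that fix the CVEs discussed on this page.
FIXED: Dict[str, Tuple[str, str]] = {
    "libwebp": ("1.3.2", "CVE-2023-4863"),
    "libvpx": ("1.13.1", "CVE-2023-5217"),
}
# Distribution packages add a soname suffix (libwebp7, libvpx7), so match on the stem.
NAME_RE = re.compile(r"^(libwebp|libvpx)\d*$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Reduce '1.2.4-0.2+deb12u1' to (1, 2, 4); missing parts count as 0."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def component_name(comp: dict) -> str:
    """Prefer the purl name ('pkg:deb/debian/libwebp7@1.2.4' -> 'libwebp7')."""
    purl = comp.get("purl", "")
    if purl:
        return purl.split("@", 1)[0].rsplit("/", 1)[-1].lower()
    return comp.get("name", "").lower()


def triage_sbom(sbom: dict) -> List[dict]:
    """Flag every libwebp/libvpx component in a CycloneDX JSON SBOM."""
    findings = []
    for comp in sbom.get("components", []):
        name = component_name(comp)
        match = NAME_RE.match(name)
        if not match:
            continue
        fixed_version, cve = FIXED[match.group(1)]
        version = comp.get("version", "")
        if not version:
            status = "unknown-version"
        elif parse_version(version) >= parse_version(fixed_version):
            status = "fixed"
        else:
            status = "affected"
        findings.append({"name": name, "version": version, "cve": cve,
                         "fixed_in": fixed_version, "status": status})
    return findings


# Constructed sample SBOM (CycloneDX 1.5 JSON); not a real product inventory.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libwebp", "version": "1.2.4",
     "purl": "pkg:generic/libwebp@1.2.4"},
    {"type": "library", "name": "libvpx7", "version": "1.12.0-1",
     "purl": "pkg:deb/debian/libvpx7@1.12.0-1?arch=amd64"},
    {"type": "library", "name": "libvpx", "version": "1.13.1"},
    {"type": "library", "name": "zlib", "version": "1.3"},
    {"type": "library", "name": "libwebp7"}
  ]
}
""")

if __name__ == "__main__":
    for finding in triage_sbom(SAMPLE_SBOM):
        print(finding)
```

Two caveats apply when reading the output. A plain version comparison is a screen, not a verdict: distributions frequently backport the fix without bumping the upstream version string, so a component reported as affected still has to be checked against the distribution's advisory. And a component that bundles its own copy of libwebp or libvpx statically (browser engines and image-processing libraries commonly do) will not appear as a separate SBOM entry unless the SBOM was generated to that depth, which is why the answer above combines SBOM review with source and SCA review rather than relying on the SBOM alone.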

We scan the Nexthink corporate network and supply chain for missing patches to OS libraries, browsers and other applications.

Nexthink has achieved various security and privacy certifications for the cloud platform.
