
CVE-2023-4863

CVE: CVE-2023-4863
Advisory Summary: libwebp buffer overflow leading to code execution in Command Client
Products or Components: Command Client
Addressed in Release: Command Client 2.18.0 and higher, 2.17.2 and 2.16.3
Severity: Critical
Ticket: SV-96

Description

A vulnerability in libwebp allows a heap buffer overflow, which may lead to code execution, when a malicious WebP image is decoded.

We do not use libwebp directly in our products, but Command Client embeds CefSharp 99.2.140, a Chromium-based embedded browser, which statically links libwebp 1.2.2, a version affected by the issue (fixed in CefSharp 116.0.230, which includes libwebp 1.3.2).

Command Client renders web pages for the following functions:

  • Integration with the Evidence Vault cloud service (since Command 2.11).
  • Rendering the info page configured for a recorder (since Command 2.13). Usually this page contains user-configurable information such as emergency phone numbers and emergency procedures.
  • Integration with Searchlight Cloud service (since Command 2.15).
  • Access to the SAML identity provider endpoint (since Command 2.17).

All these functions must be configured from Command by a user holding the required configuration rights, and any of them may be used to point CefSharp at a page that embeds a malicious WebP image.
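To make the attack surface concrete, the following is an added example, written for this page and not code from March Networks, CefSharp or libwebp, that walks a WebP file's RIFF container and reports whether it carries a VP8L (lossless) bitstream. CVE-2023-4863 is a heap buffer overflow in libwebp's lossless decoder, in the construction of its Huffman tables, so a file that contains only a lossy "VP8 " chunk never reaches the affected code, while any "VP8L" chunk (including one wrapped by an extended "VP8X" header) does. The walker only parses the container and never decodes pixels, so it can be run on untrusted content. The sample byte strings at the bottom are constructed here and are not real images; only the VP8L header bytes are meaningful.

```python
import struct

# CVE-2023-4863 lives in libwebp's lossless (VP8L) decoder, in Huffman table construction.
# This walker only parses the RIFF container: it never decodes pixels, so it is safe to run
# on untrusted input, and it tells you whether decoding would enter the VP8L code path.
# Layout: "RIFF" <u32 LE size> "WEBP" then chunks of <fourcc> <u32 LE size> <payload, padded to even>.

def parse_webp_chunks(data: bytes) -> list:
    """Return [(fourcc, payload), ...] for a WebP file, raising ValueError on a malformed container."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a RIFF/WebP file")
    riff_size = struct.unpack_from("<I", data, 4)[0]   # bytes following the 8-byte RIFF header
    end = 8 + riff_size
    if end > len(data):
        raise ValueError("truncated RIFF container")
    pos, chunks = 12, []
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4].decode("ascii", "replace")
        size = struct.unpack_from("<I", data, pos + 4)[0]
        start = pos + 8
        if start + size > end:
            raise ValueError(f"chunk {fourcc!r} overruns the container")
        chunks.append((fourcc, data[start:start + size]))
        pos = start + size + (size & 1)              # chunk payloads are padded to even length
    return chunks

def classify_webp(data: bytes) -> dict:
    """Summarise which bitstream(s) the file carries and whether the lossless decoder would run."""
    chunks = parse_webp_chunks(data)
    kinds = [fourcc for fourcc, _ in chunks]
    info = {
        "chunks": kinds,
        "extended": "VP8X" in kinds,
        "lossless": "VP8L" in kinds,
        "reaches_vulnerable_decoder": "VP8L" in kinds,
    }
    if info["lossless"]:
        payload = dict(chunks)["VP8L"]
        # VP8L header: signature byte 0x2F, then 14 bits width-1, 14 bits height-1, 1 alpha bit, 3 version bits
        if len(payload) >= 5 and payload[0] == 0x2F:
            bits = struct.unpack_from("<I", payload, 1)[0]
            info["width"] = (bits & 0x3FFF) + 1
            info["height"] = ((bits >> 14) & 0x3FFF) + 1
            info["alpha"] = bool((bits >> 28) & 1)
            info["vp8l_version"] = (bits >> 29) & 0x7
    return info

def build_webp(chunks: list) -> bytes:
    """Assemble a RIFF/WebP container from (fourcc, payload) pairs (used here only to construct samples)."""
    body = b"WEBP"
    for fourcc, payload in chunks:
        body += fourcc + struct.pack("<I", len(payload)) + payload + (b"\x00" if len(payload) & 1 else b"")
    return b"RIFF" + struct.pack("<I", len(body)) + body

# Constructed samples, not real images: only the VP8L header bytes are meaningful (16x10, no alpha, version 0).
VP8L_HEADER = bytes([0x2F]) + struct.pack("<I", (16 - 1) | ((10 - 1) << 14))
SAMPLE_LOSSY = build_webp([(b"VP8 ", b"\x00" * 10)])                      # lossy only: VP8L code never runs
SAMPLE_LOSSLESS = build_webp([(b"VP8L", VP8L_HEADER + b"\x00" * 3)])      # lossless: enters the VP8L decoder
SAMPLE_EXTENDED = build_webp([(b"VP8X", b"\x00" * 10),
                              (b"VP8L", VP8L_HEADER + b"\x00" * 3)])      # VP8X-wrapped lossless

if __name__ == "__main__":
    for name, sample in [("lossy", SAMPLE_LOSSY), ("lossless", SAMPLE_LOSSLESS), ("extended", SAMPLE_EXTENDED)]:
        print(name, classify_webp(sample))
```

A VP8L chunk is a triage signal, not proof of a malicious file: lossless WebP is common and legitimate. The check is useful for inspecting content served by a Command Enterprise Software instance or a recorder info page, or for deciding whether an unpatched client should be allowed to render a given resource while the upgrade is pending.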

Impact

A rogue service posing as Command Enterprise Software may be configured to serve a malicious WebP image through one of the functions listed in the Description.

Affected versions of Command Client may render the image, giving the attacker access to the system on which Command Client runs, exposing its file system and allowing execution of malicious code. Such access is limited to the rights of the user who launched Command Client.

Mitigations

The impact of the vulnerability may be mitigated if the network infrastructure is protected against rogue services impersonating Command Enterprise Software and against man-in-the-middle attacks.

A closed network infrastructure is protected from attacks coming from outside; for attacks that may arise from inside, the risk can be mitigated by using 802.1X certificate-based authentication, supported in our solution, to control access to the network.

Solution

Upgrade Command Client to a release with the fix. Releases are available for download from the March Networks website or from the March Networks Partner Portal.

Upgrading Command Enterprise Software to at least 2.18 automatically enforces the use of the corresponding client release.

On our Partner Portal, customers using Command Enterprise Software 2.16 or 2.17 will find Command Client 2.16 and 2.17 installers with the fix that can be used to update client workstations. Server-side installers to update Command Enterprise 2.16 and 2.17 deployments are also available, so that the fixed Command Client can be distributed automatically and directly from Command Enterprise.

Customers using Command Enterprise Software 2.15 and below may use any Command Client installer with the fix, since the fixed clients are backward compatible and do not require any update to Command Enterprise or to any other service or device.
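Because the fix was released on three branches, an inventory or scanner rule that only tests "version at least 2.18.0" would wrongly flag the patched 2.16.3 and 2.17.2 clients. The following is an added example, not March Networks' own tooling, of a branch-aware check that encodes the fixed releases named in the "Addressed in Release" line of this advisory; it assumes that any later patch level on the same maintenance branch keeps the fix. The hostnames and version strings in the sample inventory are constructed.

```python
# Fixed releases per this advisory: 2.18.0 and higher, 2.17.2 and 2.16.3.  Assumption
# (not stated on the page): later patch levels on the 2.16 and 2.17 branches keep the fix.
# Comparing within the maintenance branch avoids flagging 2.16.3 / 2.17.2 as vulnerable.
FIXED_MIN_BY_BRANCH = {(2, 16): (2, 16, 3), (2, 17): (2, 17, 2)}
FIXED_MAINLINE = (2, 18, 0)

def parse_version(v: str) -> tuple:
    """Normalise 'major.minor[.patch[.build]]' to a (major, minor, patch) tuple; the build field is ignored."""
    parts = v.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = tuple(int(p) for p in parts)
    return (nums + (0, 0, 0))[:3]

def fixed_target(version: tuple) -> tuple:
    """The lowest fixed release on the branch the given version belongs to."""
    return FIXED_MIN_BY_BRANCH.get(version[:2], FIXED_MAINLINE)

def is_fixed(v: str) -> bool:
    """True if this Command Client release carries the libwebp fix."""
    ver = parse_version(v)
    return ver >= fixed_target(ver)

def triage(installed: dict) -> list:
    """installed: {hostname: version string}.  Returns (host, version, target release) for exposed hosts."""
    findings = []
    for host, ver in installed.items():
        if not is_fixed(ver):
            target = ".".join(str(n) for n in fixed_target(parse_version(ver)))
            findings.append((host, ver, target))
    return findings

# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = {
    "ws-lobby-01": "2.17.2",    # patched on the 2.17 branch
    "ws-lobby-02": "2.17.1",    # needs 2.17.2
    "ws-control-01": "2.16.3",  # patched on the 2.16 branch
    "ws-control-02": "2.16.1",  # needs 2.16.3
    "ws-legacy-01": "2.15.4",   # no fixed 2.15 release: install a fixed client, 2.18.0 is the reference
    "ws-new-01": "2.18.0",      # fixed
}

if __name__ == "__main__":
    for host, ver, target in triage(SAMPLE_INVENTORY):
        print(f"{host}: Command Client {ver} is exposed, upgrade to {target} or later")
```

For deployments on 2.15 and below the target reported is 2.18.0 only as a reference point; per the Solution above, any Command Client installer carrying the fix is acceptable there, since the fixed clients are backward compatible.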

Additional Note

Some security scanners may report the Node.js sharp package in Command Enterprise Software as affected by this vulnerability. That package is a leftover of the Web Client development environment and is not actively used by Command Enterprise Software or any of our clients, so it does not represent a real security vulnerability. It will be removed in the next Web Client release, which can be installed separately as a Command Enterprise application.

Downloads

All of our supported software releases are also available on the March Networks Partner Portal here: https://partners.marchnetworks.com/support/command-software/command-client/

Revision

December 21, 2023 – Initial public report

Disclaimer

March Networks’ assessment of this security vulnerability is contingent on the March Networks products being updated to the recommended release and/or security patch level and on the system having been deployed and configured in accordance with March Networks security recommendations and industry best practices. IT IS THE CUSTOMER’S RESPONSIBILITY TO EVALUATE THE EFFECT OF ANY SECURITY VULNERABILITY. A failure to update March Networks products and/or to follow March Networks recommendations or industry best practices may increase the risk associated with a security vulnerability.

March Networks follows industry leading practices in addressing security vulnerabilities in our products. While March Networks cannot guarantee that our products will be free from security vulnerabilities, we are committed to providing updates and security fixes, for our supported products, if and when a high security vulnerability is determined to affect March Networks products.
