libwebp security vulnerability and computational scientists
Recently, a major security vulnerability (CVE-2023-5129) has been
found in libwebp, an image decoding library for the .webp format.
This is major, since this library is embedded in many apps and web
browsers and allows remote code execution just by opening a file. For
computational scientists, there is still some impact - and it’s harder
to compensate for. In short, just by processing an image in the .webp
format, someone can take over your computer or session.
libwebp is the current issue, but the problem is general:
computational scientists often create software environments and use
them for a long
time. These environments aren’t usually browsing the web (the most
likely attack vector here), but they do involve lots of code installed
from different projects. How does one manage security in this case?
This post may be updated
How it affects scientists
If you use web browsers or apps on your own desktops, laptops, phones, etc. - make sure update them!
If you don’t use images in your research, there probably isn’t much impact.
If you do, this is what could happen:
You make a Python / Anaconda environment which uses libwebp somehow - directly installed through Conda, or some other application.
You download a dataset containing images. You process them as part of your research with the old environment.
The malicious image runs an exploit. It has access to your whole user account on that computer: extract any data, add SSH keys for remote access, corrupt/delete data (which might not be backed up from the cluster…).
Many things have to happen here, but it’s very possible for it to happen. You could lose access to non-backed up data or code or other confidential or sensitive data could be compromised, since code from one project from your user account has access to all projects from your account.
One would normally fix things by updating software. But when you are dealing with a research environment that can’t easily be updated, what should you do? This is the real question here.
What to do
It’s a multi-layered problem, and the answer will depend on your work. libwebp is what we are thinking about now, but the problem is general: there are other security problems that occasionally come up that can affect more scientific code. How do you prepare for next time?
Update your environments (conda, virtualenv, etc). You could try to see if
libwebpis inside of them (conda list | grep webp), but especially for Pip packages it might not be apparent.Make your environments reproducible: If you define your dependencies in
requirements.txt(Python),environment.yml(conda), or whatever is suitable for your language, you can easily re-generate environments to bring everything up to date. (delete old one, re-create).If you pin versions of dependencies (like
numpy==1.20.0), it’s possible it can pull in older versions of other dependencies.Containerize your workflows. If code runs inside of a container, it keeps it isolated from the rest of the operating system and user account. (but containers aren’t usually designed for strict security, but it’s better than nothing).
If you use pre-built modules on the cluster, try not to use old versions. We’ll update some recent modules, but we can’t update all of the old ones. At least
webpis in the defaultanacondamodules.If you write or maintain software in general, keep it up to date as much as reasonable! Don’t make others get into a place where they are having to use old versions of libraries to make it work.
In general, think about your dependencies. Be at least a little bit suspicious before you install random other software, that may possibly pull in lots of other dependencies. Of course, as a researcher, you may not have much choice.
Updating your environments
These commands seem to be able to update an environment to a newer
libwebp. It seems to work on newer environments, but we don’t know
for sure. Instead of mamba, conda in theory works but is to
slow it may not be practical:
$ mamba env export > environment.,yml
$ perl -i -pe 's/(libwebp(-base)?)=.*$/\1=1.3.2/g' environment.yml
$ mamba env update -f environment.yml
Summary
There is a major security vulnerability in libwebp. While the
impact on computational scientists may not be that much, a bigger
issue is the difficulty of keeping all of the environments up to date
so that next time this happens, it’s easier to respond.
We hope to have more security recommendations for computational scientists in the future. If anyone is interested in collaborating on this, let us know.
Aside: What’s affected?
Common apps which embed Chrome or libwebp: Chrome, Firefox, VSCode, Zulip, Slack, Discord… things that use Electron to embed a web browser are affected, and that’s many things.