Marcin “Icewall” Noga of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Executive summary

The WebKit browser engine contains multiple vulnerabilities in various functions of the software. Malicious web page code could trigger multiple use-after-free errors, which could lead to remote and arbitrary code execution. An attacker could exploit these vulnerabilities by tricking the user into visiting a specially crafted, malicious web page in a browser that uses WebKit.

In accordance with our coordinated disclosure policy, Cisco Talos worked with WebKit to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

WebKit WebSocket code execution vulnerability (TALOS-2020-1155/CVE-2020-13543)

A code execution vulnerability exists in the WebSocket functionality of WebKit WebKitGTK 2.30.0. A specially crafted web page can trigger a use-after-free vulnerability, which can lead to remote code execution. An attacker can get a user to visit a web page to trigger this vulnerability.

For more information on this vulnerability, read the complete advisory here.

WebKit ImageDecoderGStreamer use-after-free vulnerability (TALOS-2020-1195/CVE-2020-13584)

An exploitable use-after-free vulnerability exists in WebKitGTK browser version 2.30.1 x64. A specially crafted HTML web page can cause a use-after-free condition, resulting in remote code execution. The victim needs to visit a malicious web site to trigger this vulnerability.

For more information on this vulnerability, read the complete advisory here.

Versions tested

Talos tested and confirmed that WebKit WebKitGTK version 2.30.0 is affected by TALOS-2020-1155. TALOS-2020-1172 and TALOS-2020-1195 affect version 2.30.1.

Coverage

The following SNORT® rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 55844, 55845, 56126, 56127, 56379 - 56382