Support Request: Critical CVE-2023-5129 + CVE-2023-4863 in SiteKiosk

Description

The image library LibWebP, used in many applications, including all major browsers (Chrome, Edge, Firefox, ...) and a lot of other applications, has a major security vulnerability that can be triggered by simply displaying a malicious image. No user interaction is required, other than surfing to a website displaying such an image.

All browser vendors have released emergency updates within 2 days of publication of the CVE.

I noticed that SiteKiosk also contains a copy of the LibWebP library located under "C:\Program Files (x86)\SiteKiosk\SiteKioskNG\libwebp.dll".

Again, this is not only a browser issue, but all applications using the LibWebP library are affected and vulnerable if the latest version of the library is not used.

With the old SiteKiosk Windows client being EOL ... will there be an emergency update for the "Final Version" to address this security vulnerability? We are in no way ready to upgrade to the new server/cloud based version.

Answer: (2)

Re: Critical CVE-2023-5129 + CVE-2023-4863 in SiteKiosk 9/28/2023 1:46 PM
Hello,

Thank you for your comment. According to the information available to us, the Chromium CEF engine used to display the web pages is not affected and the DLL you found is only responsible for copying WebP images to the clipboard via the right mouse button.

If necessary, you can deactivate the context menu (>Start Page & Browser>Customize>Settings) or rename or delete the "libwebp.dll" under "C:\Program Files (x86)\SiteKiosk\SiteKioskNG\" (in the last case, only copying WebP images to the clipboard with the right mouse button does not work anymore).

However, it is also already under investigation and we are working on an update, which hopefully can be released as soon as possible. How long it takes depends on the tests (all functions must then always be tested).
In general, the risk of being attacked via a vulnerability from a website is also reduced if no free surfing is allowed, but only certain URLs can be accessed (surfing area).

Regards,
Michael Olbrich
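The workaround above leaves an administrator wanting to confirm, per kiosk, whether libwebp.dll is still present and which build it is. The following PowerShell check is an added example, not SiteKiosk's own code: it uses the path named in this thread, reports the DLL's file version and SHA-256, and compares the version against a placeholder minimum that must be taken from the vendor's release notes.

```powershell
<#
  Added example, not SiteKiosk's own code. Audits the libwebp.dll copy named in this
  thread: is it still present (vs. the rename/delete workaround), and which file version
  and SHA-256 it carries. $MinimumPatchedVersion is a PLACEHOLDER; take the real value
  from the vendor's release notes before relying on a "Patched" result.
#>
param(
    [string]  $SiteKioskPath         = 'C:\Program Files (x86)\SiteKiosk\SiteKioskNG',
    [version] $MinimumPatchedVersion = '0.0.0.0'   # PLACEHOLDER, 0.0.0.0 = not set
)

$dllPath = Join-Path -Path $SiteKioskPath -ChildPath 'libwebp.dll'

if (-not (Test-Path -LiteralPath $dllPath -PathType Leaf)) {
    # Absent: the rename/delete workaround is in place, or the install is non-standard.
    [pscustomobject]@{
        Path    = $dllPath
        Present = $false
        Status  = 'NotPresent (renamed/removed or non-standard install)'
    }
    return
}

$file = Get-Item -LiteralPath $dllPath
$vi   = $file.VersionInfo

# Build a [version] from the numeric parts; a DLL built without a version resource
# yields 0.0.0.0, which is reported as unknown rather than compared.
$fileVersion = [version]"$($vi.FileMajorPart).$($vi.FileMinorPart).$($vi.FileBuildPart).$($vi.FilePrivatePart)"
$hasVersion  = $fileVersion -ne [version]'0.0.0.0'
$baselineSet = $MinimumPatchedVersion -ne [version]'0.0.0.0'

if (-not $hasVersion) {
    $status = 'UnknownVersion (no version resource; compare SHA-256 with the vendor-supplied file)'
} elseif (-not $baselineSet) {
    $status = 'VersionFound (pass -MinimumPatchedVersion from the vendor release notes to evaluate)'
} elseif ($fileVersion -lt $MinimumPatchedVersion) {
    $status = 'Outdated (below the minimum patched version)'
} else {
    $status = 'Patched (at or above the minimum patched version)'
}

[pscustomobject]@{
    Path          = $dllPath
    Present       = $true
    FileVersion   = $(if ($hasVersion) { $fileVersion.ToString() } else { $null })
    LastWriteTime = $file.LastWriteTimeUtc
    Sha256        = (Get-FileHash -LiteralPath $dllPath -Algorithm SHA256).Hash
    Status        = $status
}
```

Run it with `-MinimumPatchedVersion` set to the version the vendor publishes for the fixed DLL; the SHA-256 lets a fleet of kiosks be compared against the single file shipped in the vendor's update package.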

Re: Critical CVE-2023-5129 + CVE-2023-4863 in SiteKiosk 10/4/2023 3:50 PM
Hello,

The included Chromium CEF engine from SiteKiosk Classic is affected by the WebP vulnerability.

We have updated the engine which you can now download from our version history page https://www.sitekiosk.com/eu/sitekiosk-classic-windows-version-history/ or directly from https://www.sitekiosk.com/download/SiteKioskWindowsClassic_ChromiumCEF.zip. Make sure to follow the included readme file for installation instructions.

A full installer for SiteKiosk Online with the new engine and an updated DLL will be available when all tests for a release version are finished in a few days.