WhatsApp silently fixed two critical zero-day vulnerabilities that affect both Android & iOS versions allowing attackers to execute an arbitrary code remotely.
Facebook-owned messenger WhatsApp is one of the Top-ranked Messenger apps with more than Billion users around the world in both Android and iPhone.
Both vulnerabilities are marked under “critical” severity with a CVE Score of 10/10 and found by the WhatsApp internal security Team.
Simplifying these following vulnerabilities, Whatsapp could cause your device to be hacked by receiving a Video File or When on a Video call.
CVE-2022-36934 – Integer Overflow Bug
An Integer overflow bug that affects WhatsApp allows attackers to execute the specially crafted arbitrary code during an established Video call without any sort of user interaction.
An integer overflow also know as “wraparound” occurs when an integer value is incremented to a value that is too large to store in the associated representation.
This RCE bug affects an unknown code of the WhatsApp component Video Call Handler, which allows an attacker to manipulate the bug to trigger a heap-based buffer overflow and take complete control of WhatsApp Messenger.
“A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().”
Hackers can take advantage of this remote code execution vulnerability to deploy the malware on the user’s device to steal sensitive files and also used for surveillance purposes.
According to WhatsApp Advisory “An integer overflow in WhatsApp for Android prior to v220.127.116.11, Business for Android prior to v18.104.22.168, iOS prior to v22.214.171.124, Business for iOS prior to v126.96.36.199 could result in remote code execution in an established video call.”
CVE-2022-27492 – Integer Underflow Bug
An Integer Underflow vulnerability (CVE-2022-27492) allows attackers to execute the arbitrary code remotely, and user interaction is required to exploit this bug successfully.
“Integer underflow” is sometimes used to identify signedness errors in which an originally positive number becomes negative as a result of subtraction. However, there are cases of bad subtraction in which unsigned integers are involved, so it’s not always a signedness issue.
This issue affects an unknown code block of the component Video File Handler. The manipulation with an unknown input leads to a memory corruption vulnerability.
According to the WhatsApp advisory “An integer underflow in WhatsApp for Android prior to v188.8.131.52, WhatsApp for iOS v184.108.40.206 could have caused remote code execution when receiving a crafted video file.”
To exploit this vulnerability, attackers drop a crafted video file on the user’s WhatsApp messenger. The successful execution with the help of user interaction let hackers gain complete access to the messenger and steal sensitive data from your mobile device.
Whatsapp fixed the bugs and released a security advisory for 2 vulnerabilities that affects both Android & iOS version of Following:
- Android prior to v220.127.116.11
- Business for Android prior to v18.104.22.168
- iOS prior to v22.214.171.124
- Business for iOS prior to v126.96.36.199
- Android prior to v188.8.131.52
- iOS v184.108.40.206
So far, no technical details are available for these critical WhatsApp Vulnerabilities, and an exploit is not available at this moment. As 0-day the estimated underground price was around $5k-$25k per vulnerability.
A spokesperson from WhatsApp told GBHackers that there is no evidence found for these vulnerabilities that have been exploited.
“WhatsApp is constantly working to improve the security of our service. We make public, reports on potential issues we have fixed consistently with industry best practices. In this instance, there is no reason to believe users were impacted.”
Users are advised to update the latest version of WhatsApp Messenger to prevent your devices from these critical RCE bugs.