The bug, which has been patched in newer versions of the app, would let an attacker execute malicious code after sending a specially crafted video call
WhatsApp has published details of a “critical” vulnerability that has been patched in a newer version of the app but could still affect older installations that have not been updated.
Details were disclosed in a September update of WhatsApp’s page on security advisories affecting the app and came to light on September 23rd.
The critical bug would allow an attacker to exploit a code error known as an integer overflow, letting them execute their own code on a victim’s smartphone after sending a specially crafted video call. Remote code execution vulnerabilities are a key step in installing malware, spyware, or other malicious applications on a target system, as they give attackers a foot in the door that can be used to further compromise the machine using techniques like privilege escalation attacks.
The recently disclosed vulnerability has been assigned the identification number CVE-2022-36934 in the national vulnerability database and given a severity score of 9.8 out of 10 on the CVE scale. This equates to the highest possible threat level: “critical.”
In the same security advisory update, WhatsApp also shared details of another vulnerability — CVE-2022-27492 — that would let attackers execute code after sending a malicious video file. This vulnerability was scored 7.8 out of 10, or a severity level of “high.”
Both of these vulnerabilities are patched in recently updated versions of WhatsApp and should already be fixed in any installation of the app that is set to automatically update (the default setting on most phones). According to the security advisory, the vulnerabilities affect:
- WhatsApp for Android prior to v220.127.116.11
- WhatsApp Business for Android prior to v18.104.22.168
- WhatsApp for iOS prior to v22.214.171.124
- WhatsApp Business for iOS prior to v126.96.36.199
Besides protecting against possible hacking exploits, there are more reasons to keep your WhatsApp installation updated. On Monday, the company announced that it was rolling out a new feature that will let users share a one-click link to join a group call and also testing the implementation of 32-person encrypted video chats.
WhatsApp Security Advisories
An integer overflow in WhatsApp for Android prior to v188.8.131.52, Business for Android prior to v184.108.40.206, iOS prior to v220.127.116.11, Business for iOS prior to v18.104.22.168 could result in remote code execution in an established video call.
An integer underflow in WhatsApp for Android prior to v22.214.171.124, WhatsApp for iOS v126.96.36.199 could have caused remote code execution when receiving a crafted video file.
A missing bound check in RTCP flag parsing code prior to WhatsApp for Android v188.8.131.52, WhatsApp Business for Android v184.108.40.206, WhatsApp for iOS v220.127.116.11, WhatsApp Business for iOS 18.104.22.168, and WhatsApp Desktop v2.2145.0 could have allowed an out-of-bounds heap read if a user sent a malformed RTCP packet during an established call.
The calling logic for WhatsApp for Android prior to v2.21.23, WhatsApp Business for Android prior to v2.21.23, WhatsApp for iOS prior to v2.21.230, WhatsApp Business for iOS prior to v2.21.230, WhatsApp for KaiOS prior to v2.2143, WhatsApp Desktop prior to v2.2146 could have allowed an out-of-bounds write if a user makes a 1:1 call to a malicious actor.