WhatsApp discloses critical vulnerability in older app versionsWhatsApp discloses critical vulnerability in older app versionsWhatsApp discloses critical vulnerability in older app versions

The bug, which has been patched in newer versions of the app, would let an attacker execute malicious code after sending a specially crafted video call

WhatsApp has published details of a “critical” vulnerability that has been patched in a newer version of the app but could still affect older installations that have not been updated.

Details were disclosed in a September update of WhatsApp’s page on security advisories affecting the app and came to light on September 23rd.

The critical bug would allow an attacker to exploit a code error known as an integer overflow, letting them execute their own code on a victim’s smartphone after sending a specially crafted video call. Remote code execution vulnerabilities are a key step in installing malware, spyware, or other malicious applications on a target system, as they give attackers a foot in the door that can be used to further compromise the machine using techniques like privilege escalation attacks.

The recently disclosed vulnerability has been assigned the identification number CVE-2022-36934 in the national vulnerability database and given a severity score of 9.8 out of 10 on the CVE scale. This equates to the highest possible threat level: “critical.”

In the same security advisory update, WhatsApp also shared details of another vulnerability — CVE-2022-27492 — that would let attackers execute code after sending a malicious video file. This vulnerability was scored 7.8 out of 10, or a severity level of “high.”

Both of these vulnerabilities are patched in recently updated versions of WhatsApp and should already be fixed in any installation of the app that is set to automatically update (the default setting on most phones). According to the security advisory, the vulnerabilities affect:

  • WhatsApp for Android prior to v2.22.16.12
  • WhatsApp Business for Android prior to v2.22.16.12
  • WhatsApp for iOS prior to v2.22.16.12
  • WhatsApp Business for iOS prior to v2.22.16.12

Besides protecting against possible hacking exploits, there are more reasons to keep your WhatsApp installation updated. On Monday, the company announced that it was rolling out a new feature that will let users share a one-click link to join a group call and also testing the implementation of 32-person encrypted video chats.

WhatsApp Security Advisories

2022 Updates

September Update

CVE-2022-36934

An integer overflow in WhatsApp for Android prior to v2.22.16.12, Business for Android prior to v2.22.16.12, iOS prior to v2.22.16.12, Business for iOS prior to v2.22.16.12 could result in remote code execution in an established video call.

CVE-2022-27492

An integer underflow in WhatsApp for Android prior to v2.22.16.2, WhatsApp for iOS v2.22.15.9 could have caused remote code execution when receiving a crafted video file.


February Update

CVE-2021-24043

A missing bound check in RTCP flag parsing code prior to WhatsApp for Android v2.21.23.2, WhatsApp Business for Android v2.21.23.2, WhatsApp for iOS v2.21.230.6, WhatsApp Business for iOS 2.21.230.7, and WhatsApp Desktop v2.2145.0 could have allowed an out-of-bounds heap read if a user sent a malformed RTCP packet during an established call.


January Update

CVE-2021-24042

The calling logic for WhatsApp for Android prior to v2.21.23, WhatsApp Business for Android prior to v2.21.23, WhatsApp for iOS prior to v2.21.230, WhatsApp Business for iOS prior to v2.21.230, WhatsApp for KaiOS prior to v2.2143, WhatsApp Desktop prior to v2.2146 could have allowed an out-of-bounds write if a user makes a 1:1 call to a malicious actor.

Leave a Reply

Your email address will not be published. Required fields are marked *

DigitalOcean Referral Badge