WhatsApp’s September security update fixes two high-severity flaws that could result in remote code execution. The flaws affect WhatsApp and WhatsApp Business versions before 18.104.22.168 in iOS and Android operating systems.
To see which version is currently used:
- Open WhatsApp
- Go to Options –> Settings –> Help
- From there, click App Info and see the version.
Details of the Vulnerabilities
The critical integer overflow vulnerability, tracked as CVE-2022-36934, has a CVSS score of 9.8 and is exploited by simply participating in video calls.
When an integer is given a value too large to store in allocated memory space, this results in an integer overflow.
MalwareBytes explains, “By writing a larger value into the memory, an attacker could overwrite other parts of the system memory and abuse that ability to remotely execute code.”
The second mentioned flaw in an update, CVE-2022-27492 (CVSS score: 7.8), is an integer underflow vulnerability that occurs because the value is too small, contrary to an overflow. This could also make way for remote code execution when the user receives a specially crafted video file.
Integer overflow and underflow exploits can be used to produce unwanted behavior, such as unexpected crashes, memory corruption, and code execution.
WhatsApp did not provide more details on the flaws. However, cybersecurity company Malwarebytes reported that CVE-2022-36934 impacts the Video Call Handler component, while CVE-2022-27492 affects the Video File Handler component.
There is no proof that the flaws have been used in the wild.
Versions 22.214.171.124 and 126.96.36.199, respectively, for iOS and Android, have been released to fix the issue in Whatsapp.
Valuable Attack Vector for Threat Actors
Threat actors may find WhatsApp vulnerabilities a valuable attack vector when installing malicious software on infected devices.
Recent years have seen instances of WhatsApp zero-days infecting smartphones with malware. WhatsApp has even sued Israeli spyware company NSO Group because of infecting users’ phones.
The business that buys vulnerabilities, Zerodium, is now offering up to $1 million for WhatsApp exploits that lead to remote code execution and local privilege escalation and up to $1.5 million if the attack doesn’t involve user interaction.