
WhatsApp Call of Doom...(or CVE-2019-3568 if you prefer...)


As you may have heard, a significant vulnerability was recently discovered in the ever-popular WhatsApp messaging service. The flaw can be abused to inject malware into a user's device and, to make matters worse, it can be triggered without user interaction: it only requires a maliciously crafted call to be made (oh...you don't even need to answer either).

The flaw has been reported as a buffer overflow vulnerability triggered by packets injected at the start of a voice call. Specifically, WhatsApp/Facebook stated that the application's VoIP stack is affected and that the overflow is triggered by particular crafted SRTP packets (the Secure Real-time Transport Protocol, https://tools.ietf.org/html/rfc3711, for those who are interested and like reading RFCs and stuff).

Once the malformed packets are received, an internal buffer within WhatsApp overflows, providing access to some rather undesirable areas of memory. The rest is down to the imagination of the attacker. Reports thus far have focused on the injection of the popular mobile OS malware known as Pegasus, which even has its own Wikipedia page: https://en.wikipedia.org/wiki/Pegasus_(spyware).

WhatsApp/Facebook have been quick to react, however, and some of you may already have noted the update pushed on Monday by the group. If you have not, now would be a good time to check for the update.

The vulnerability affects both personal and business versions of the application, and to quote Facebook/WhatsApp: "The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15."

It is worth some discussion at this point about who was behind the attack. In short, Facebook have already stated that exploitation of this issue is not trivial at all, and as such the suspicion would rather be that it's the work of a private company working for a government agency. That is speculation, though, and I am sure time will tell. What we have seen in the past, however, is that now the work/idea is out there, we would be wise to expect some follow-up discoveries and releases.

If you would like to know more about how you may be vulnerable to attack, why not enquire about our free Penetration Testing Training sessions.

 

       
 Andy Swift - Head of Offensive Security  

Andy Swift is Head of Offensive Security at CNS Six Degrees and has written countless articles on information security. He has a particular speciality in Malware and Virus Analysis. Andy holds Global Industrial Cyber Security Professional (GICSP) status, certifying his expertise in ICS Security Essentials for Engineering, Operating Technology and Cyber.
   



 
     
       