Mobile Security & Enterprise Mobility Blog

WhatsApp Buffer Overflow Vulnerability Reportedly Exploited In The Wild

A new WhatsApp vulnerability has attracted the attention of the press and security professionals around the world. Zimperium zLabs will be creating a detailed blog soon, but we wanted to provide our readers with preliminary information now.

What follows is a quick summary of the vulnerability. It has been rumored that the vulnerability was exploited by the NSO Group, but no evidence has been supplied in the media to support this. As such, this post covers only the vulnerability analysis and how Zimperium can help.

Background

On May 13th, Facebook announced a vulnerability associated with all of its WhatsApp products. This vulnerability was reportedly exploited in the wild, and it was designated as CVE-2019-3568.

WhatsApp told the BBC its security team was the first to identify the flaw. It shared that information with human rights groups, selected security vendors and the US Department of Justice earlier this month.

CVE-2019-3568 Vulnerability

WhatsApp suffers from a buffer overflow weakness, meaning an attacker can leverage it to run malicious code on the device. Data packets can be manipulated during the start of a voice call, leading to the overflow being triggered and the attacker commandeering the application. Attackers can then deploy surveillance tools to the device to use against the target.

Description: A buffer overflow vulnerability in WhatsApp VOIP (voice over internet protocol) stack allows remote code execution via a specially-crafted series of SRTP (secure real-time transport protocol) packets sent to a target phone number.

Affected Versions:

  • WhatsApp for Android prior to v2.19.134
  • WhatsApp Business for Android prior to v2.19.44
  • WhatsApp for iOS prior to v2.19.51
  • WhatsApp Business for iOS prior to v2.19.51
  • WhatsApp for Windows Phone prior to v2.18.348
  • WhatsApp for Tizen prior to v2.18.15

The Alleged Exploit

An exploit of the vulnerability was used in an attempted attack on the phone of a UK-based attorney on 12 May, the Financial Times reported. The lawyer, who was not identified by name, is involved in a lawsuit against Israeli firm NSO Group brought by a group of Mexican journalists, government critics and a Saudi Arabian dissident.

The reported attack involved using WhatsApp’s voice calling function to ring a target’s device. Even if the call was not picked up, the surveillance software could be installed.

In a manner reminiscent of Stagefright, which was discovered by Zimperium zLabs, the call would often disappear from the device’s call log.

How Zimperium Helps Combat CVE-2019-3568 Attacks

Zimperium zIPS, powered by Zimperium’s machine learning-based engine, z9, helps protect customers by identifying at-risk devices and active threats trying to leverage the vulnerability.

Risk Profiling:
Zimperium zIPS helps identify all devices that are exposed to the WhatsApp vulnerability via the integrated z3A (advanced app analysis) capabilities.

Administrators can use z3A to find all devices that have the vulnerable versions of WhatsApp on them and establish custom policies to address the risk.
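As an added illustration (not Zimperium's z3A and not code from WhatsApp), the following sketch checks an app inventory against the affected-version thresholds listed above. The inventory tuple format, the device ids and the sample builds are assumptions constructed for the example; versions are compared numerically, because a plain string comparison would rank 2.19.98 above 2.19.134.

```python
# Fixed-version thresholds copied from the "Affected Versions" list above.
# A build strictly below the threshold for its (app, platform) is exposed.
FIXED_IN = {
    ("WhatsApp", "Android"): "2.19.134",
    ("WhatsApp Business", "Android"): "2.19.44",
    ("WhatsApp", "iOS"): "2.19.51",
    ("WhatsApp Business", "iOS"): "2.19.51",
    ("WhatsApp", "Windows Phone"): "2.18.348",
    ("WhatsApp", "Tizen"): "2.18.15",
}

def parse_version(text):
    """Turn '2.19.134' or 'v2.19.134' into (2, 19, 134); None if not numeric."""
    parts = text.strip().lstrip("vV").split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(app, platform, version):
    """Return 'vulnerable', 'patched' or 'unknown' for one installed build."""
    fixed = FIXED_IN.get((app, platform))
    installed = parse_version(version)
    if fixed is None or installed is None:
        return "unknown"  # never treat unparseable data as safe
    fixed_t = parse_version(fixed)
    # Pad to equal length so 2.19 compares as 2.19.0.
    width = max(len(installed), len(fixed_t))
    pad = lambda t: t + (0,) * (width - len(t))
    return "vulnerable" if pad(installed) < pad(fixed_t) else "patched"

def audit(inventory):
    """Return device ids that need attention: vulnerable and unknown builds."""
    report = {"vulnerable": [], "unknown": []}
    for device_id, app, platform, version in inventory:
        status = classify(app, platform, version)
        if status in report:
            report[status].append(device_id)
    return report

# Constructed sample inventory (hypothetical device ids and builds).
SAMPLE = [
    ("dev-01", "WhatsApp", "Android", "2.19.98"),   # 98 < 134 numerically
    ("dev-02", "WhatsApp", "Android", "2.19.134"),
    ("dev-03", "WhatsApp Business", "Android", "2.19.9"),
    ("dev-04", "WhatsApp", "iOS", "2.19.51"),
    ("dev-05", "WhatsApp", "Tizen", "v2.18.15.1"),
    ("dev-06", "WhatsApp", "Android", "2.19.beta"),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Builds reported as unknown are listed alongside vulnerable ones so that an unrecognised version string prompts a manual check rather than passing as patched.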

Active Threat Detection:
zLabs researchers are investigating PoC exploits that have been released, as well as creating some themselves for testing purposes. If the exploit attempts to elevate privileges and compromise the device, z9 would detect the attack. To date, z9 has detected 100 percent of zero-day device exploits without requiring an update or suffering from the delays and limitations of cloud-based detection or legacy security architectures—something no other mobile security provider can claim.

 

We will provide more information after zLabs concludes its research and PoC creation / testing.