Disclosed information about the critical
(CVE-2019-3568) in the WhatsApp mobile app that allows you to get your code executed by sending a specially crafted voice call. For a successful attack, a response to a malicious call is not required; a call is enough. At the same time, such a call often does not end up in the call log, and the attack may go unnoticed by the user.
The vulnerability is not related to the Signal protocol, but is caused by a buffer overflow in the WhatsApp-specific VoIP stack. The problem can be exploited by sending a specially crafted series of SRTCP packets to the victim's device. The vulnerability manifests itself in WhatsApp for Android (fixed in 2.19.134), WhatsApp Business for Android (fixed in 2.19.44), WhatsApp for iOS (2.19.51), WhatsApp Business for iOS (2.19.51), WhatsApp for Windows Phone ( 2.18.348) and WhatsApp for Tizen (2.18.15).
It is interesting that in the last year The WhatsApp and Facetime Zero project drew attention to a bug that allows control messages associated with a voice call to be sent and processed at a stage before the user accepts the call. WhatsApp was recommended to remove this feature, and it was shown that sending such messages during a fuzzing test causes the application to crash, i.e. As early as last year, it was known that there were potential vulnerabilities in the code.
After identifying the first traces of compromised devices on Friday, Facebook engineers began to develop a method of protection, on Sunday they secured a loophole at the server infrastructure level by a workaround, and on Monday began distributing an update with a fix for the client software. It is not yet clear how many devices were attacked using the vulnerability. All that is reported is an unsuccessful attempt on Sunday to compromise the smartphone of one of the human rights activists using a method reminiscent of NSO Group technology, as well as an attempt to attack the smartphone of an employee of the human rights organization Amnesty International.
The problem was not publicized Israeli company NSO Group, which was able to use the vulnerability to organize the installation of spyware on smartphones to ensure surveillance by law enforcement agencies. NSO stated that it verifies customers very carefully (cooperates only with law enforcement and intelligence agencies) and investigates all complaints of abuse. Including now initiated proceedings related to recorded attacks on WhatsApp.
NSO denies involvement in specific attacks and only claims to be developing technology for intelligence agencies, but the victim human rights activist intends to prove in court that the company shares responsibility with customers abusing the software provided to them, and sold its products to services known for their human rights violations.
Facebook launched an investigation into the possible compromise of the devices and last week privately shared the first results with the US Department of Justice, as well as notified several human rights organizations about the problem to coordinate public awareness (there are about 1.5 billion WhatsApp installations worldwide).
Source: opennet.ru