CERT-In Vulnerability Note
CIVN-2019-0181
Buffer Overflow Vulnerability in WhatsApp
Original Issue Date: November 16, 2019
Severity Rating: HIGH
Software Affected
- WhatsApp for Android prior to 2.19.274
- WhatsApp for iOS prior to 2.19.100
- WhatsApp Enterprise Client prior to 2.25.3
- WhatsApp for Windows Phone prior to 2.18.368
- WhatsApp Business for Android prior to 2.19.104
- WhatsApp Business for iOS prior to 2.19.100
Overview
A vulnerability has been reported in WhatsApp which could be exploited by a remote attacker to execute arbitrary code on the target system.
Description
A stack-based buffer overflow vulnerability exists in WhatsApp due to improper parsing of elementary stream metadata in an MP4 file. A remote attacker could exploit this vulnerability by sending a specially crafted MP4 file to the target system. This could trigger a buffer overflow condition leading to execution of arbitrary code by the attacker. Exploitation does not require any form of authentication from the victim, and the payload executes when the maliciously crafted MP4 file is downloaded onto the victim's system.
Successful exploitation of this vulnerability could allow the remote attacker to achieve Remote Code Execution (RCE) or cause a Denial of Service (DoS) condition, which could lead to further compromise of the system.
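To illustrate the defect class the advisory describes (a length read from file metadata used to fill a fixed-size stack buffer without a bound check) next to the checks that prevent it, here is an added C example. It is not WhatsApp's code and does not come from CERT-In or Facebook; the two-byte tag/length descriptor layout is a simplified construction for this illustration rather than the exact MP4 elementary stream descriptor format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified, constructed descriptor layout used only for this example:
 *   [tag: 1 byte][length: 1 byte][payload: `length` bytes]
 * It stands in for the kind of length-prefixed elementary stream metadata an
 * MP4 parser reads; it is not WhatsApp's code or the exact esds box format. */
#define PAYLOAD_CAP 16

/* The defect class named in the advisory: the copy length comes straight from
 * the file and is never compared with the size of the fixed stack buffer. */
static int parse_descriptor_unchecked(const uint8_t *in, size_t in_len, uint8_t *tag_out)
{
    uint8_t payload[PAYLOAD_CAP];
    if (in_len < 2)
        return -1;
    size_t len = in[1];
    *tag_out = in[0];
    memcpy(payload, in + 2, len); /* len may be up to 255; payload holds 16 */
    return (int)len;
}

/* Hardened form: every length taken from the file is checked against both the
 * destination capacity and the bytes actually remaining in the input. */
static int parse_descriptor_checked(const uint8_t *in, size_t in_len,
                                    uint8_t *tag_out, uint8_t *out, size_t out_cap)
{
    if (in == NULL || out == NULL || tag_out == NULL || in_len < 2)
        return -1;                  /* malformed: header incomplete */
    size_t len = in[1];
    if (len > out_cap)
        return -2;                  /* would overflow the destination buffer */
    if (len > in_len - 2)
        return -3;                  /* claims more payload than the input holds */
    *tag_out = in[0];
    memcpy(out, in + 2, len);
    return (int)len;
}

int main(void)
{
    /* Constructed inputs for the demonstration. */
    const uint8_t well_formed[] = {0x04, 0x05, 'a', 'b', 'c', 'd', 'e'};
    const uint8_t oversized[]   = {0x04, 0xFF, 0x00, 0x00, 0x00, 0x00}; /* declares 255 bytes */
    const uint8_t truncated[]   = {0x04, 0x0A, 0x01, 0x02, 0x03};       /* declares 10, has 3 */

    uint8_t tag, buf[PAYLOAD_CAP];
    int r;

    r = parse_descriptor_checked(well_formed, sizeof well_formed, &tag, buf, sizeof buf);
    printf("well-formed: rc=%d tag=0x%02x\n", r, tag);   /* rc=5 */
    r = parse_descriptor_checked(oversized, sizeof oversized, &tag, buf, sizeof buf);
    printf("oversized:   rc=%d (rejected)\n", r);        /* rc=-2 */
    r = parse_descriptor_checked(truncated, sizeof truncated, &tag, buf, sizeof buf);
    printf("truncated:   rc=%d (rejected)\n", r);        /* rc=-3 */

    /* The unchecked parser behaves identically on well-formed input, which is
     * why such defects survive ordinary functional testing; only the checked
     * version refuses the two malformed inputs above. */
    r = parse_descriptor_unchecked(well_formed, sizeof well_formed, &tag);
    printf("unchecked on well-formed: rc=%d\n", r);      /* rc=5 */
    return 0;
}
```

The checked parser returns distinct negative codes so a caller can log which validation failed; in a media pipeline that distinction is useful for triage, since a stream of "-2" rejections from one sender is a different signal from occasional "-3" truncations caused by interrupted downloads.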
Solution
- Upgrade to the latest version of WhatsApp
Vendor Information
Facebook
https://www.facebook.com/security/advisories/cve-2019-11931
References
Facebook
https://www.facebook.com/security/advisories/cve-2019-11931
VulDB
https://vuldb.com/?id.145626
Hacker News
https://thehackernews.com/2019/11/whatsapp-hacking-vulnerability.html
CVE Name
CVE-2019-11931
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road
New Delhi - 110 003
India