WhatsApp has addressed two severe Remote Code Execution vulnerabilities affecting the mobile version of the software.
WhatsApp has published three security advisories for 2022, two of which are related to CVE-2021-24042 and CVE-2021-24043 vulnerabilities discovered in January and February, and the third one is related to CVE-2022-36934 and CVE-2022-27492 fixed by the company in September.
The CVE-2022-36934 (CVSS score 9.8) flaw is an integer overflow in the app for Android that impacts versions prior to v220.127.116.11, Business for Android prior to v18.104.22.168, iOS prior to v22.214.171.124, Business for iOS prior to v126.96.36.199. An attacker can exploit the flaw to achieve remote code execution in an established video call.
“This RCE bug affects a piece of code in the WhatsApp component Video Call Handler, which allows an attacker to manipulate the bug to trigger a heap-based buffer overflow and take complete control of WhatsApp Messenger.” reads a post published by MalwareBytes.
The CVE-2022-27492 (CVSS score 7.8) is an integer underflow in WhatsApp for Android, it impacts versions prior to v188.8.131.52, WhatsApp for iOS v184.108.40.206. An attacker can gain remote code execution by sending to the victims a crafted video file.
“This RCE bug affects an unspecified code block of the component Video File Handler. The manipulation with an unknown input leads to a memory corruption vulnerability. To exploit this vulnerability, attackers would have to drop a crafted video file on the user’s WhatsApp messenger and convince the user to play it.” states MalwareBytes.
(SecurityAffairs – hacking, RCE)