WhatsApp RCE Vulnerabilities
WhatsApp has published three security advisories for 2022, two of which are related to CVE-2021-24042 and CVE-2021-24043 vulnerabilities discovered in January and February, and the third one is related to CVE-2022-36934 and CVE-2022-27492 fixed in September.
These versions of WhatsApp are affected by at least one of the vulnerabilities:
- WhatsApp for Android prior to v22.214.171.124
- WhatsApp Business for Android prior to v126.96.36.199
- WhatsApp for iOS prior to v188.8.131.52
- WhatsApp Business for iOS prior to v184.108.40.206
- WhatsApp for Android prior to v220.127.116.11 and WhatsApp for iOS v18.104.22.168 are affected by both.
The CVE-2022-36934 with CVSS score of 9.8 flaw is an integer overflow in the app in which an attacker can exploit the flaw to achieve remote code execution in an established video call.
This RCE bug affects a piece of code in the WhatsApp component Video Call Handler, which allows an attacker to manipulate the bug to trigger a heap-based buffer overflow and take complete control of WhatsApp Messenger.
The CVE-2022-27492 with CVSS score of 7.8 is an integer underflow in WhatsApp for Android, in which an attacker can gain remote code execution by sending to the victims a crafted video file.
This RCE bug affects an unspecified code block of the component Video File Handler. The manipulation with an unknown input led to a memory corruption vulnerability. To exploit, attackers would have to drop a crafted video file on the user’s WhatsApp messenger and convince the user to play it.