New WhatsApp vulnerability allows remote command execution using a crafted MP4 file

Update your client ASAP!

In October, a double-free vulnerability was disclosed in WhatsApp messenger: the flaw could be triggered by sending a crafted .GIF file and, if exploited, could result in remote code execution.
The vulnerability was patched in WhatsApp version 2.19.244.

Recently, Facebook has disclosed a new severe remote code execution vulnerability in WhatsApp related to multimedia attachments.

The bug (CVE-2019-11931 [2]) is a stack-based buffer overflow that can be triggered by sending a crafted .MP4 [3] video file to a victim, and can lead to denial-of-service or remote code execution attacks.

A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE.

There do not currently appear to be any reports of the vulnerability being actively exploited in the wild, and Facebook doesn’t specify whether any user interaction is required for exploitation. However, my suggestion is to update your device as soon as possible, especially if your WhatsApp is configured to automatically download multimedia files.


Which versions are vulnerable?

According to the official advisory [1]:

  • Android versions prior to 2.19.274
  • iOS versions prior to 2.19.100
  • Enterprise Client versions prior to 2.25.3
  • Windows Phone versions before and including 2.18.368
  • Business for Android versions prior to 2.19.104, and
  • Business for iOS versions prior to 2.19.100.
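
The affected ranges above, turned into an inventory check as an added example (not code from the advisory or from WhatsApp). The platform labels and sample rows are constructed for illustration; the points to notice are that version components must be compared numerically and that the Windows Phone boundary is inclusive.

```python
# Added example: thresholds copied from the advisory list above; platform
# keys and the inventory rows are constructed for this illustration.
# Value: (boundary, inclusive). inclusive=True means the boundary version
# itself is still affected ("before and including").
AFFECTED = {
    "android": ("2.19.274", False),
    "ios": ("2.19.100", False),
    "enterprise": ("2.25.3", False),
    "windows_phone": ("2.18.368", True),
    "business_android": ("2.19.104", False),
    "business_ios": ("2.19.100", False),
}

def parse_version(text):
    """Turn '2.19.100' into (2, 19, 100) so components compare numerically."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def is_vulnerable(platform, installed):
    """Return True if the installed version falls in the affected range."""
    if platform not in AFFECTED:
        raise ValueError(f"unknown platform: {platform!r}")
    boundary, inclusive = AFFECTED[platform]
    have, limit = parse_version(installed), parse_version(boundary)
    # Pad to equal length so '2.25' compares as '2.25.0'.
    width = max(len(have), len(limit))
    have = have + (0,) * (width - len(have))
    limit = limit + (0,) * (width - len(limit))
    return have <= limit if inclusive else have < limit

def audit(inventory):
    """Return the (device, platform, version) rows that need updating."""
    return [row for row in inventory if is_vulnerable(row[1], row[2])]

if __name__ == "__main__":
    sample = [  # constructed inventory rows
        ("phone-01", "android", "2.19.99"),
        ("phone-02", "android", "2.19.274"),
        ("phone-03", "windows_phone", "2.18.368"),
        ("phone-04", "ios", "2.19.100"),
    ]
    for device, platform, version in audit(sample):
        print(f"{device}: {platform} {version} is affected, update required")
```

A plain string comparison would rank 2.19.99 above 2.19.274 and report that Android build as patched, which is why the versions are parsed into integer tuples first.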

References

  1. CVE-2019-11931 on Facebook.com
  2. CVE-2019-11931 on Mitre.org
  3. CVE-2019-11931 – PoC
