A vulnerability was found in Facebook WhatsApp Messenger on Android/iOS/Windows Phone/Tizen (Messaging Software) (affected version not known) and classified as critical. Affected by this issue is some unknown processing of the component VoIP Stack. The manipulation as part of a SRTCP Packet leads to a memory corruption vulnerability. Using CWE to declare the problem leads to CWE-119. Impacted is confidentiality, integrity, and availability.

The bug was discovered 05/13/2019. The weakness was disclosed 05/13/2019 with Facebook as CVE-2019-3568 as confirmed advisory (Facebook). The advisory is shared for download at facebook.com. The public release has been coordinated in cooperation with the vendor. This vulnerability is handled as CVE-2019-3568 since 01/02/2019. The attack may be launched remotely. No form of authentication is required for exploitation. Technical details are unknown but a private exploit is available. The current price for an exploit might be approx. USD $5k-$25k (estimation calculated on 06/13/2020). This vulnerability has a historic impact due to its background and reception. The advisory points out:

A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.

It is declared as highly functional. As 0-day the estimated underground price was around $25k-$100k.

Upgrading eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.

nytimes.com is providing further details.

Productinfoedit

Type

• Messaging Software

Vendor

• Facebook

Name

• WhatsApp Messenger

CPE 2.3infoedit

• 🔍

CPE 2.2infoedit

• 🔍

CVSSv3infoedit

CVSSv2infoedit

Exploitinginfoedit

Threat Intelligenceinfoedit

Countermeasuresinfoedit

Timelineinfoedit

Sourcesinfoedit

Entryinfoedit

Comments