Source: cve-assign@fb.com
A heap corruption in WhatsApp can be caused by a malformed RTP packet being sent after a call is established. The vulnerability can be used to cause denial of service. It affects WhatsApp for Android prior to v2.18.293, WhatsApp for iOS prior to v2.18.93, and WhatsApp for Windows Phone prior to v2.18.172.
WhatsApp is vulnerable to a denial-of-service (DoS) attack due to a heap corruption flaw in its call media handling. The attacker must be the other party on an established call: once the victim places or accepts a call with an attacker-controlled account, the attacker sends a crafted malformed RTP packet, the victim's client corrupts its heap while processing it, and the application crashes, disrupting service for the affected user. The published impact is DoS; the advisory does not claim code execution.
Step 1: Call Establishment: The victim initiates or accepts a WhatsApp call with an account the attacker controls.
Step 2: RTP Packet Injection: After the call is established, the attacker sends a malformed RTP packet to the victim's WhatsApp client over the call's media channel. The packet contains crafted header or length fields designed to trigger the flaw.
Step 3: Packet Processing: The victim's WhatsApp client receives the packet and parses it as call media.
Step 4: Heap Corruption: Because the client does not validate the malformed fields before using them, it writes outside the bounds of a heap allocation. The advisory does not say which allocation or metadata is overwritten.
Step 5: Denial of Service: The corrupted heap causes the WhatsApp process to crash (or to be aborted by the allocator's consistency checks), ending the call and the session for the victim.
The vulnerability stems from improper handling of Real-time Transport Protocol (RTP) packets within WhatsApp's audio/video call processing: the client fails to adequately validate the size and structure of RTP packets received after a call has been established, and memory it allocates, indexes or copies based on those packet fields ends up corrupted. The vendor advisory states only that the packet is malformed and that the result is heap corruption; it does not publish the exact parsing defect, so the specific arithmetic error is not known. The usual shape of such a bug in an RTP parser is a length derived from attacker-controlled header fields (the CSRC count, the extension header length or the padding count) that is used to size or offset into a heap buffer without first being checked against the number of bytes actually received; the resulting copy or write then runs past the allocation. Whatever the precise defect, the missing bounds check on packet-derived lengths is what lets a single malformed packet corrupt the heap.
No specific APTs are publicly linked to this vulnerability. Exploitation requires an established call with the victim, which rules out unauthenticated remote use against arbitrary users but leaves it practical for targeted harassment, since anyone who can get a victim to answer a call can crash their client. The published impact is limited to denial of service. CISA KEV: Not Listed
Network traffic analysis: Examine network captures for unusual RTP packets sent after a call is established, such as packets too short for the header fields they claim, an extension or CSRC list longer than the packet, or a flood of tiny packets. Note that WhatsApp call media is end-to-end encrypted, so a capture exposes only packet sizes, timing and any RTP header fields that remain in the clear, not decodable payloads; header-structure checks are therefore most reliable on the endpoint, where the client sees the decrypted packet.
Crash reports: WhatsApp does not expose call-processing logs, so rely on the platform's crash reporting (Android tombstones and logcat, iOS crash logs) and look for the WhatsApp process terminating with SIGSEGV or an allocator-triggered SIGABRT during or immediately after a call, particularly repeated crashes tied to calls from the same contact.
Endpoint detection and response (EDR) / mobile threat defense: On managed devices, use the mobile EDR or MTD agent to alert on WhatsApp process crashes and on devices still running a vulnerable version.
Forensic analysis: Analyze memory dumps from affected devices for signs of heap corruption, such as overwritten data structures or corrupted pointers.
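The root-cause pattern described above and the header-structure checks that endpoint or capture-based detection would apply are illustrated by the following added example. It is not WhatsApp's code and not derived from the fix; it is a generic RTP (RFC 3550) header parser written for this page. The vulnerable routine shows the bug class (a header length built from attacker-controlled fields that is never compared with the bytes received, so the "payload length" wraps to a huge value that a caller would hand to an allocation or copy), and the checked routine shows the same parsing with every packet-derived length bounded, which doubles as the malformed-packet test a detector would run. The sample packets are constructed for the example, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RTP_FIXED_HDR 12   /* V/P/X/CC, M/PT, sequence, timestamp, SSRC */

/* Parsed view of an RTP header (RFC 3550 layout). */
typedef struct {
    uint8_t version, csrc_count, has_ext;
    size_t  ext_words;    /* extension length field, in 32-bit words */
    size_t  header_len;   /* fixed header + CSRC list + extension */
    size_t  payload_len;  /* bytes left after header and padding */
} rtp_hdr_t;

/* VULNERABLE pattern (illustrative, not WhatsApp's code): the header length is
 * built from attacker-controlled fields (CC, X, extension length) and is never
 * compared with the bytes actually received. The subtraction wraps when
 * header_len > pkt_len, so the caller gets an enormous "payload length" that it
 * then feeds to malloc/memcpy or a fixed-size jitter buffer: that is the heap
 * write past the allocation. With X set it also reads the length word from an
 * offset that may already lie outside the packet. */
size_t rtp_payload_len_vulnerable(const uint8_t *pkt, size_t pkt_len) {
    size_t header_len = RTP_FIXED_HDR + 4u * (pkt[0] & 0x0f);
    if ((pkt[0] >> 4) & 1) {
        size_t ext_words = ((size_t)pkt[header_len + 2] << 8) | pkt[header_len + 3];
        header_len += 4 + 4 * ext_words;
    }
    return pkt_len - header_len;   /* size_t underflow on a malformed header */
}

/* HARDENED parser: every packet-derived length is checked against pkt_len before
 * it is used. Returns 0 on success, -1 on a malformed packet; the rejection
 * conditions are the same ones a detector would flag. */
int rtp_parse_checked(const uint8_t *pkt, size_t pkt_len, rtp_hdr_t *out) {
    rtp_hdr_t h = {0};
    if (pkt_len < RTP_FIXED_HDR) return -1;
    h.version = pkt[0] >> 6;
    if (h.version != 2) return -1;
    h.csrc_count = pkt[0] & 0x0f;
    h.has_ext = (pkt[0] >> 4) & 1;
    h.header_len = RTP_FIXED_HDR + 4u * h.csrc_count;      /* at most 72 */
    if (h.header_len > pkt_len) return -1;
    if (h.has_ext) {
        size_t off = h.header_len;
        if (pkt_len - off < 4) return -1;                    /* room for ext header */
        h.ext_words = ((size_t)pkt[off + 2] << 8) | pkt[off + 3];
        if (pkt_len - off - 4 < 4 * h.ext_words) return -1;  /* room for ext body */
        h.header_len = off + 4 + 4 * h.ext_words;
    }
    h.payload_len = pkt_len - h.header_len;
    if (pkt[0] & 0x20) {                  /* P bit: last byte is the pad count */
        size_t pad = pkt[pkt_len - 1];
        if (h.payload_len == 0 || pad == 0 || pad > h.payload_len) return -1;
        h.payload_len -= pad;
    }
    if (out) *out = h;
    return 0;
}

/* Safe extraction: allocation and copy sizes come only from the validated header. */
uint8_t *rtp_payload_copy_checked(const uint8_t *pkt, size_t pkt_len, size_t *len) {
    rtp_hdr_t h;
    if (rtp_parse_checked(pkt, pkt_len, &h) != 0) return NULL;
    uint8_t *buf = malloc(h.payload_len ? h.payload_len : 1);
    if (!buf) return NULL;
    memcpy(buf, pkt + h.header_len, h.payload_len);
    *len = h.payload_len;
    return buf;
}

/* Constructed sample packets for this example (not captured traffic). */
static const uint8_t good_pkt[] = {    /* V=2 P=0 X=0 CC=0 PT=111, 4 payload bytes */
    0x80,0x6f,0x00,0x01, 0x00,0x00,0x00,0xa0, 0x11,0x22,0x33,0x44, 0xde,0xad,0xbe,0xef };
static const uint8_t bad_cc_pkt[] = {  /* CC=15 claims 60 CSRC bytes in a 16-byte packet */
    0x8f,0x6f,0x00,0x01, 0x00,0x00,0x00,0xa0, 0x11,0x22,0x33,0x44, 0xde,0xad,0xbe,0xef };
static const uint8_t bad_ext_pkt[] = { /* X=1, extension length 0xffff words (262140 bytes) */
    0x90,0x6f,0x00,0x01, 0x00,0x00,0x00,0xa0, 0x11,0x22,0x33,0x44,
    0xbe,0xde,0xff,0xff, 0x00,0x00,0x00,0x00 };
static const uint8_t bad_pad_pkt[] = { /* P=1, pad count 10 but only 4 payload bytes */
    0xa0,0x6f,0x00,0x01, 0x00,0x00,0x00,0xa0, 0x11,0x22,0x33,0x44, 0xde,0xad,0xbe,0x0a };

int main(void) {
    const uint8_t *pkts[] = { good_pkt, bad_cc_pkt, bad_ext_pkt, bad_pad_pkt };
    const size_t lens[] = { sizeof good_pkt, sizeof bad_cc_pkt, sizeof bad_ext_pkt, sizeof bad_pad_pkt };
    for (int i = 0; i < 4; i++) {
        size_t len = 0;
        uint8_t *p = rtp_payload_copy_checked(pkts[i], lens[i], &len);
        printf("packet %d: vulnerable len=%zu checked=%s payload=%zu\n", i,
               rtp_payload_len_vulnerable(pkts[i], lens[i]), p ? "ok" : "REJECT", len);
        free(p);
    }
    return 0;
}
```

The three malformed packets each exercise one packet-derived length (CSRC count, extension length, padding count). The vulnerable routine returns a wrapped value larger than the packet itself for the first two, which is the size a naive caller would pass to an allocation or copy; the checked routine rejects all three before any size is computed from them.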
Update WhatsApp: Ensure all WhatsApp clients are updated to a fixed release: v2.18.293 or later on Android, v2.18.93 or later on iOS, and v2.18.172 or later on Windows Phone. This is the primary and most effective remediation step; there is no configuration-level workaround in the client.
Version enforcement on managed devices: Network segmentation does little here, since the malicious packet arrives through WhatsApp's own call infrastructure from a call peer rather than from the local network. On managed fleets, use the MDM's app-version policy to flag or block devices still running a vulnerable build, and advise users not to answer calls from unknown accounts until they have updated.
Intrusion Detection/Prevention Systems (IDS/IPS): Because WhatsApp call media is end-to-end encrypted, network IDS/IPS cannot match signatures on the RTP payload; at most it can flag anomalous packet sizes or rates on an active call. Treat this as supplementary visibility, not as a substitute for patching.
Regular Security Audits: Conduct regular security audits and penetration testing to identify and address potential vulnerabilities in network infrastructure and applications.
Implement a robust patch management process to ensure timely deployment of security updates.