WhatsApp Vulnerability Allows Code Execution via MP4 File


A security vulnerability in WhatsApp introduced last week could be exploited to remotely execute arbitrary code on affected phones.

The issue, tracked as CVE-2019-11931, is a stack-based buffer overflow that can be triggered by sending a specially crafted MP4 file via WhatsApp, Facebook explains in an advisory.

The buffer overflow occurs when the application parses the elementary stream metadata of an MP4 file. An attacker could exploit the flaw to cause a denial of service (DoS) or to execute code remotely.

The vulnerability might be exploited by sending a crafted MP4 file in order to execute code after malicious applications have been opened.

Facebook states in its advisory that WhatsApp’s consumer and business versions were affected.

The bug affects versions of WhatsApp for Android prior to 2.19.274, Business for Android prior to 2.19.104, iOS before 2.19.100, Enterprise Server before 2.25.3 and Windows Phone before 2.18.368.

Facebook has already issued updates addressing the vulnerability, but did not provide technical information about it. Nevertheless, it appears that proof-of-concept code has been posted on GitHub.

Few reports of the security issue being exploited in attacks have emerged to date, but the vulnerability was made public just weeks after WhatsApp sued the Israeli technology company NSO Group over the targeting of nearly 1,400 reporters, diplomats, dissidents and human rights activists worldwide.

Another remote code execution vulnerability in WhatsApp, tracked as CVE-2019-11932, was published by Facebook in early October. The problem was found in the libpl_droidsonroids_gif.so open source library, which WhatsApp uses to generate previews of GIF files.

The bug might have been used to trigger a DoS condition, escalate privileges, execute arbitrary code remotely (RCE), or access sensitive user data.

In late October, Facebook also published an advisory for CVE-2019-11933, a heap buffer overflow in libpl_droidsonroids_gif before 1.2.19, as used in WhatsApp for Android prior to version 2.19.291.

SecurityWeek has contacted Facebook to ask whether it is aware of attacks exploiting CVE-2019-11931 and will update this report once the company responds.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.