WhatsApp Fixed Critical Vulnerabilities that Could Let an Attacker Hack Devices Remotely – Automatically Discover and Remediate Using VMDR Mobile

WhatsApp has recently fixed critical and high-severity vulnerabilities affecting WhatsApp for Android, WhatsApp Business for Android, WhatsApp for iOS, and WhatsApp Business for iOS. Exploiting these vulnerabilities would be the first step of an attacker installing any malware on the device. In 2019 for example, the Israeli spyware maker NSO Group exploited an audio calling flaw to inject the Pegasus spyware.

WhatsApp Remote Code Execution (RCE) Vulnerabilities 

WhatsApp released a patch to fix the remote code execution (RCE) critical vulnerability, CVE-2022-36934. This vulnerability has a CVSSv3 base score of 9.8 and should be prioritized for patching. An integer overflow in WhatsApp could result in RCE in an established video call. It affects assets running:

  • WhatsApp for Android prior to v2.22.16.12 
  • WhatsApp Business for Android prior to v2.22.16.12 
  • WhatsApp for iOS prior to v2.22.16.12 
  • WhatsApp Business for iOS prior to v2.22.16.12 

WhatsApp released a patch to fix another RCE critical vulnerability, CVE-2022-27492. This vulnerability has a CVSSv3 base score of 7.8 and should be prioritized for patching. Integer underflow in WhatsApp could have caused remote code execution when receiving a crafted video file. It affects assets running WhatsApp for Android v2.22.16.2 and WhatsApp for iOS v2.22.15.9. To exploit this vulnerability, attackers would have to drop a crafted video file on the user’s WhatsApp messenger and convince the user to play it.

These latest vulnerabilities are also affecting the WhatsApp Business app. If you are using it in your organization, it should be a critical fix to prioritize. Successful exploitation of these vulnerabilities would lead to remote code execution and let attackers install malware on the impacted devices. Here’s how to minimize the risk. First, you need to identify the affected assets. Then, update the application to the updated, secure version.

Identification of Assets with WhatsApp Vulnerabilities using Qualys VMDR Mobile

Identifying the affected assets is the first step in managing critical vulnerabilities and reducing risk. Qualys VMDR Mobile makes it easy for existing Qualys customers to identify assets running WhatsApp that contain these flaws. To get comprehensive visibility of the mobile devices, you need to install Qualys Cloud Agent for Android or iOS on all mobile devices. The device onboarding process is easy, and taking an inventory of all affected mobile devices is free.

To get the list of assets that are not updated to v2.22.16.12, run the following Qualys Query Language (QQL) string in the Asset dropdown menu of the Inventory tab.

QQL: Asset- application.name:whatsapp and application: ( not version:v2.22.16.12) and asset.status:Enrolled

Qualys VMDR Mobile isolates all assets with the WhatsApp app installed

Discover WhatsApp Vulnerabilities CVE-2022-36934 & CVE-2022-27492

Now you have the list of assets running WhatsApp with the impacted version. Next, you want the list of assets with the latest WhatsApp vulnerabilities. VMDR Mobile automatically detects the new vulnerabilities based on our continuously updated Qualys Knowledgebase.

To see all detections, navigate to the Vulnerability tab, add and run the following QQL in the Vulnerability dropdown:

QQL: vulnerabilities.vulnerability.qid:630827

Qualys VMDR Mobile isolates all instances of WhatsApp with the RCE vulnerabilities

QID 630827 is available in signature version SEM VULNSIGS-, which is not dependent on any specific Qualys Cloud Agent version.

Using the VMDR Mobile dashboard, you can track the status of assets on which the latest WhatsApp vulnerabilities are detected. The dashboard will be updated with the latest data collected by Qualys Cloud Agent for Android & iOS devices.

VMDR Mobile’s dashboard tracks status of asset remediation of WhatsApp vulnerabilities

Patch and Remediate WhatsApp Vulnerabilities CVE-2022-36934 & CVE-2022-27492

VMDR Mobile provides patch orchestration for Android devices that helps you rapidly remediate vulnerable Android assets. Patch orchestration helps you initiate patching the affected assets using the most relevant patch version per application.

You do not have to create multiple jobs. Just one will take care of all Whatsapp vulnerabilities.

Setting up a single patch job to update all affected WhatsApp instances

Qualys customers are encouraged to apply patches as soon as possible. For iOS assets, you can perform the “Send Message” action to inform the end user to update WhatsApp to the latest version. You may also provide step-by-step details on how users can update WhatsApp from the Apple App Store.

Get Started Now with Qualys VMDR Mobile

Qualys VMDR Mobile is available free for 30 days to help your organization detect vulnerabilities, monitor critical device settings, and correlate updates with the correct app versions available on Google Play Store. Try our solution today by registering for a Free Trial.

This post was first first published on Qualys Security Blog’ website by Swapnil Ahirrao. You can view it by clicking here