Infosec pros are advised to patch vulnerabilities in two major products, one that could open end users to having their communications hacked, the other that could open the network to intrusion:
–Facebook says it has issued fixes for several versions of WhatsApp — including Business versions for Android and iOS — after discovering a buffer overflow problem that could allow a remote attacker to install spyware.
According to several news reports, the Financial Times says the vulnerability has been exploited to deliver spyware made by the Israel-based NSO Group, which sells to governments and law enforcement agencies.
WhatsApp is used by an estimated 1.5 billion people.
–Cisco Systems says it will issue patches for a large number of routers, switches, intrusion prevention, voice and communications devices that include a special hardware component within its Secure Boot protection module. Cisco says the vulnerability could only be exploited by an attacker who has physical access to a device. However, a company called Red Balloon Security says it could also be exploited remotely (see below).
There are no workarounds at this moment.
The WhatsApp vulnerability has made headlines around the world, arguably because the application is so widely used and because users think its end to end encryption means it’s relatively secure.
In a brief description of the issue, Facebook says a buffer overflow vulnerability in the WhatsApp VOIP stack allowed remote code execution via a specially crafted series of SRTCP packets sent to a target phone number.
According to SecurityWeek.com, the Financial Times says exploitation involves calling the targeted device via WhatsApp, but the victim doesn’t have to answer for the vulnerability to be triggered. Incoming calls apparently disappear from logs.
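To make concrete what "a buffer overflow in the VOIP stack triggered by crafted SRTCP packets" means for a defender reviewing packet-handling code, here is an added illustration of the bug class. It is not WhatsApp's code and does not reproduce the actual flaw; the packet layout (1-byte type, 2-byte big-endian payload length, payload) is a constructed toy, and the function names are hypothetical. It shows the unsafe pattern, a copy whose size is taken from the untrusted length field, beside the checked version that validates the field against both the receive buffer's capacity and the bytes actually present.

```c
/* Added illustration of the length-controlled overflow bug class.
 * Toy packet layout (constructed, not real SRTCP):
 *   byte 0      : packet type
 *   bytes 1..2  : payload length, big-endian
 *   bytes 3..   : payload
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAYLOAD_CAP 16   /* fixed capacity of the receive buffer */
#define HDR_LEN     3

struct voip_msg {
    uint8_t type;
    size_t  len;
    uint8_t payload[PAYLOAD_CAP];
};

static size_t read_len_be16(const uint8_t *p)
{
    return ((size_t)p[0] << 8) | p[1];
}

/* UNSAFE pattern (kept only for contrast): the copy length comes straight
 * from the wire. A peer claiming len > PAYLOAD_CAP makes memcpy write past
 * msg->payload, which is exactly the kind of memory corruption an attacker
 * turns into code execution. Never call this with untrusted input. */
static void parse_unchecked(const uint8_t *pkt, struct voip_msg *msg)
{
    msg->type = pkt[0];
    msg->len  = read_len_be16(pkt + 1);
    memcpy(msg->payload, pkt + HDR_LEN, msg->len);
}

/* Checked version: returns 0 on success, -1 if the packet is rejected.
 * Every bound comes from sizes we control (buffer capacity, bytes actually
 * received), never from the untrusted length field alone. */
static int parse_checked(const uint8_t *pkt, size_t pkt_len, struct voip_msg *msg)
{
    if (pkt == NULL || msg == NULL || pkt_len < HDR_LEN)
        return -1;                           /* header truncated */

    size_t len = read_len_be16(pkt + 1);
    if (len > PAYLOAD_CAP)
        return -1;                           /* would overflow our buffer */
    if (len > pkt_len - HDR_LEN)
        return -1;                           /* claims more bytes than received */

    msg->type = pkt[0];
    msg->len  = len;
    memcpy(msg->payload, pkt + HDR_LEN, len); /* bounded by both checks above */
    return 0;
}

/* Constructed sample packets: one well-formed, two malformed. */
static const uint8_t pkt_good[]      = { 0xC8, 0x00, 0x04, 'a', 'b', 'c', 'd' };
static const uint8_t pkt_oversized[] = { 0xC8, 0xFF, 0xFF, 1, 2, 3 };   /* claims 65535 bytes */
static const uint8_t pkt_truncated[] = { 0xC8, 0x00, 0x08, 1, 2, 3 };   /* claims 8, sends 3 */

/* Runs the checked parser over the samples; returns how many were accepted. */
static int demo_accepted_count(void)
{
    struct voip_msg m;
    int accepted = 0;
    accepted += parse_checked(pkt_good,      sizeof pkt_good,      &m) == 0;
    accepted += parse_checked(pkt_oversized, sizeof pkt_oversized, &m) == 0;
    accepted += parse_checked(pkt_truncated, sizeof pkt_truncated, &m) == 0;
    return accepted;
}

int main(void)
{
    struct voip_msg m;
    /* The unchecked parser is safe only on input already known to be valid. */
    parse_unchecked(pkt_good, &m);
    printf("unchecked parse of good packet: type=0x%02x len=%zu\n", m.type, m.len);
    printf("checked parser accepted %d of 3 sample packets\n", demo_accepted_count());
    return 0;
}
```

The point of the two checks in `parse_checked` is that the wire length must be compared against both the destination capacity and the source size; checking only one of them leaves either a write overflow or an out-of-bounds read.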
The Financial Times said one of the victims was an unnamed attorney based in the United Kingdom, who was targeted on May 12. The lawyer is involved in a lawsuit filed against NSO by individuals targeted with the company’s spyware.
A representative of WhatsApp told the news site Ars Technica that its researchers discovered the vulnerability earlier this month while making security improvements. Ars also said it was told that a “select number of users were targeted through this vulnerability by an advanced cyber actor. The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems.”
Officials from several security vendors were quick to comment on the news. “The mere fact that such a vulnerability can be exploited remotely in a default configuration is extremely critical and alarming,” said Ilia Kolochenko, CEO and chief architect at ImmuniWeb. “It is an unprecedented security flaw in terms of its potential to run high-profile targeted attacks. WhatsApp is so popular that virtually everyone is a potential victim. Worse, today, access to someone’s smartphone likely provides access to much more sensitive information than access to a computer for example. The ability to track the victim in real time, to listen to a device’s microphone and read instant communications are all a golden-mine for cybercriminals.
“Rumors about such security flaws were circulating since a while already, but few people took them seriously. All corporate users of WhatsApp should urgently launch forensics on their mobile devices to verify whether they were compromised and backdoored.”
Tim Erlin, vice-president of product management and strategy at Tripwire, said “this is a troubling vulnerability for any WhatsApp users who have been relying on the app for keeping conversations private. While it’s less likely that the average citizen would be targeted with this kind of spyware, WhatsApp is used by many people for whom the privacy of their conversations is a life and death matter. No software is perfectly secure and vulnerabilities like these are going to exist. The response is what matters.”
As for the Cisco vulnerability, Red Balloon Security calls it Thrangrycat. It allows an attacker to fully bypass Cisco’s Trust Anchor module (TAm) via Field Programmable Gate Array (FPGA) bitstream manipulation. The company says it also found a remote command injection vulnerability against Cisco IOS XE version 16 that allows remote code execution as root. By chaining the Thrangrycat and remote command injection vulnerabilities, Red Balloon says, an attacker can remotely and persistently bypass Cisco’s secure boot mechanism and lock out all future software updates to the TAm.