Serious vulnerabilities found in WhatsApp, Cisco devices

Infosec pros are advised to patch vulnerabilities in two major products, one that could open end users to having their communications hacked, the other that could open the network to intrusion:

–Facebook says it has issued fixes for several versions of WhatsApp — including Business versions for Android and iOS — after discovering a buffer overflow problem that could allow a remote attacker to install spyware.

According to several news reports, the Financial Times says the vulnerability has been exploited to deliver spyware made by Israel-based NSO Group and sold to governments and law enforcement agencies.

WhatsApp is used by an estimated 1.5 billion people.

–Cisco Systems says it will issue patches for a large number of routers, switches, intrusion prevention, voice and communications devices that include a special hardware component within its Secure Boot protection module. Cisco says the vulnerability could only be exploited by an attacker who has physical access to a device. However, a company called Red Balloon Security says it could also be exploited remotely (see below).

There are no workarounds at this moment.

The WhatsApp vulnerability has made headlines around the world, arguably because the application is so widely used and because users assume its end-to-end encryption makes it relatively secure.

In a brief description of the issue, Facebook says a buffer overflow vulnerability in the WhatsApp VOIP stack allowed remote code execution via a specially crafted series of SRTCP packets sent to a target phone number.

The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.
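For anyone who has to check a fleet of managed phones against this list, the version boundaries above are easy to get wrong with a plain string comparison ("2.19.9" sorts after "2.19.134" as text but is older). The following is an added example, not code from the article or from Facebook; the product keys and the sample inventory are constructed for illustration, while the fixed versions are the ones stated above. A version is treated as affected when it is numerically lower than the first fixed release for its product.

```python
from typing import Dict, List, Tuple

# First fixed release per product, as listed in the advisory text.
# Anything numerically below these versions is considered affected.
# The product keys themselves are constructed labels for this example.
FIXED_VERSIONS: Dict[str, str] = {
    "whatsapp-android": "2.19.134",
    "whatsapp-business-android": "2.19.44",
    "whatsapp-ios": "2.19.51",
    "whatsapp-business-ios": "2.19.51",
    "whatsapp-windows-phone": "2.18.348",
    "whatsapp-tizen": "2.18.15",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'v2.19.134' or '2.19.134' into (2, 19, 134) so components compare numerically."""
    cleaned = version.strip().lower().lstrip("v")
    parts = cleaned.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, version: str) -> bool:
    """True if the installed version is older than the first fixed release for the product."""
    if product not in FIXED_VERSIONS:
        raise ValueError(f"unknown product: {product!r}")
    return parse_version(version) < parse_version(FIXED_VERSIONS[product])


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (device_id, product, version) entries that still need the update."""
    return [entry for entry in inventory if is_affected(entry[1], entry[2])]


# Constructed sample inventory: device id, product, installed version.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("phone-001", "whatsapp-android", "2.19.133"),        # one build short of the fix
    ("phone-002", "whatsapp-android", "v2.19.134"),       # exactly the fixed build
    ("phone-003", "whatsapp-android", "2.19.9"),          # older, even though it sorts later as text
    ("phone-004", "whatsapp-business-ios", "2.19.51"),    # fixed
    ("phone-005", "whatsapp-windows-phone", "2.18.300"),  # affected
    ("phone-006", "whatsapp-tizen", "2.18.15"),           # fixed
]

if __name__ == "__main__":
    for device_id, product, version in triage(SAMPLE_INVENTORY):
        print(f"{device_id}: {product} {version} is below {FIXED_VERSIONS[product]}, update required")
```

The numeric tuple comparison is the whole point: a naive `"2.19.9" < "2.19.134"` evaluates to `False` in Python string ordering and would silently mark an old build as patched.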

Individuals who have installed WhatsApp outside a business environment are also urged to install the latest version of the application.

According to SecurityWeek.com, the…
