AL2021_11 WhatsApp Security Update (14th April 2021)

Description

On 14th April 2021, WhatsApp addressed two security vulnerabilities in its Android messaging app that could have been exploited to execute malicious code remotely on the device and even potentially eavesdrop on communication.

Summary

 The vulnerabilities are aimed at devices running Android 9 and older. Attackers are granted the privilege of conducting “Man-in-the-disk” attacks which is usually possible when mobile applications improperly managed External storage is shared across all applications on the device. This attack is stemmed from the ability of the attacker being able to compromise an application by manipulating data being exchanged between the application and the external storage.

How it works

The CVE-2021-24027 flaw stems from the implementation of content provider in the Chrome browser, which functions as the inter process communication (IPC) mechanism that is used by application to share resources with other applications, and a same-origin policy bypass in the browser (CVE-2020-6516). The attack is triggered by sending a specially crafted HTML file to the victim via WhatsApp, which once opened by the victim’s browser, executes the malicious code contained in the HTML file. The malicious code can also grant the attacker access to data stored in the external storage. This attack could also be exploited to access data stored by WhatsApp, including TLS session keys which are found in a sub directory. By obtaining the session keys, threat actors can perform a man-in-the-middle attack to achieve remote code execution or even withdraw the noise protocol key pairs that are implemented for end-to-end encryption of user communications.

Solution

Users are recommended to ensure WhatsApp version 2.21.4.18 or greater are used on the Android platform, since previous versions are vulnerable to the aforementioned bugs and may allow for remote user access monitoring.  For more information, follow the URL:

https://www.whatsapp.com/security/advisories/2021/

The Guyana National CIRT recommends that users and administrators review this alert and apply the updates where necessary.

References

  •  WhatsApp Security Advisories (April 2021) Retrieved from WhatsApp Advisories
      https://www.whatsapp.com/security/advisories/2021/
  • R. Lakshmanan (14th  April 2021) New WhatsApp Bugs Could've Let Attackers Hack Your Phone Remotely. Retrieved from The Hackers News.

          https://thehackernews.com/2021/04/new-whatsapp-bug-couldve-let-attackers.html

  • C.Karamitas (14th April 2021) Remote exploitation of a man-in-the-disk vulnerability in WhatsApp (CVE-2021-24027). Retrieved from Census Labs

          https://census-labs.com/news/2021/04/14/whatsapp-mitd-remote-exploitation-CVE-2021-24027/