CVE-2019-3568 : A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTC

A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number. The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.

Published 2019-05-14 20:29:03

Updated 2019-08-13 21:15:12

Source Facebook, Inc.

View at NVD, CVE.org

Vulnerability category: OverflowExecute code

CVE-2019-3568 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:

WhatsApp VOIP Stack Buffer Overflow Vulnerability

CISA required action:

Apply updates per vendor instructions.

CISA description:

A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number.

Added on 2022-04-19 Action due date 2022-05-10

Exploit prediction scoring system (EPSS) score for CVE-2019-3568

Probability of exploitation activity in the next 30 days: 2.52%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 89 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2019-3568

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.8	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2019-3568

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

Assigned by: nvd@nist.gov (Primary)
CWE-122 Heap-based Buffer Overflow

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Assigned by: cve-assign@fb.com (Secondary)

References for CVE-2019-3568

https://www.facebook.com/security/advisories/cve-2019-3568

Facebook
Third Party Advisory
http://www.securityfocus.com/bid/108329

WhatsApp CVE-2019-3568 Remote Buffer Overflow Vulnerability
Third Party Advisory;VDB Entry

Products affected by CVE-2019-3568