Last week, reports, like this one from Dark Reading, surfaced a remotely exploitable bug found in Facebook’s popular WhatsApp chat app, that spies on users and specifically targeted human rights groups. Facebook patched the flaw last week in the latest WhatsApp version 2.19.244.
At Sonatype, we emphasize knowing what’s vulnerable in your code as deployed versus what developers declare they are using. In the case of Facebook, proprietary code relied on an open source component of which embedded native C code became vulnerable. They decided to eliminate the dependency, but the episode proves that not having a grasp of the components your core code depends on can have negative consequences.Thanks to a researcher called Awakened you can avoid innocent-looking GIFs in WhatsApp stealing data and private conversations from your Android devices -- if you update to the latest version.
Malicious Memory
Facebook and WhatsApp, two “free” social media apps, represent juicy targets for malicious behavior. How the apps are built, and specifically, how they use processor memory, invites exploiting this vector.
Dark Reading’s Jai Vijayan explains:
"The bug does not exist in WhatsApp itself but rather in an open source library that the application uses to parse media files. The so-called double-free vulnerability (tracked as CVE-2019-11932) stems from how memory is allocated when GIF images are parsed in WhatsApp. A double-free vulnerability involves an app calling the same memory space on a device twice, resulting in a memory leak.”
When We Contain These Risks, Others Do, Too
Developers who unknowingly use compromised libraries pass along the risks to others. Our own DJ Schleen explains in this video.
DJ’s two recommendations:
Update as appropriate. Keep your component libraries fresh. The latest Software Supply Chain Report demonstrates newer components are less risky than older ones. But not always! This paradox brings us to the most important point...
Know what’s inside your application. Run a free scan on your app using our health check vulnerability scanner. Know what’s in your code. Know what’s deployed and not just what is declared.
Not Just Facebook and WhatsApp at Risk
As DJ points out in his video, application developers everywhere are using the same open source components. So the threat of a double-free vulnerability exploitation isn’t limited to WhatsApp or Facebook -- the threat exists for any app using the same vulnerable open source media library.
When you know the specific open source software components present in your app you can mitigate risk faster. For some, it may involve upgrading (or downgrading) to a different component. For others, it may require shifting resources so that an app doesn’t depend on a vulnerable component - as was the case with Facebook and WhatsApp.
One final note. As we do with all components, Sonatype does the deep dive research necessary to understand the context of the vulnerable code and what versions are impacted by an attack. In the case of CVE-2019-11932, we offer a deviation on the NVD advisory:
Sonatype Advisory Deviation Notice: The Sonatype security research team discovered that the vulnerability is present in version 1.1.14 until (but excluding) 1.2.18 of the libpl_droidsonroids_gif library (present in android-gif-drawable), not just before 1.2.15, as the NVD advisory states.
For developers using this component, it makes sense to pay close attention to the specific version and remediate accordingly.Technical Detail from the Data Team
The libpl_droidsonroids_gif library as present in the pl.droidsonroids.gif:android-gif-drawable Maven Central component and in WhatsApp for Android, contains a Double Free vulnerability. The DDGifSlurpfunction in decoding.c does not properly verify if a zero-sized image file is provided to the application, prior to freeing memory. A remote attacker can exploit this vulnerability by using a crafted image file which, when opened by the victim, triggers a double-free and therefore enables the attacker to execute arbitrary code or cause a Denial of Service (DoS) on the victim’s device.
NOTE: It must be noted the version range for the libpl_droidsonroids_gif library coincides with that of the pl.droidsonroids.gif:android-gif-drawable component which contains this library.
