Secure Phone App Library Highly Vulnerable

People who use telephony apps on their cell phones need to be cautious: a researcher has reported vulnerabilities in ZRTPCPP, a major security library. For this reason they need to get their software upgraded.

Mark Dowd, a researcher at Azimuth Security, has identified a variety of bugs, including information leakage, stack overflows and a number of remote heap overflows. The flaws are present in the GNU ZRTPCPP library. The library is used in the SilentCircle application as well as in CsipSimple, IPhone, Ostel clients, Twinkle and anything that uses GNU ccRTP with ZRTP enabled.

The ZRTP protocol, designed by Zimmermann, is what the library implements as part of the GNU secure telephony stack. It uses an RTP session to establish an authenticated session that is cryptographically protected.

One of the vulnerabilities was found in the function Zrtp::storeMsgTemp(). It can be crashed remotely by sending an over-sized packet to the vulnerable host, which leads to arbitrary code execution.

The second vulnerability affects a number of different functions, which can easily be crashed through a remote heap overflow. Dowd is, however, unsure whether this gives rise to any exploitable condition.

The last vulnerability is the library's failure to verify that the size of a packet is as expected. This can lead to information leakage through out-of-bounds reads and ultimately results in a crash.
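Both the over-sized packet bug and the missing size check come down to validating a message's declared length before copying it. The following C function is an added example, not code from GNU ZRTPCPP or from Dowd's report: it checks the 16-bit length field of a ZRTP message (counted in 32-bit words, per RFC 6189) against the bytes actually received and against a fixed buffer. The function name, the struct and the 1024-byte capacity are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Names and sizes are assumptions for illustration, not GNU ZRTPCPP's. */
#define ZRTP_PREAMBLE 0x505aU /* RFC 6189 message preamble */
#define ZRTP_MIN_LEN  12U     /* preamble + length + 8-byte message type */
#define TEMP_MSG_MAX  1024U   /* assumed capacity of the temporary store */

struct temp_msg { uint8_t data[TEMP_MSG_MAX]; size_t len; };

/* Read a big-endian 16-bit value without assuming alignment. */
static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Copy one received ZRTP message into dst. Returns 0, or -1 to drop it. */
int store_msg_temp_checked(struct temp_msg *dst, const uint8_t *pkt, size_t received)
{
    if (dst == NULL || pkt == NULL)
        return -1;
    if (received < ZRTP_MIN_LEN || be16(pkt) != ZRTP_PREAMBLE)
        return -1;

    size_t declared = (size_t)be16(pkt + 2) * 4U; /* length is in 32-bit words */
    if (declared < ZRTP_MIN_LEN)
        return -1;                /* header claims less than a header */
    if (declared > received)
        return -1;                /* would read past the received bytes */
    if (declared > sizeof dst->data)
        return -1;                /* would overflow the temporary store */

    memcpy(dst->data, pkt, declared);
    dst->len = declared;
    return 0;
}

int main(void)
{
    /* Constructed packets: one larger than the store, one whose header lies. */
    static uint8_t big[2048] = {0x50, 0x5a, 0x02, 0x00};
    uint8_t lie[16] = {0x50, 0x5a, 0x00, 0x40};
    struct temp_msg t;
    printf("oversized: %d\n", store_msg_temp_checked(&t, big, sizeof big));
    printf("short read: %d\n", store_msg_temp_checked(&t, lie, sizeof lie));
    return 0;
}
```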

The good news is that an update to the library has been published on GitHub, along with a SilentCircle update made available on the Play Store and the App Store for both Android and Apple users.

