Several vulnerabilities have been discovered in the in one of the core security components of several secure telephony apps, including the Silent Circle system created by Phil Zimmermann.
The vulnerabilities in the GNU ZRTPCPP library have already have been tackled in a new version of the library, while the issue has also been fixed, with update available in both the Android and Apple versions.
ZRTPCPP is a core library that employs the ZRTP protocol to launch secure sessions over a pre-existing connection.
Azimuth Security director and founder, Mark Dowd, discovered three vulnerabilities, including Remote Heap Overflow, Multiple Stack Overflows and Information Leaking/Out of Bounds Reads.
The three loopholes could enable attacker to obtain remote code execution and these bugs can be exploited by remote, unauthorised users.
The first vulnerability is a heap buffer overflow in a function that allows temporarily storing a packet, while the second flaw enables hackers to collapse a vulnerable app, with the third being a vector for obtaining access to sensitive information regarding the cryptographic operations of the protocol.