Recently, security researchers have discovered a critical vulnerability in the LIVE555 Streaming Media Library.
Live Networks LIVE555 streaming media is vulnerable to cyber attacks
The LIVE555 Streaming Media Library is used by widely used media players such as VLC and MPlayer, and by embedded devices capable of streaming media.
LIVE555 Streaming Media is a set of open source (LGPL) C++ libraries developed by Live Networks, Inc. LIVE555 streaming media is used to stream multimedia over open standard protocols like RTP/RTCP, RTSP or SIP. The libraries support streaming, receiving and processing of various video formats including MPEG, H.265, H.264, H.263+, VP8, DV and JPEG video and audio formats such as MPEG, AAC, AMR, AC-3, and Vorbis.
The LIVE555 library is used by popular and widely used applications and media software such as VLC and MPlayer, as well as a multitude of embedded devices (mainly cameras).
LIVE555 Streaming Media is a set of open-source C++ libraries developed by Live Networks Inc. for multimedia streaming. The libraries support open standards such as RTP/RTCP and RTSP for streaming, and can also manage video RTP payload formats such as H.264, H.265, MPEG, VP8, and DV, and audio RTP payload formats such as MPEG, AAC, AMR, AC-3 and Vorbis. It is used internally by well-known software such as VLC and MPlayer.
The vulnerable libraries exposed millions of VLC and MPlayer users to cyber attacks.
The code execution vulnerability tracked as CVE-2018-4013
The vulnerability in the LIVE555 streaming media library, tracked as CVE-2018-4013, resides in the HTTP packet-parsing functionality of the LIVE555 RTSP.
The flaw was discovered by security researcher Lilith Wyatt of Cisco Talos Intelligence Group.
The vulnerability exists in the function that parses HTTP headers for tunneling RTSP over HTTP. An attacker may create a packet containing multiple “Accept:” or “x-sessioncookie” strings which could cause a stack buffer overflow in the function “lookForHeader.”
The vulnerability was confirmed in Live Networks LIVE555 Media Server version 0.92. However, it could also be present in the current and earlier versions of the streaming media library.
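The bug class described above is a header lookup that copies repeated "Accept:" or "x-sessioncookie" values into a fixed-size stack buffer. The following C function is an added example, not code from LIVE555 or from the original article: it bounds every copy to the destination capacity and reports how many times the header occurs so the caller can reject duplicates. The names `find_header` and `ieq` and the sample request are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of the first n bytes. */
static int ieq(const char *a, const char *b, size_t n) {
    for (size_t k = 0; k < n; k++)
        if (tolower((unsigned char)a[k]) != tolower((unsigned char)b[k]))
            return 0;
    return 1;
}

/* Hypothetical helper, not LIVE555 code. Copies the value of the first
 * `name` header into out (capacity out_cap) and returns how many times the
 * header occurs, or -1 if that value does not fit. Later occurrences are
 * counted but never copied, so repeats cannot write past out. */
int find_header(const char *req, size_t req_len, const char *name,
                char *out, size_t out_cap) {
    size_t name_len = strlen(name), i = 0;
    int seen = 0;
    if (out_cap == 0) return -1;
    out[0] = '\0';
    while (i < req_len) {
        size_t eol = i;
        while (eol < req_len && req[eol] != '\r' && req[eol] != '\n') eol++;
        if (eol == i) break;                 /* blank line ends the headers */
        if (eol - i > name_len && req[i + name_len] == ':' &&
            ieq(req + i, name, name_len)) {
            size_t v = i + name_len + 1;
            while (v < eol && (req[v] == ' ' || req[v] == '\t')) v++;
            if (++seen == 1) {
                if (eol - v >= out_cap) return -1;  /* reject, never truncate */
                memcpy(out, req + v, eol - v);
                out[eol - v] = '\0';
            }
        }
        i = eol;                             /* step over CRLF or bare LF */
        if (i < req_len && req[i] == '\r') i++;
        if (i < req_len && req[i] == '\n') i++;
    }
    return seen;
}

int main(void) {
    const char *req = "GET /s HTTP/1.0\r\nAccept: a\r\nAccept: b\r\n\r\n"; /* constructed */
    char val[16];
    int n = find_header(req, strlen(req), "Accept", val, sizeof val);
    printf("count=%d first=%s\n", n, val);   /* caller rejects when n != 1 */
}
```

A caller handling RTSP-over-HTTP tunneling would treat any return value other than 1 for either header as a malformed request and drop it.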
The vulnerability was patched by Live Networks
The critical security flaw was reported to Live Networks on October 10 and publicly disclosed on October 18. The security patch was released on October 17.