A serious code execution vulnerability detected in Streaming Media library

by Gabriel E. Hall

Recently, security researchers have discovered a critical vulnerability in the LIVE555 Streaming Media Library.[1]


Live Networks LIVE555 streaming media is vulnerable to cyber attacks

The LIVE555 Streaming Media Library is used by many widely used media players, such as VLC and MPlayer, and by embedded devices capable of streaming media.

LIVE555 Streaming Media is a set of open source (LGPL) C++ libraries developed by Live Networks, Inc. LIVE555 streaming media is used to stream multimedia over open standard protocols like RTP/RTCP, RTSP or SIP. The libraries support streaming, receiving and processing of various video formats including MPEG, H.265, H.264, H.263+, VP8, DV and JPEG video and audio formats such as MPEG, AAC, AMR, AC-3, and Vorbis.[2]

The LIVE555 library is used by popular and widely used applications and media software such as VLC and MPlayer, as well as a multitude of embedded devices (mainly cameras).

LIVE555 Streaming Media is a set of open-source C++ libraries developed by Live Networks Inc. for multimedia streaming. The libraries support open standards such as RTP/RTCP and RTSP for streaming, and can also manage video RTP payload formats such as H.264, H.265, MPEG, VP8, and DV, and audio RTP payload formats such as MPEG, AAC, AMR, AC-3 and Vorbis. It is used internally by well-known software such as VLC and MPlayer.

The vulnerable libraries exposed millions of VLC and MPlayer users to cyber attacks.

The code execution vulnerability tracked as CVE-2018-4013

The vulnerability in the LIVE555 streaming media library, tracked as CVE-2018-4013, resides in the HTTP packet-parsing functionality of the LIVE555 RTSP.

The flaw was discovered by security researcher Lilith Wyatt of Cisco Talos Intelligence Group.

The vulnerability exists in the function that parses HTTP headers for tunneling RTSP over HTTP. An attacker may create a packet containing multiple “Accept:” or “x-sessioncookie” strings which could cause a stack buffer overflow in the function “lookForHeader.”

The vulnerability was confirmed in Live Networks LIVE555 Media Server version 0.92. However, it may also be present in the current and earlier versions of the streaming media library.
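The repeated-header condition described above can be checked for on the network side. The following detection sketch is an added example, not code from LIVE555 or from the Talos advisory; the function names, the sample requests (constructed) and the assumption that a legitimate RTSP-over-HTTP request carries each of these strings at most once are illustrative.

```python
import re

# Header strings named in the article; matched case-insensitively.
WATCHED = (b"accept:", b"x-sessioncookie")


def split_head(request: bytes) -> bytes:
    """Return the request line plus headers, stopping at the first blank line."""
    m = re.search(rb"\r?\n\r?\n", request)
    return request[:m.start()] if m else request


def count_watched(request: bytes) -> dict:
    """Count each watched string anywhere in the header block (not the body)."""
    head = split_head(request).lower()
    return {w.decode(): head.count(w) for w in WATCHED}


def is_suspicious(request: bytes, limit: int = 1) -> bool:
    """Flag a request that repeats a watched string more than `limit` times.

    Assumption: a normal tunnelling client sends each string once.
    """
    return any(n > limit for n in count_watched(request).values())


def scan(requests):
    """Return (index, counts) for every flagged request in a capture."""
    return [(i, count_watched(r)) for i, r in enumerate(requests)
            if is_suspicious(r)]


# Constructed sample requests (not taken from real traffic).
NORMAL = (b"GET /stream HTTP/1.0\r\n"
          b"x-sessioncookie: abc123\r\n"
          b"Accept: application/x-rtsp-tunnelled\r\n\r\n")
REPEATED = (b"GET /stream HTTP/1.0\r\n"
            b"Accept: a\r\nACCEPT: b\r\n"
            b"x-sessioncookie: c\r\n\r\n")
BODY_ONLY = (b"POST /stream HTTP/1.0\r\n"
             b"x-sessioncookie: abc123\r\n\r\n"
             b"Accept: Accept: Accept:")

if __name__ == "__main__":
    for idx, counts in scan([NORMAL, REPEATED, BODY_ONLY]):
        print(f"request {idx} flagged: {counts}")
```

A check like this only narrows down which traffic to inspect; hosts running the affected library still need the vendor's patched release.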

The vulnerability was patched by Live Networks

The critical security flaw was reported to Live Networks on October 10 and publicly disclosed on October 18. The security patch was released on October 17.[3]

About the author


Gabriel E. Hall is an antivirus software specialist at Reviewedbypro.com.


References


