CVE-2019-7732 in Live555

Summary

by MITRE

In Live555 0.95, a setup packet can cause a memory leak leading to DoS because, when there are multiple instances of a single field (username, realm, nonce, uri, or response), only the last instance can ever be freed.


Analysis

by VulDB Data Team • 07/09/2023

The vulnerability identified as CVE-2019-7732 resides within the Live555 streaming media library version 0.95, representing a critical memory management flaw that can be exploited to cause denial of service conditions. This issue specifically manifests during the processing of RTSP (Real Time Streaming Protocol) setup packets where the library fails to properly handle multiple instances of authentication-related fields. The flaw stems from the library's insufficient memory cleanup mechanisms when encountering repeated field occurrences in RTSP authentication headers.

The technical root cause of this vulnerability lies in the improper handling of duplicate field instances within RTSP setup packets. When the Live555 library processes authentication headers containing multiple occurrences of fields such as username, realm, nonce, uri, or response, it only retains references to the final instance of each field while failing to free the memory allocated for previous instances. Each unreleased block persists for the rest of the application's runtime, so the leaked memory accumulates with every such packet. The vulnerability aligns with CWE-401 (Missing Release of Memory after Effective Lifetime), which addresses improper handling of memory allocation and deallocation, and represents a classic example of memory leak exploitation in network protocol handling code.

The operational impact of this vulnerability is significant as it enables a remote attacker to systematically consume available memory resources through carefully crafted RTSP setup packets. By repeatedly sending malformed packets containing multiple instances of authentication fields, an attacker can cause the target system to gradually exhaust its memory capacity until the application becomes unresponsive or crashes entirely. This memory exhaustion leads to a denial of service condition that affects legitimate users attempting to access streaming services. The vulnerability is particularly dangerous in environments where Live555 is used as part of streaming servers or media gateways, as these systems often handle numerous concurrent connections and are prime targets for resource exhaustion attacks.

The attack vector for this vulnerability requires an attacker to send specially crafted RTSP setup packets containing duplicate field instances to a vulnerable Live555 implementation. The attacker does not need authentication credentials or deep protocol knowledge beyond understanding how to construct valid RTSP packets with repeated header fields. This makes the vulnerability particularly accessible and dangerous in production environments where streaming services are exposed to untrusted network traffic. The vulnerability demonstrates characteristics consistent with ATT&CK technique T1499.004, which involves network denial of service through resource exhaustion attacks, and specifically targets the availability aspect of the CIA triad.

Mitigation strategies for CVE-2019-7732 primarily involve upgrading to a patched version of the Live555 library where proper memory management has been implemented to handle duplicate field instances correctly. Organizations should also implement network-level protections such as rate limiting and packet filtering to reduce the impact of potential attacks. Additionally, monitoring systems should be deployed to detect unusual memory usage patterns that may indicate exploitation attempts. The fix typically involves modifying the library's packet parsing logic to ensure that all instances of repeated fields are properly tracked and freed, preventing the accumulation of memory leaks. Security teams should also consider implementing intrusion detection systems that can identify and block malformed RTSP packets containing duplicate fields, providing an additional layer of defense against this specific vulnerability.
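The leak pattern and the fix described above, as an added C model that is not Live555 source code and not part of the original entry. The parser keeps one pointer per authentication field, and `leaked_blocks` (like every other name here, hypothetical) counts the copies still allocated after teardown, with and without freeing the previous value when a field repeats. The parameter string is constructed.

```c
/* Model of the bug class; NOT Live555 source. All names are hypothetical. */
#include <stdlib.h>
#include <string.h>
enum { NFIELDS = 5, MAXBLK = 64 };
static const char *FIELDS[NFIELDS] = {"username", "realm", "nonce", "uri", "response"};
typedef struct { char *val[NFIELDS]; } auth_t;
/* Constructed sample parameter list: "nonce" appears three times. */
const char SAMPLE[] = "username=\"u\", realm=\"r\", nonce=\"n1\", nonce=\"n2\", "
                      "nonce=\"n3\", uri=\"rtsp://example.invalid/s\", response=\"x\"";
static char *blocks[MAXBLK];   /* every allocation, so orphans can be counted */
static int nblocks;
static char *dup_n(const char *s, size_t n) {
    char *p = nblocks < MAXBLK ? calloc(1, n + 1) : NULL;  /* zeroed: NUL-terminated */
    if (p) blocks[nblocks++] = memcpy(p, s, n);
    return p;
}
static void release(char *p) {
    for (int i = 0; p && i < nblocks; i++)
        if (blocks[i] == p) { free(p); blocks[i] = NULL; return; }
}
/* Parse name="value" pairs. free_prev == 0: a repeated field overwrites the
   slot and orphans the earlier copy. free_prev == 1: the old copy is freed. */
static void parse_auth(auth_t *a, const char *p, int free_prev) {
    while (*p) {
        while (*p == ' ' || *p == ',') p++;
        const char *eq = strchr(p, '=');
        const char *end = (eq && eq[1] == '"') ? strchr(eq + 2, '"') : NULL;
        if (!end) break;
        size_t klen = (size_t)(eq - p);
        for (int i = 0; i < NFIELDS; i++)
            if (strlen(FIELDS[i]) == klen && !strncmp(p, FIELDS[i], klen)) {
                if (free_prev) release(a->val[i]);
                a->val[i] = dup_n(eq + 2, (size_t)(end - eq - 2));
            }
        p = end + 1;
    }
}
/* One free per field at teardown, then count and reclaim what is still live. */
int leaked_blocks(const char *hdr, int free_prev) {
    auth_t a = {{0}};
    int n = 0;
    parse_auth(&a, hdr, free_prev);
    for (int i = 0; i < NFIELDS; i++) release(a.val[i]);
    for (int i = 0; i < nblocks; i++)
        if (blocks[i]) { free(blocks[i]); n++; }
    nblocks = 0;
    return n;
}
int main(void) { return leaked_blocks(SAMPLE, 1); }  /* exit 0: fixed path leaks nothing */
```

With `free_prev` set to 0 the sample leaves two orphaned copies of `nonce` per parse, which is the growth a memory-usage monitor would see accumulate across requests.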

Reservation

02/11/2019

Moderation

accepted

CPE

ready

EPSS

0.00334

KEV

no

Activities

very low
