CVE-2021-38381 in Live555

Summary

by MITRE • 08/11/2021

Live555 through 1.08 does not handle MPEG-1 or 2 files properly. Sending two successive RTSP SETUP commands for the same track causes a Use-After-Free and daemon crash.


Analysis

by VulDB Data Team • 08/16/2021

The vulnerability identified as CVE-2021-38381 affects Live555 versions up to and including 1.08, representing a critical security flaw in media streaming protocols that can lead to denial of service and potential remote code execution. This issue specifically manifests when processing MPEG-1 or MPEG-2 files through the RTSP protocol implementation within the Live555 streaming media library. The vulnerability stems from improper handling of successive RTSP SETUP commands targeting the same track within media streams, creating a dangerous condition where memory is accessed after it has been freed.

The technical implementation of this flaw involves the Live555 library's RTSP server component failing to properly manage memory allocation and deallocation sequences when processing multiple SETUP requests for identical media tracks. When two consecutive RTSP SETUP commands are sent for the same track, the library's internal state management becomes corrupted, leading to a use-after-free condition where previously deallocated memory regions are accessed by subsequent operations. This memory corruption directly results in daemon crashes and can potentially be exploited to execute arbitrary code on the affected system. The vulnerability is classified under CWE-416 as a Use-After-Free condition, which is a well-documented class of memory safety issues that frequently leads to system instability and security breaches.

From an operational perspective, this vulnerability poses significant risks to media streaming servers, video surveillance systems, and any network infrastructure relying on Live555 for RTSP protocol handling. The impact extends beyond simple denial of service as the potential for remote code execution makes this a critical concern for network security. Attackers can exploit this flaw by simply sending two successive RTSP SETUP commands to a vulnerable server, requiring minimal technical expertise and network access. The vulnerability affects systems where Live555 is embedded in network video recorders, surveillance cameras, and media streaming appliances, making it particularly dangerous in enterprise and industrial environments where such devices are prevalent.

The ATT&CK framework categorizes this vulnerability under T1190 - Exploit Public-Facing Application, as it represents a flaw in a publicly accessible protocol implementation that can be exploited remotely. This vulnerability also maps to T1499.004 - Endpoint Denial of Service, as the primary impact is the disruption of service through daemon crashes. The exploitation requires only basic RTSP protocol knowledge and network connectivity, making it accessible to a wide range of threat actors from script kiddies to sophisticated adversaries. Organizations using Live555 in their media streaming infrastructure should immediately implement mitigations including protocol filtering, rate limiting, and access controls to prevent unauthorized exploitation of this vulnerability.

Mitigation strategies for CVE-2021-38381 should include immediate patching to version 1.09 or later of Live555, which contains the necessary memory management fixes. Network administrators should implement RTSP protocol monitoring and filtering to detect and prevent suspicious SETUP command sequences. Additionally, access controls should be enforced to limit RTSP server exposure to trusted networks only, reducing the attack surface. System hardening measures including memory protection mechanisms and process isolation can further reduce the potential impact of successful exploitation attempts. Organizations should also conduct vulnerability assessments to identify all systems running vulnerable versions of Live555 and implement comprehensive monitoring to detect potential exploitation attempts. The fix addresses the underlying memory management issues by ensuring proper reference counting and state synchronization during RTSP SETUP command processing, preventing the use-after-free condition that leads to daemon crashes.
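One way to implement the SETUP-sequence monitoring mentioned above, as an added example (not VulDB or Live555 code): it parses one reassembled client-to-server RTSP stream and reports any track that receives a second SETUP without a TEARDOWN in between. It assumes plaintext RTSP/1.0 over TCP and Live555-style `/trackN` track URLs; the sample streams and address are constructed, and a hit is a heuristic signal to review, not proof of exploitation.

```python
import re
from urllib.parse import urlsplit

REQUEST_LINE = re.compile(rb"^([A-Z_]+) (\S+) RTSP/1\.0$")

def parse_requests(stream: bytes):
    """Yield (method, uri) for each RTSP request in one client-to-server TCP stream."""
    pos = 0
    while pos < len(stream):
        if stream[pos:pos + 1] == b"$":  # interleaved frame: '$', channel, 2-byte length
            pos += 4 + int.from_bytes(stream[pos + 2:pos + 4], "big")
            continue
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break  # truncated request at the end of the capture
        lines = stream[pos:end].split(b"\r\n")
        pos = end + 4
        for header in lines[1:]:  # skip any body announced by Content-Length
            name, _, value = header.partition(b":")
            if name.strip().lower() == b"content-length" and value.strip().isdigit():
                pos += int(value.strip())
        match = REQUEST_LINE.match(lines[0])
        if match:
            yield match.group(1).decode(), match.group(2).decode("latin-1")

def find_repeated_setups(stream: bytes):
    """Return track paths that got a second SETUP with no TEARDOWN in between."""
    active, hits = set(), []
    for method, uri in parse_requests(stream):
        path = urlsplit(uri).path.rstrip("/")
        if method == "SETUP":
            if path in active:
                hits.append(path)
            active.add(path)
        elif method == "TEARDOWN":  # tearing down the presentation releases its tracks
            active = {t for t in active if t != path and not t.startswith(path + "/")}
    return hits

def _request(method, uri, cseq):  # builds constructed sample input only
    return f"{method} {uri} RTSP/1.0\r\nCSeq: {cseq}\r\n\r\n".encode()

BASE = "rtsp://192.0.2.10:8554/clip.mpg"  # constructed address (documentation range)
NORMAL = (_request("SETUP", BASE + "/track1", 1) + _request("SETUP", BASE + "/track2", 2)
          + _request("TEARDOWN", BASE, 3) + _request("SETUP", BASE + "/track1", 4))
REPEATED = _request("SETUP", BASE + "/track1", 1) + _request("SETUP", BASE + "/track1", 2)

if __name__ == "__main__":
    print(find_repeated_setups(NORMAL), find_repeated_setups(REPEATED))
```

Run it per TCP connection on streams reassembled from a capture or proxy log; the same state machine can back a filtering proxy that rejects the second SETUP instead of reporting it.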

Reservation: 08/10/2021

Disclosure: 08/11/2021

Moderation: accepted

CPE: ready

EPSS: 0.01190

KEV: no

Activities: very low
