CVE-2021-38382 in Live555info

Summary

by MITRE • 08/11/2021

Live555 through 1.08 does not handle Matroska and Ogg files properly. Sending two successive RTSP SETUP commands for the same track causes a Use-After-Free and daemon crash.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 08/16/2021

The vulnerability identified as CVE-2021-38382 affects the Live555 media streaming library version 1.08 and earlier, representing a critical security flaw that stems from improper handling of Matroska and Ogg media files within the Real Time Streaming Protocol implementation. This issue manifests when an attacker sends two consecutive RTSP SETUP commands targeting the same track within these media formats, creating a dangerous condition that leads to memory corruption and subsequent daemon crashes. The flaw resides in the library's failure to properly manage memory allocation and deallocation processes during the setup phase of media streaming sessions, particularly when processing structured media containers that utilize the Matroska and Ogg formats.

The technical exploitation of this vulnerability involves a specific sequence of operations that triggers a use-after-free condition, which is classified under CWE-416 as the use of freed memory. When the first RTSP SETUP command is processed, the library allocates memory structures to handle the track setup, but subsequent processing of a second identical SETUP command causes the library to free these memory resources while simultaneously attempting to reference them again. This race condition occurs within the RTSP server implementation where the library does not adequately track the lifecycle of allocated resources during multi-step setup operations. The daemon crash that results from this condition represents a denial of service vulnerability that can be exploited by remote attackers to disrupt streaming services that rely on Live555 for media delivery.

The operational impact of this vulnerability extends beyond simple service disruption, as it can compromise the availability and reliability of streaming services across various applications that depend on Live555 for real-time media processing. Organizations utilizing this library for video streaming, live broadcasting, or media server implementations face significant risk of service interruptions when attackers exploit this flaw through crafted RTSP requests. The vulnerability affects systems ranging from media servers and content delivery networks to embedded devices and streaming applications that handle Matroska and Ogg formatted media files. From an attacker perspective, this represents a straightforward exploitation vector that requires minimal technical expertise to execute, as it only requires sending two specific RTSP commands to trigger the memory corruption and daemon crash.

Mitigation strategies for CVE-2021-38382 primarily focus on immediate remediation through library version updates, as the vulnerability has been addressed in Live555 versions beyond 1.08. Organizations should conduct comprehensive inventory assessments to identify all systems and applications utilizing vulnerable Live555 versions and implement patch management procedures to upgrade to secure releases. Network-level mitigations can include implementing RTSP request filtering and rate limiting to prevent rapid successive SETUP command sequences, though these measures are less effective than proper code-level fixes. Additionally, security monitoring should be enhanced to detect unusual RTSP traffic patterns that may indicate exploitation attempts, while application-level defenses should incorporate proper input validation and resource management practices that prevent similar use-after-free conditions in other components. The vulnerability aligns with ATT&CK technique T1499.004 for network denial of service attacks and represents a classic example of memory safety issues that can be prevented through proper software development practices and comprehensive security testing.

Reservation

08/10/2021

Disclosure

08/11/2021

Moderation

accepted

CPE

ready

EPSS

0.01190

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!