CVE-2018-4013: LIVE555 streaming media RTSP Server Remote Code Execution Vulnerability
Recently, the Talos team announced CVE-2018-4013, a high-risk remote code execution vulnerability in Live Networks LIVE555. The vulnerability stems from the HTTP packet parsing function of the LIVE555 RTSP server library. By sending a specially crafted packet, an attacker can trigger a stack-based buffer overflow, which leads to code execution.
“The LIVE555 Media Libraries are a lightweight set of multimedia streaming libraries for RTSP/RTCP/RTSP/SIP, with code support for both servers and clients. They are utilized by popular media players such as VLC and MPlayer, as well as a multitude of embedded devices (mainly cameras).”
CVSSv3 Score:
10.0 – CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected version
- Live Networks LIVE555 Media Server Version 0.92
Solution
LIVE555 Streaming Media has released a patch that fixes this vulnerability. Affected users should upgrade as soon as possible.