A security researcher has announced the discovery of a critical vulnerability in two of the most popular media players — MPlayer and VLC. The issue was found in the LIVE555 media streaming library which is used in both applications and tracked in the CVE-2018-4013 advisory.
CVE-2018-4013: VLC and MPlayer Vulnerability Caused by Live555 Media Streaming Library
The two popular media players VLC and MPlayer were found to be affected by the same vulnerability. This was reported by a security researcher that found that the root of the cause is the LIVE555 media streaming library which they both use. It is maintained by the Live Networks company and serves to provide compatibility with RTP and SIP protocols and processing various audio and video formats. Without it VLC and MPlayer will not be able to play streaming media which is one of their most important features.
The CVE-2018-4013 advisory has been assigned to the vulnerability, it indicates that unpatched versions of the software allows millions of users worldwide to become possible victims of hacker attacks. The reason for this is the way HTTP requests are made. Hackers can craft a special packet causing a stack-based buffer overflow which can be used for code execution. The full description of the CVE-2018-4013 advisory reads the following:
An exploitable code execution vulnerability exists in the HTTP packet-parsing functionality of the LIVE555 RTSP server library version 0.92. A specially crafted packet can cause a stack-based buffer overflow, resulting in code execution. An attacker can send a packet to trigger this vulnerability.
These two programs are among the most commonly installed third-party software by end users and this is the reason why such problems are automatically classified as major impacts. However the security report does indicate that the problem does not lie within the codebase of the applications but rather components that are developed by outside sources and used for enhancing the player’s functions. In this particular case the media streaming component is essential for providing one of the core functions.
Both players have issued security updates and users are advised to apply them as soon as possible.