Allocation of Resources Without Limits or Throttling in Bento4

#VU36256 Allocation of Resources Without Limits or Throttling in Bento4

Published: 2019-01-02 | Updated: 2020-08-08

Vulnerability identifier: #VU36256

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-20659

CWE-ID: CWE-770

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Bento4
Universal components / Libraries / Libraries used by multiple products

Vendor: axiomatic-systems

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

An issue was discovered in Bento4 1.5.1-627. The AP4_StcoAtom class in Core/Ap4StcoAtom.cpp has an attempted excessive memory allocation when called from AP4_AtomFactory::CreateAtomFromStream in Core/Ap4AtomFactory.cpp, as demonstrated by mp42hls.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Bento4: 1.5.1-627

External links
http://github.com/axiomatic-systems/Bento4/issues/350

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in axiomatic-systems Bento4