GPAC gf_import_message() Function Buffer Overflow Vulnerability [CVE-2019-11221]

CVE Number – CVE-2019-11221

A vulnerability in GPAC could allow an unauthenticated, remote attacker to trigger a buffer overflow condition on a targeted system.The vulnerability is due to insufficient checks in the gf_import_message function, as defined in the media_import.c source code file of the affected software. An attacker could exploit this vulnerability by sending a crafted SubRip Subtitle (SRT) file to the affected software. A successful exploit could allow the attacker to cause a buffer overflow condition on the targeted system, which could be used to gain access to sensitive information, modify files on the system or cause a denial of service (DoS) condition. GPAC has not confirmed this vulnerability and software updates are not available; however, third party announcements are available. Proof-of-concept (PoC) code that demonstrates an exploit of this vulnerability is publicly available.

Analysis

• To exploit this vulnerability, the attacker must send a crafted SRT file to the targeted system, making exploitation more difficult in environments that restrict network access from untrusted sources.

Safeguards

• Administrators are advised to check the vendor for future updates.Administrators are advised to allow only trusted users to have network access.Administrators are advised to monitor critical systems.

Vendor Announcements

• At the time this alert was first published, GPAC had not released a security advisory; however, a third-party announcement is available at the following link: buffer overflow issue
  

Fixed Software

• At the time this alert was first published, GPAC had not released software updates.