Live Networks LIVE555 Media Server Setup Packet Memory Leak Denial of Service Vulnerability
In Live555 0.95, a setup packet can cause a memory leak leading to DoS because, when there are multiple instances of a single field (username, realm, nonce, uri, or response), only the last instance can ever be freed.
A vulnerability in the LIVE555 Media Server could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system. The vulnerability is due to a memory leak condition in the affected software when multiple instances of a single field exist within a setup packet. An attacker could exploit the vulnerability by sending a malicious setup packet to a targeted system. A successful exploit could cause the targeted system to crash, resulting in a DoS condition. Proof-of-concept (PoC) code that demonstrates an exploit of this vulnerability is publicly available. Live Networks has confirmed the vulnerability; however, software updates are not available.
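The leak class described above, shown as an added example that is not LIVE555 source code: a parser that stores each field value in a single pointer loses every earlier instance of a repeated field unless it frees the old value before overwriting it. The struct, function names, allocation counter and sample header are all hypothetical and constructed for illustration.

```c
/* Added illustration, not LIVE555 source; all names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
static int live_allocs; /* values allocated by the parser and not yet freed */
struct digest_fields { char *username, *realm, *nonce, *uri, *response; };

static char *dup_value(const char *s, size_t n) {
    char *p = malloc(n + 1);
    if (!p) return NULL;
    memcpy(p, s, n); p[n] = '\0';
    live_allocs++;
    return p;
}

static void free_value(char *p) { if (p) { free(p); live_allocs--; } }

static char **slot_for(struct digest_fields *f, const char *name, size_t n) {
    static const char *names[] = {"username", "realm", "nonce", "uri", "response"};
    char **slots[] = {&f->username, &f->realm, &f->nonce, &f->uri, &f->response};
    for (int i = 0; i < 5; i++)
        if (strlen(names[i]) == n && memcmp(names[i], name, n) == 0) return slots[i];
    return NULL;
}

/* free_old=0: leaky pattern; free_old=1: fix. Returns values still allocated after cleanup. */
int parse_and_count_leaks(const char *hdr, int free_old) {
    struct digest_fields f = {0};
    const char *p = hdr;
    live_allocs = 0;
    while ((p = strchr(p, '=')) != NULL) {
        const char *name = p, *val = p + 2, *end;
        if (p[1] != '"' || (end = strchr(val, '"')) == NULL) { p++; continue; }
        while (name > hdr && name[-1] != ' ' && name[-1] != ',') name--;
        char **slot = slot_for(&f, name, (size_t)(p - name));
        if (slot) {
            if (free_old) free_value(*slot); /* fix: release the earlier instance */
            *slot = dup_value(val, (size_t)(end - val));
        }
        p = end + 1;
    }
    free_value(f.username); free_value(f.realm); free_value(f.nonce);
    free_value(f.uri); free_value(f.response); /* cleanup only sees the last instance */
    return live_allocs;
}

int main(void) { /* constructed header with three instances of one field */
    const char *hdr = "Digest username=\"a\", username=\"b\", username=\"c\", realm=\"r\"";
    printf("leaky: %d, fixed: %d\n", parse_and_count_leaks(hdr, 0), parse_and_count_leaks(hdr, 1));
}
```

Rejecting a request that repeats a field is an alternative to freeing the old value; either way, each pointer must own at most one allocation at any time.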