CVE-2018-10790 – This vulnerability in Bento4's AP4

Q: What is the severity of CVE-2018-10790?

CVE-2018-10790 has a CVSS score of 7.5 (HIGH). This vulnerability in Bento4's AP4_CttsAtom class allows remote attackers to cause denial of service through application crashes by triggering memory allocation failures. It affects systems using Bento4 1.5.1.0 for media processing, particularly when handling malicious MP4 files.

📋 TL;DR

This vulnerability in Bento4's AP4_CttsAtom class allows remote attackers to cause denial of service through application crashes by triggering memory allocation failures. It affects systems using Bento4 1.5.1.0 for media processing, particularly when handling malicious MP4 files.

💻 Affected Systems

Products:

Bento4

Versions: 1.5.1.0

Operating Systems: All platforms running Bento4

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability exists in the AP4_CttsAtom.cpp file and affects any application using Bento4 library to process MP4 files.

📦 What is this software?

Bento4 by Axiosys

View all CVEs affecting Bento4 →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service disruption through repeated application crashes, potentially affecting media processing pipelines or applications relying on Bento4 library.

🟠

Likely Case

Application crashes when processing specially crafted media files, leading to temporary service unavailability.

🟢

If Mitigated

Limited impact with proper input validation and resource monitoring in place.

🌐 Internet-Facing: MEDIUM - Exploitable via malicious media files but requires specific conditions and targeting.

🏢 Internal Only: LOW - Requires user interaction or specific media processing workflows.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Demonstrated via mp2aac tool; exploitation requires crafting malicious MP4 files.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5.1.1 and later

Vendor Advisory: https://github.com/axiomatic-systems/Bento4/issues/390

Restart Required: Yes

Instructions:

1. Update Bento4 to version 1.5.1.1 or later. 2. Recompile any applications using Bento4 library. 3. Restart affected services.

🔧 Temporary Workarounds

Input validation for media files

all

Implement strict validation of MP4 files before processing with Bento4

Resource limits

linux

Set memory allocation limits for Bento4 processes

ulimit -v [memory_limit_in_kb]

🧯 If You Can't Patch

Isolate Bento4 processing to dedicated containers with resource constraints
Implement network segmentation to limit exposure of media processing services

🔍 How to Verify

Check if Vulnerable:

Check Bento4 version: bento4 --version or examine library version in applications

Check Version:

bento4 --version

Verify Fix Applied:

Verify version is 1.5.1.1 or later and test with known malicious MP4 samples

📡 Detection & Monitoring

Log Indicators:

Application crashes with memory allocation errors
Segmentation faults in Bento4 processes

Network Indicators:

Unusual media file uploads to processing endpoints

SIEM Query:

process_name:"bento4" AND (event_type:"crash" OR error:"memory allocation")

📊 Metadata

CVE ID: CVE-2018-10790

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-770

Published: August 25, 2021

Last Updated: November 21, 2024

🔗 References

https://docs.google.com/document/d/1OSwQjtyALgV3OulmWGaTqZrSzk7Ta-xGrcLI0I7SPyM Exploit,Third Party Advisory
https://github.com/axiomatic-systems/Bento4/issues/390 Exploit,Issue Tracking,Third Party Advisory
https://docs.google.com/document/d/1OSwQjtyALgV3OulmWGaTqZrSzk7Ta-xGrcLI0I7SPyM Exploit,Third Party Advisory
https://github.com/axiomatic-systems/Bento4/issues/390 Exploit,Issue Tracking,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2018-10790, you might also want to check these: