CVE-2020-12284
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code or cause denial of service via a specially crafted JPEG file. It affects systems running FFmpeg 4.1 or 4.2.2 that process untrusted JPEG content.
💻 Affected Systems
- FFmpeg
📦 What is this software?
Ffmpeg by Ffmpeg
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, or ransomware deployment.
Likely Case
Application crash causing denial of service, potentially disrupting media processing services.
If Mitigated
Limited impact with proper input validation and sandboxing, potentially just application crashes.
🎯 Exploit Status
The vulnerability was discovered through fuzzing, and a public proof-of-concept is available. Exploitation requires only a malicious JPEG file.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FFmpeg 4.2.3 or later, or apply commits 1812352d767ccf5431aa440123e2e260a4db2726 and a3a3730b5456ca00587455004d40c047f7b20a99
Vendor Advisory: https://security.gentoo.org/glsa/202007-58
Restart Required: Yes
Instructions:
1. Update FFmpeg to version 4.2.3 or later.
2. For source installations, apply the two referenced commits.
3. Restart any services using FFmpeg.
🔧 Temporary Workarounds
Disable JPEG processing
all: Temporarily disable JPEG file processing in FFmpeg configurations
Configure FFmpeg to reject JPEG files or use alternative codecs
Sandbox FFmpeg execution
linux: Run FFmpeg in a container or sandbox with limited privileges
docker run --security-opt no-new-privileges -v /media:/media ffmpeg
firejail --private ffmpeg
🧯 If You Can't Patch
- Implement strict input validation to reject malformed JPEG files before processing
- Deploy network segmentation to isolate FFmpeg services from critical systems
🔍 How to Verify
Check if Vulnerable:
Check FFmpeg version: ffmpeg -version | grep 'version'
Check Version:
ffmpeg -version | head -1
Verify Fix Applied:
Verify version is 4.2.3 or later, or check if commits are applied in source installations
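The version check above can be scripted across a fleet. The following is an added example, not part of the advisory or of FFmpeg: the function name `classify_ffmpeg_version` and the sample lines are constructed for illustration. It reports `review` rather than "vulnerable" for anything below 4.2.3, because distribution packages may carry the fix as a backport under an older upstream version number.

```shell
#!/bin/sh
# Added example: classify the first line of `ffmpeg -version` against the
# fix version (4.2.3) named in this advisory.
# Prints: fixed   -> upstream version is 4.2.3 or later
#         review  -> below 4.2.3; compare with the affected releases and
#                    the distribution advisory (fix may be backported)
#         unknown -> no release number found (e.g. a git snapshot build)
classify_ffmpeg_version() {
    line=$1
    # Expected shape: "ffmpeg version <token> Copyright ..."
    token=$(printf '%s\n' "$line" | sed -n 's/^ffmpeg version \([^ ]*\).*/\1/p')
    token=${token#n}    # git tag builds report e.g. "n4.2.2"
    # Keep only the leading dotted number; drops suffixes like "-1ubuntu1".
    num=$(printf '%s\n' "$token" |
          sed -n 's/^\([0-9][0-9]*\(\.[0-9][0-9]*\)\{1,2\}\).*/\1/p')
    if [ -z "$num" ]; then
        echo unknown
        return 0
    fi
    # Split on dots; a missing patch level counts as 0.
    old_ifs=$IFS; IFS=.; set -- $num; IFS=$old_ifs
    major=$1 minor=${2:-0} patch=${3:-0}
    if [ "$major" -gt 4 ] ||
       { [ "$major" -eq 4 ] && [ "$minor" -gt 2 ]; } ||
       { [ "$major" -eq 4 ] && [ "$minor" -eq 2 ] && [ "$patch" -ge 3 ]; }; then
        echo fixed
    else
        echo review
    fi
}

# Constructed sample lines (not captured from real hosts).
for sample in \
    'ffmpeg version 4.2.2-1ubuntu1 Copyright (c) 2000-2019 the FFmpeg developers' \
    'ffmpeg version 4.2.3 Copyright (c) 2000-2020 the FFmpeg developers' \
    'ffmpeg version N-97777-g3b5a36c56d Copyright (c) 2000-2020 the FFmpeg developers'
do
    printf '%s  <-  %s\n' "$(classify_ffmpeg_version "$sample")" "$sample"
done

# Live check on this host, if ffmpeg is installed.
if command -v ffmpeg >/dev/null 2>&1; then
    classify_ffmpeg_version "$(ffmpeg -version 2>/dev/null | head -1)"
fi
```

For source installations a `fixed` or `review` result does not show whether the two referenced commits were applied; that still has to be checked in the source tree.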
📡 Detection & Monitoring
Log Indicators:
- FFmpeg segmentation faults
- Heap corruption errors
- Abnormal process termination
Network Indicators:
- Unusual outbound connections from FFmpeg processes
- Large JPEG file uploads to media processing endpoints
SIEM Query:
process.name:ffmpeg AND (event.action:segfault OR event.action:abnormal_exit)
🔗 References
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19734
- https://github.com/FFmpeg/FFmpeg/commit/1812352d767ccf5431aa440123e2e260a4db2726
- https://github.com/FFmpeg/FFmpeg/commit/a3a3730b5456ca00587455004d40c047f7b20a99
- https://security.gentoo.org/glsa/202007-58
- https://usn.ubuntu.com/4431-1/
- https://www.debian.org/security/2020/dsa-4722