CVE-2020-24027

9.8 CRITICAL

📋 TL;DR

CVE-2020-24027 is a critical buffer overflow vulnerability in liblivemedia's RTSP server component. When processing a specially crafted RTSP PLAY command with absolute time seeking, attackers can execute arbitrary code or crash the service. This affects any system using vulnerable versions of liblivemedia for RTSP streaming.

💻 Affected Systems

Products:
  • Live Networks liblivemedia
Versions: up to and including 20200625
Operating Systems: All platforms where liblivemedia is deployed
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using liblivemedia's RTSP server functionality with absolute time seeking enabled is vulnerable.

📦 What is this software?

liblivemedia is the core library of the LIVE555 Streaming Media project: C++ code implementing RTSP, RTP and RTCP for both streaming servers and clients.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution with full system compromise, allowing attackers to take complete control of affected servers.

🟠 Likely Case: Service disruption through denial of service (crash) or limited code execution in constrained environments.

🟢 If Mitigated: Minimal impact if proper network segmentation and least privilege principles are implemented.

🌐 Internet-Facing: HIGH - RTSP servers are often internet-facing for streaming purposes, making them directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal RTSP servers could still be exploited by compromised internal systems or malicious insiders.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is in protocol handling and requires no authentication. Public details make exploitation straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 20200625

Vendor Advisory: http://lists.live555.com/pipermail/live-devel/2020-July/021662.html

Restart Required: Yes

Instructions:

1. Download the latest liblivemedia from live555.com.
2. Replace the vulnerable library files.
3. Recompile any dependent applications.
4. Restart affected services.

🔧 Temporary Workarounds

Disable absolute time seeking (platform: all)

Configure the RTSP server to reject PLAY commands with absolute time parameters: modify the RTSP server configuration to disable the 'absolute' time seeking mode (the RFC 2326 "clock=" form of the Range header).

Network filtering (platform: all)

Block or filter RTSP traffic at network boundaries. The blanket rules below drop all inbound RTSP on the host, which also takes the service offline for legitimate clients; where the stream must stay available, restrict the rule to untrusted source ranges instead.

iptables -A INPUT -p tcp --dport 554 -j DROP
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" port port="554" protocol="tcp" drop' && firewall-cmd --reload
netsh advfirewall firewall add rule name="Block RTSP" dir=in action=block protocol=TCP localport=554

🧯 If You Can't Patch

  • Isolate RTSP servers in dedicated network segments with strict access controls
  • Implement application layer firewalls to inspect and filter RTSP traffic

🔍 How to Verify

Check if Vulnerable:

Check the embedded liblivemedia version string: strings /path/to/liblivemedia.so | grep -E '2020\.06\.25|20200625' (the library stores its version as a dotted build date, so match both forms); a build dated 2020.06.25 or earlier is vulnerable.

Check Version:

strings $(ldconfig -p | grep liblivemedia | head -1 | awk '{print $4}') | grep 'LIVE555'

Verify Fix Applied:

Verify version is newer than 20200625 and test RTSP PLAY commands with absolute time parameters
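The following is an added example, not part of this advisory or of the LIVE555 project, that automates the "Check Version" and "Verify Fix Applied" steps against a running server rather than the on-disk library: it sends one RTSP OPTIONS request and compares the build date in the Server header with 2020.06.25. It assumes the server advertises its version as `LIVE555 Streaming Media vYYYY.MM.DD` (the same string the strings/grep command above looks for); the sample response is constructed, and a server that sends no such header is reported as "unknown", in which case fall back to the local strings check.

```python
import re
import socket
import sys
from typing import Optional, Tuple

# Builds dated 2020.06.25 or earlier are affected (see "Affected Systems" above).
LAST_VULNERABLE = (2020, 6, 25)

# Constructed sample response, not captured from a real server. It assumes the
# server advertises the library version as "LIVE555 Streaming Media vYYYY.MM.DD".
SAMPLE_RESPONSE = (
    "RTSP/1.0 200 OK\r\n"
    "CSeq: 1\r\n"
    "Date: Thu, 25 Jun 2020 12:00:00 GMT\r\n"
    "Public: OPTIONS, DESCRIBE, SETUP, TEARDOWN, PLAY, PAUSE\r\n"
    "Server: LIVE555 Streaming Media v2020.06.25\r\n"
    "\r\n"
)

_VERSION_RE = re.compile(r"LIVE555 Streaming Media v(\d{4})\.(\d{2})\.(\d{2})", re.IGNORECASE)


def parse_live555_version(response: str) -> Optional[Tuple[int, int, int]]:
    """Return (year, month, day) from the Server header, or None if not advertised."""
    for line in response.split("\r\n"):
        if line.lower().startswith("server:"):
            m = _VERSION_RE.search(line)
            if m:
                year, month, day = (int(x) for x in m.groups())
                return (year, month, day)
    return None


def is_vulnerable_version(version: Tuple[int, int, int]) -> bool:
    """Tuple comparison orders (year, month, day) chronologically."""
    return version <= LAST_VULNERABLE


def fetch_options_response(host: str, port: int = 554, timeout: float = 5.0) -> str:
    """Send one RTSP OPTIONS request and return the raw response headers."""
    request = (
        f"OPTIONS rtsp://{host}:{port}/ RTSP/1.0\r\n"
        "CSeq: 1\r\n"
        "User-Agent: cve-2020-24027-version-check\r\n"
        "\r\n"
    )
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode("ascii"))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf.decode("ascii", errors="replace")


def classify(response: str) -> str:
    """Turn a response into a one-word verdict usable from a scanning script."""
    version = parse_live555_version(response)
    if version is None:
        return "unknown"  # not LIVE555, or version not advertised: use the local strings check
    return "vulnerable" if is_vulnerable_version(version) else "patched"


if __name__ == "__main__":
    # Usage: python check_live555.py <host>   (no argument: evaluate the constructed sample)
    target = sys.argv[1] if len(sys.argv) > 1 else None
    resp = fetch_options_response(target) if target else SAMPLE_RESPONSE
    print(f"{target or 'sample'}: {classify(resp)} ({parse_live555_version(resp)})")
```

Run it against each RTSP host after patching; a "patched" verdict confirms the new library is actually the one serving traffic, which the on-disk strings check alone does not prove when several copies of the library are installed.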

📡 Detection & Monitoring

Log Indicators:

  • RTSP PLAY commands with unusually long absolute time parameters
  • Service crashes or abnormal termination

Network Indicators:

  • RTSP traffic with malformed PLAY commands
  • Unexpected connections to RTSP port 554

SIEM Query:

source="rtsp_server" AND (message="*PLAY*absolute*" OR message="*buffer overflow*")
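The SIEM query above only matches on the literal word "absolute". As an added example (not part of this advisory), the following detector implements the "RTSP PLAY commands with unusually long absolute time parameters" log indicator directly: it parses PLAY requests out of RTSP server log lines, and flags any Range header using the RFC 2326 absolute-time form ("clock=") whose value is either longer than a length threshold or not a well-formed utc-time. The log line format, the sample lines and the 64-byte threshold are all constructed assumptions; adapt the `_LOG_RE` pattern to your server's actual log layout.

```python
import re
from dataclasses import dataclass
from typing import List

# RFC 2326 absolute ("clock=") time: YYYYMMDDTHHMMSS[.fraction]Z, used as "start-end",
# "start-" or a single instant. Anything else in a clock= range is malformed.
_UTC_TIME = r"\d{8}T\d{6}(?:\.\d+)?Z"
_CLOCK_RANGE_RE = re.compile(rf"^(?:{_UTC_TIME})?-(?:{_UTC_TIME})?$|^{_UTC_TIME}$")

# Constructed log layout (hypothetical): <timestamp> <client> "<method> <url> RTSP/1.0" [range="<Range header>"]
_LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?P<method>[A-Z_]+) (?P<url>\S+) RTSP/1\.0"'
    r'(?: range="(?P<range>[^"]*)")?$'
)

# Constructed threshold: a well-formed clock= range is at most a few dozen bytes.
MAX_ABS_TIME_LEN = 64

# Constructed sample log lines, not captured from a real server.
SAMPLE_LOGS = [
    '2020-07-01T10:00:00Z 10.0.0.5 "PLAY rtsp://cam/stream RTSP/1.0" range="npt=0.000-"',
    '2020-07-01T10:00:01Z 10.0.0.7 "PLAY rtsp://cam/stream RTSP/1.0" range="clock=20200625T120000Z-"',
    '2020-07-01T10:00:02Z 10.0.0.9 "PLAY rtsp://cam/stream RTSP/1.0" range="clock=' + "A" * 300 + '-"',
    '2020-07-01T10:00:03Z 10.0.0.5 "OPTIONS rtsp://cam/stream RTSP/1.0"',
]


@dataclass
class Finding:
    timestamp: str
    client: str
    reason: str
    range_value: str


def inspect_play_range(range_value: str) -> List[str]:
    """Return the reasons a PLAY Range value looks suspicious (empty list if benign)."""
    reasons: List[str] = []
    if not range_value.startswith("clock="):
        # npt= and smpte= ranges are not the absolute-time seeking path this advisory describes.
        return reasons
    value = range_value[len("clock="):]
    if len(value) > MAX_ABS_TIME_LEN:
        reasons.append(f"absolute time parameter is {len(value)} bytes (limit {MAX_ABS_TIME_LEN})")
    if not _CLOCK_RANGE_RE.match(value):
        reasons.append("absolute time parameter is not in RFC 2326 utc-time format")
    return reasons


def scan_logs(lines: List[str]) -> List[Finding]:
    """Apply inspect_play_range to every PLAY request that carries a Range header."""
    findings: List[Finding] = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m or m.group("method") != "PLAY" or m.group("range") is None:
            continue
        for reason in inspect_play_range(m.group("range")):
            findings.append(Finding(m.group("ts"), m.group("client"), reason, m.group("range")))
    return findings


if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"{f.timestamp} {f.client}: {f.reason}")
```

Of the four sample lines only the third is reported (twice: oversized and malformed); the benign npt= range and the well-formed clock= range pass. Pair a hit from this detector with the "service crashes or abnormal termination" indicator for the same client and time window to prioritise it as a probable exploitation attempt rather than a misbehaving player.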
