CVE-2020-36129

8.8 HIGH

📋 TL;DR

CVE-2020-36129 is a stack buffer overflow vulnerability in the AOM (AOMedia Video 1) codec library, version 2.0.1, that allows attackers to execute arbitrary code or cause a denial of service. It affects systems that use the vulnerable AOM library for video processing. The vulnerability is triggered in the src/aom_image.c component when a specially crafted video file is processed.

💻 Affected Systems

Products:
  • AOM (AOMedia Video 1) library
  • Applications using libaom for video encoding/decoding
  • Web browsers with AOM support
  • Media processing software
Versions: AOM v2.0.1 specifically
Operating Systems: Linux, Windows, macOS, BSD
Default Config Vulnerable: ⚠️ Yes
Notes: Any application linking against the vulnerable libaom library is affected when processing video content.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Application crash causing denial of service, potentially leading to service disruption for video processing applications.

🟢 If Mitigated: Limited impact with proper memory protection mechanisms (ASLR, DEP), which may prevent code execution but still allow crashes.

🌐 Internet-Facing: MEDIUM - Requires processing of malicious video files, which could be uploaded to web services or delivered via media content.
🏢 Internal Only: LOW - Typically requires user interaction to process malicious files, limiting internal network exposure.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Proof of concept exists in the Chromium bug tracker. Exploitation requires the target to process a malicious video file.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: AOM v2.0.2 and later

Vendor Advisory: https://bugs.chromium.org/p/aomedia/issues/detail?id=2912

Restart Required: Yes

Instructions:

1. Update the AOM library to version 2.0.2 or later.
2. Rebuild or update applications using libaom.
3. Restart affected services.
4. For package managers: use system updates (apt upgrade libaom, yum update libaom, etc.).

🔧 Temporary Workarounds

Disable AOM video processing
  Platforms: all
  Configure applications to avoid using the AOM codec for video processing.
  Application-specific configuration required.

Input validation for video files
  Platforms: all
  Implement strict validation/sanitization of uploaded video files.
  Implement file type verification and size limits.

🧯 If You Can't Patch

  • Implement network segmentation to isolate systems using AOM library
  • Deploy application allowlisting to prevent unauthorized video processing applications

🔍 How to Verify

Check if Vulnerable:

Check the AOM library version (aomenc --version), or check the installed package version.

Check Version:

aomenc --version 2>/dev/null || dpkg -l | grep libaom || rpm -qa | grep libaom

Verify Fix Applied:

Verify that the AOM version is 2.0.2 or higher: aomenc --version | grep -q '2\.0\.[2-9]\|2\.[1-9]\|3\.'

Note that this grep pattern only accepts 2.0.2 through 2.0.9, 2.1.x through 2.9.x, and 3.x; for newer major releases extend the pattern, or compare the version components numerically instead of matching a fixed regex.
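The following POSIX shell function is an added example, not part of the original advisory or of the libaom project. It extracts the first dotted X.Y.Z triple from a version string (as produced by aomenc --version or a package listing; the exact output format is assumed, not taken from the page) and compares the components numerically against the fixed release 2.0.2, so that versions such as 2.0.10 or 4.x are classified correctly where a fixed regex would not be.

```shell
#!/bin/sh
# Added example (not from the advisory or libaom): numeric check that a libaom
# version string is at or above the fixed release 2.0.2.
# Assumption: the version appears somewhere in the input as an X.Y.Z triple,
# e.g. "2.0.1", "v3.1.0" or "AOMedia Project AV1 Encoder 3.1.0".

# aom_version_fixed "<text containing a version>"
#   returns 0 if the version is >= 2.0.2 (fixed),
#           1 if it is older (vulnerable),
#           2 if no X.Y.Z version could be found.
aom_version_fixed() {
    ver=""
    # Turn every character that is not a digit or a dot into a space, then
    # take the first token that has the shape digits.digits.digits.
    for tok in $(printf '%s\n' "$1" | tr -c '0-9.\n' ' '); do
        case "$tok" in
            [0-9]*.[0-9]*.[0-9]*) ver=$tok; break ;;
        esac
    done
    [ -n "$ver" ] || return 2

    # Split into major / minor / patch; a fourth component, if any, is dropped.
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%.*}

    # Fixed in 2.0.2: major > 2, or major == 2 with minor > 0 or patch >= 2.
    if [ "$major" -gt 2 ]; then return 0; fi
    if [ "$major" -lt 2 ]; then return 1; fi
    if [ "$minor" -gt 0 ]; then return 0; fi
    [ "$patch" -ge 2 ]
}

# check_installed_aom: runs the real aomenc if present and reports the result.
# Kept in a function so that sourcing this file has no side effects.
check_installed_aom() {
    out=$(aomenc --version 2>/dev/null) || { echo "aomenc not found"; return 2; }
    if aom_version_fixed "$out"; then
        echo "libaom is at or above 2.0.2 (fixed for CVE-2020-36129)"
    else
        echo "libaom is below 2.0.2 (vulnerable to CVE-2020-36129): $out"
        return 1
    fi
}
```

Run check_installed_aom on a host, or feed aom_version_fixed the output of dpkg -l or rpm -qa when aomenc is not installed; a return code of 2 means the string carried no recognisable version and the host needs a manual look.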

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation faults
  • Memory corruption errors in application logs
  • Unexpected process termination of video processing services

Network Indicators:

  • Unusual outbound connections from video processing systems
  • Large video file uploads to vulnerable endpoints

SIEM Query:

Process termination events from video encoding/decoding applications, OR application logs containing 'segmentation fault', 'buffer overflow', or 'aom'.
