CVE-2021-32277
📋 TL;DR
This vulnerability in faad2 audio decoding library allows heap buffer overflow in the sbr_qmf_analysis_32 function, potentially enabling remote code execution when processing malicious audio files. It affects systems using faad2 versions through 2.10.0 for audio decoding. Attackers could exploit this by tricking users into opening specially crafted audio files.
💻 Affected Systems
- faad2
- applications using faad2 library (audio players, media servers, converters)
📦 What is this software?
Faad2 by Faad2 Project
⚠️ Risk & Real-World Impact
Worst Case
Full remote code execution with attacker gaining control of the affected system, potentially leading to complete system compromise, data theft, or lateral movement within the network.
Likely Case
Application crash (denial of service) or limited code execution within the context of the audio processing application, potentially allowing file system access or further exploitation.
If Mitigated
Application crash with no code execution if memory protections (ASLR, DEP) are effective, but still causing service disruption.
🎯 Exploit Status
Exploitation requires crafting malicious AAC audio files. Public proof-of-concept exists in GitHub issue #59. No authentication required to trigger the vulnerability when processing files.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: faad2 version 2.10.1 and later
Vendor Advisory: https://github.com/knik0/faad2/issues/59
Restart Required: Yes
Instructions:
1. Update faad2 to version 2.10.1 or later using your package manager.
2. For Debian/Ubuntu: apt update && apt upgrade faad2
3. For source installations: download the latest release from GitHub and rebuild.
4. Restart affected applications/services.
🔧 Temporary Workarounds
Disable AAC audio processing
Temporarily disable AAC audio file processing in affected applications until patched
Application-specific configuration changes required
Use alternative audio decoder
Configure applications to use alternative AAC decoders instead of faad2
Application-specific configuration changes required
🧯 If You Can't Patch
- Implement strict file upload validation for web services processing audio files
- Deploy memory protection mechanisms (ASLR, DEP) and monitor for crash events
🔍 How to Verify
Check if Vulnerable:
Check faad2 version: faad --version or dpkg -l | grep faad2 or rpm -qa | grep faad2
Check Version:
faad --version 2>/dev/null || dpkg -l | grep faad2 || rpm -qa | grep faad2
Verify Fix Applied:
Verify version is 2.10.1 or later: faad --version should show 2.10.1+
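The version check above is easy to get wrong by eye when the package version carries a distribution suffix or an epoch (for example 2.10.0-1 or 1:2.10.1-1). The script below is an added example, not part of the advisory: it compares a version string field by field against the fixed release 2.10.1 in plain POSIX sh, and falls back to the same lookup commands the advisory lists. The package-name patterns and the assumption that faad --version prints an x.y.z version somewhere in its output are mine, not documented by the project.

```shell
#!/bin/sh
# Added example, not part of the advisory: decide whether an installed faad2
# version is at or beyond the fixed release (2.10.1). Pure POSIX sh; does not
# rely on GNU "sort -V". Package names and the faad --version output format
# used in detect_faad2_version are assumptions.

FAAD2_FIXED_VERSION="2.10.1"

# version_ge A B: exit 0 when A >= B, comparing dot-separated numeric fields.
# A Debian-style epoch ("1:") is dropped, and distribution suffixes such as
# "2.10.0-1" or "2.10.1~rc1" are truncated to the leading digits of each field
# (assumption: a numeric compare of the upstream version is sufficient here).
version_ge() {
    a="${1#*:}"; b="${2#*:}"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        ax="${ax%%[!0-9]*}"; bx="${bx%%[!0-9]*}"
        ax="${ax:-0}"; bx="${bx:-0}"
        [ "$ax" -gt "$bx" ] && return 0
        [ "$ax" -lt "$bx" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# faad2_status VERSION: prints "fixed" or "vulnerable" for a version string.
faad2_status() {
    if version_ge "$1" "$FAAD2_FIXED_VERSION"; then
        echo "fixed"
    else
        echo "vulnerable"
    fi
}

# detect_faad2_version: best-effort local lookup with the commands the advisory
# lists (dpkg, rpm, faad --version); prints the first version found, or nothing.
detect_faad2_version() {
    v=$(dpkg -l 2>/dev/null | awk '/^ii .*faad2/ {print $3; exit}')
    [ -z "$v" ] && v=$(rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 2>/dev/null | awk '/faad2/ {print $2; exit}')
    [ -z "$v" ] && v=$(faad --version 2>&1 | grep -o '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' | head -n 1)
    printf '%s\n' "$v"
}

# Usage: sh check_faad2.sh [VERSION]; with no argument the local install is inspected.
if [ -n "${1:-}" ]; then
    printf 'faad2 %s: %s\n' "$1" "$(faad2_status "$1")"
else
    found=$(detect_faad2_version)
    if [ -n "$found" ]; then
        printf 'installed faad2 %s: %s\n' "$found" "$(faad2_status "$found")"
    else
        echo "faad2 not found via dpkg, rpm or faad --version"
    fi
fi
```

Note that a distribution may backport the fix into a package whose version is still below 2.10.1 (the Debian advisories in the references are an example of that), so on such systems the package changelog, not the upstream version number, is the authoritative check.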
📡 Detection & Monitoring
Log Indicators:
- Application crashes with segmentation faults in faad2 processes
- Memory access violation errors in application logs
Network Indicators:
- Unusual audio file uploads to web services
- Large number of AAC file processing attempts
SIEM Query:
(Process:faad2 AND (EventID:1000 OR Signal:SIGSEGV)) OR (FileType:AAC AND Upload:Success)
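The log indicators above (segmentation faults in processes that load faad2) can be checked on a host without a SIEM. The script below is an added example, not part of the advisory or the faad2 project: it filters a syslog-style text export for kernel "segfault at" records whose process or faulting library mentions faad, and prints a short report. The four log lines are constructed for the demo in the Linux kernel segfault message format; they are not real incident data.

```shell
#!/bin/sh
# Added example, not part of the advisory: scan a syslog/journal text export for
# the crash indicator the advisory lists (segmentation faults in processes that
# load faad2). Sample log lines are constructed, not real.

# faad2_crash_lines FILE: the segfault records that mention faad, either as the
# crashing process or as the faulting library. Case-insensitive, so both
# "libfaad.so.2" and "FAAD" match.
faad2_crash_lines() {
    grep -i 'segfault at' "$1" | grep -i 'faad'
}

# faad2_crash_count FILE: number of such records, as a bare integer (0 if none).
faad2_crash_count() {
    faad2_crash_lines "$1" | grep -c . || true
}

# faad2_crash_report FILE: one line per hit, "DATE TIME process[pid] in library".
# Assumes the classic "Mon DD HH:MM:SS host kernel: [ ts] proc[pid]: segfault ..."
# layout; adjust the leading timestamp pattern for other log formats.
faad2_crash_report() {
    faad2_crash_lines "$1" |
      sed -n 's/^\([A-Za-z]* [0-9]* [0-9:]*\) .*\] \([^ ]*\[[0-9]*\]\): segfault .* in \([^[]*\)\[.*$/\1 \2 in \3/p'
}

# write_sample_log: writes the constructed sample and prints its path. Two
# crashes inside libfaad (one in faad itself, one in a player that loaded it),
# one unrelated crash, and one benign AAC processing message.
write_sample_log() {
    f="${TMPDIR:-/tmp}/faad2_sample_$$.log"
    cat > "$f" <<'EOF'
Oct 12 10:01:33 media01 kernel: [ 1234.567890] faad[4321]: segfault at 7f3c1a2b3c4d ip 00007f3c1a2b3c4d sp 00007ffd11223344 error 4 in libfaad.so.2.0.0[7f3c1a200000+40000]
Oct 12 10:01:35 media01 kernel: [ 1236.001122] ffmpeg[4355]: segfault at 0 ip 00007f00dea10b2c sp 00007ffd55667788 error 6 in libfaad.so.2.0.0[7f00dea00000+40000]
Oct 12 10:02:00 media01 kernel: [ 1261.000000] chromium[5000]: segfault at 0 ip 000055aa0a0b0c0d sp 00007ffd00000000 error 4 in chromium[55aa00000000+1000000]
Oct 12 10:02:10 media01 mediaserver[4400]: transcoding job 17 finished for upload track.aac
EOF
    echo "$f"
}

# Demo run on the constructed sample; point the functions at /var/log/syslog or
# "journalctl -k -o short" output on a real host.
demo=$(write_sample_log)
faad2_crash_report "$demo"
echo "faad2-related segfaults: $(faad2_crash_count "$demo")"
rm -f "$demo"
```

Two crashes whose faulting address lies inside libfaad within a couple of seconds, on a host that accepts user-supplied audio, is the pattern worth alerting on; a single crash in an unrelated library (the chromium line) is filtered out, as is routine AAC transcoding chatter.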
🔗 References
- https://github.com/knik0/faad2/issues/59
- https://lists.debian.org/debian-lts-announce/2021/10/msg00020.html
- https://www.debian.org/security/2022/dsa-5109