CVE-2021-33499

7.5 HIGH

📋 TL;DR

This vulnerability in Pexip Infinity allows remote attackers to cause a denial of service by sending specially crafted H.264 video input that the software does not properly validate. It affects all Pexip Infinity deployments before version 26 that process video streams.

💻 Affected Systems

Products:
  • Pexip Infinity
Versions: All versions before 26
Operating Systems: Linux-based appliance OS
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments processing H.264 video streams are affected. The vulnerability is in the core video processing component.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service disruption making the Pexip Infinity platform unavailable for all users, potentially requiring a system restart or reconfiguration.

🟠 Likely Case

Service instability, dropped calls, or degraded video quality affecting the user experience during video conferences.

🟢 If Mitigated

Minimal impact with proper network segmentation and input validation controls in place.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely without authentication, making internet-facing instances particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal instances are still vulnerable but have reduced attack surface compared to internet-facing deployments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only that a malformed H.264 video stream be sent to the system, which any client or attacker with network access can do.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 26 or later

Vendor Advisory: https://docs.pexip.com/admin/security_bulletins.htm

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Upgrade to Pexip Infinity version 26 or later.
3. Restart the system.
4. Verify the upgrade was successful.

🔧 Temporary Workarounds

  • Network segmentation (all): Restrict access to Pexip Infinity systems to trusted networks only
  • Input validation proxy (all): Deploy a proxy that validates H.264 streams before they reach Pexip Infinity

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can send video streams to the system
  • Monitor system performance and logs for signs of DoS attacks and have incident response procedures ready

🔍 How to Verify

Check if Vulnerable:

Check the Pexip Infinity version via the admin web interface, or SSH to the appliance and run 'pexip --version'

Check Version:

pexip --version

Verify Fix Applied:

Confirm the version is 26 or higher, then test video conferencing functionality with a variety of H.264 streams

📡 Detection & Monitoring

Log Indicators:

  • Unusual system crashes
  • High CPU/memory usage spikes
  • Failed video processing errors
  • Service restart events

Network Indicators:

  • Unusual volume of H.264 traffic from single sources
  • Malformed video packet patterns
  • Connection floods to video ports

SIEM Query:

source="pexip" AND (event_type="crash" OR event_type="restart" OR error_message="H.264" OR cpu_usage>90)
