CVE-2023-38104

8.8 HIGH

📋 TL;DR

This vulnerability in GStreamer's RealMedia file parser allows remote attackers to execute arbitrary code by exploiting an integer overflow when processing MDPR chunks. Any application using GStreamer to parse RealMedia files is potentially affected, including media players, web browsers, and other multimedia applications.

💻 Affected Systems

Products:
  • GStreamer
  • Applications using GStreamer library (VLC, browsers, media applications)
Versions: GStreamer versions before the fix (specific version depends on distribution)
Operating Systems: Linux, Windows, macOS, BSD
Default Config Vulnerable: ⚠️ Yes
Notes: Any application that uses GStreamer's RealMedia demuxer (rmdemux) to parse .rm, .rmvb, or other RealMedia files is vulnerable. This includes many Linux distributions' default media handling.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with the attacker gaining the same privileges as the GStreamer process, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Remote code execution in the context of the media processing application, allowing attackers to steal data, install malware, or pivot to other systems.

🟢 If Mitigated

Application crash or denial of service if the exploit fails, with memory corruption errors potentially visible in logs.

🌐 Internet-Facing: MEDIUM - Exploitation requires user interaction (opening malicious media file) but can be delivered via web applications, email attachments, or compromised websites.
🏢 Internal Only: MEDIUM - Internal users could be tricked into opening malicious files, but requires some level of user interaction.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting a malicious RealMedia file and getting the victim to open it. No authentication is needed, but user interaction is typically required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: GStreamer builds that include the rmdemux integer-overflow fix (the patch linked below); the exact package version depends on your distribution

Vendor Advisory: https://gitlab.freedesktop.org/gstreamer/gstreamer/uploads/d4a0aa4ec2165f6c418703b9e1459d8b/0002-rmdemux-Check-for-integer-overflow-when-calculation-.patch

Restart Required: Yes

Instructions:

1. Update the GStreamer packages from your distribution's repository.
2. Restart any applications using GStreamer.
3. For source installations: apply the patch from the advisory URL and rebuild.

🔧 Temporary Workarounds

Disable RealMedia support (Platform: linux)

Remove or disable GStreamer's RealMedia plugin so the vulnerable file types are never parsed:

sudo apt remove gstreamer1.0-plugins-bad        # Debian/Ubuntu
sudo yum remove gstreamer1-plugins-bad-free     # RHEL/CentOS

File type restrictions (Platform: all)

Block .rm and .rmvb files at the network perimeter or at the application level.

🧯 If You Can't Patch

  • Implement application whitelisting to prevent unauthorized code execution
  • Use sandboxing or containerization for media processing applications

🔍 How to Verify

Check if Vulnerable:

Check the GStreamer version and whether the RealMedia plugin is installed: gst-inspect-1.0 | grep rmdemux

Check Version:

gst-launch-1.0 --version

Verify Fix Applied:

Confirm the installed GStreamer package is at or above the patched version for your distribution, then test playback with known-safe RealMedia files.
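The checks above can be scripted. The following is an added example (not part of this advisory or of the GStreamer project): it runs gst-inspect-1.0 rmdemux when the tool is available, parses the "Plugin Details:" block to report which plugin file ships the demuxer and its version, and compares that version against a fixed version you supply from your distribution's advisory (this page does not state one, so the script uses a placeholder). The sample gst-inspect output embedded below is constructed for offline use.

```python
"""Report whether GStreamer's RealMedia demuxer (rmdemux) is installed and
which plugin/version provides it.  Added example; not from the advisory."""
import re
import shutil
import subprocess

# Constructed sample of `gst-inspect-1.0 rmdemux` output, used when the
# tool is unavailable.  The "Plugin Details:" block is what we parse.
SAMPLE_INSPECT_OUTPUT = """Factory Details:
  Rank                     primary (256)
  Long-name                RealMedia Demuxer
  Klass                    Codec/Demuxer

Plugin Details:
  Name                     realmedia
  Description              RealMedia support plugins
  Filename                 /usr/lib/x86_64-linux-gnu/gstreamer-1.0/libgstrealmedia.so
  Version                  1.22.0
  License                  LGPL
  Source module            gst-plugins-ugly

Pad Templates:
  SINK template: 'sink'
"""

# A "  Key   value" row: the key runs up to the first run of 2+ spaces.
FIELD_RE = re.compile(r"^\s+(?P<key>.+?)\s{2,}(?P<value>\S.*)$")


def parse_plugin_details(text):
    """Return the key/value rows of the 'Plugin Details:' block as a dict."""
    details = {}
    in_block = False
    for line in text.splitlines():
        if line.startswith("Plugin Details:"):
            in_block = True
            continue
        if in_block:
            if not line.strip():      # blank line ends the block
                break
            m = FIELD_RE.match(line)
            if m:
                details[m.group("key")] = m.group("value").strip()
    return details


def parse_version(version):
    """'1.22.0' -> (1, 22, 0); ignores a distro suffix such as '-2ubuntu1'."""
    return tuple(int(x) for x in re.findall(r"\d+", version.split("-")[0]))


def is_at_least(version, minimum):
    return parse_version(version) >= parse_version(minimum)


def inspect_rmdemux():
    """Run `gst-inspect-1.0 rmdemux`; None if the tool or element is absent."""
    tool = shutil.which("gst-inspect-1.0")
    if tool is None:
        return None
    proc = subprocess.run([tool, "rmdemux"], capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else None


def report(inspect_output, fixed_version=None):
    """Summarise exposure.  fixed_version is the first patched version for
    YOUR distribution (placeholder: the advisory does not state one)."""
    if inspect_output is None:
        return {"rmdemux_present": False}
    d = parse_plugin_details(inspect_output)
    ver = d.get("Version", "")
    patched = None
    if fixed_version and ver:
        patched = is_at_least(ver, fixed_version)
    return {
        "rmdemux_present": True,
        "plugin": d.get("Name"),
        "filename": d.get("Filename"),
        "source_module": d.get("Source module"),
        "version": ver,
        "patched": patched,   # None when no fixed version was supplied
    }


if __name__ == "__main__":
    FIXED_VERSION = None  # placeholder: set from your distribution's advisory
    out = inspect_rmdemux()
    if out is None:
        print("rmdemux not found or gst-inspect-1.0 missing; showing sample data")
        out = SAMPLE_INSPECT_OUTPUT
    for key, value in report(out, FIXED_VERSION).items():
        print(f"{key}: {value}")
```

The Filename and Source module fields tell you which plugin package actually ships rmdemux on your system, which is the right thing to check both before applying the "disable RealMedia support" workaround and afterwards to confirm the element is really gone (the script then reports rmdemux_present: False).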

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when processing media files
  • Memory corruption errors in system logs
  • Unexpected child processes from media applications

Network Indicators:

  • Downloads of .rm/.rmvb files from suspicious sources
  • Unusual outbound connections from media applications

SIEM Query:

(process_name:"gst-launch" OR process_name:"vlc") AND (event_type:crash OR memory_violation)
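The same correlation as the SIEM query, run on the host over raw log lines, as an added example that is not part of this advisory: it pairs a set of media-processing process names (an assumed list; extend it for your environment) with the crash and memory-corruption messages listed under Log Indicators, pulling the process name from a kernel segfault line, a systemd-coredump line, or the syslog source tag. The log lines are constructed samples.

```python
"""Flag crash / memory-corruption events from media-processing processes.
Added example; the sample log lines are constructed, not real captures."""
import re

# Assumed set of media-processing processes to correlate on.
MEDIA_PROCESSES = {"vlc", "totem", "gst-launch-1.0", "gst-play-1.0", "rhythmbox"}

# Messages that indicate a crash or a memory-safety failure.
CRASH_PATTERNS = [
    re.compile(r"segfault at", re.I),
    re.compile(r"general protection fault", re.I),
    re.compile(r"dumped core", re.I),
    re.compile(r"double free|free\(\): invalid pointer|malloc\(\): corrupted", re.I),
    re.compile(r"stack smashing detected", re.I),
]

# "Mon DD HH:MM:SS host source[pid]: message"
SYSLOG_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ (?P<src>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
KERNEL_PROC_RE = re.compile(r"^(?P<proc>[^\[\s]+)\[\d+\]: ")      # kernel: vlc[4321]: segfault ...
COREDUMP_PROC_RE = re.compile(r"Process \d+ \((?P<proc>[^)]+)\)")  # systemd-coredump line

SAMPLE_LOG = """\
Jul 10 10:12:01 host kernel: vlc[4321]: segfault at 0 ip 00007f3a1c2b4e10 sp 00007ffd2a1b0c40 error 4 in libgstrealmedia.so[7f3a1c2a0000+20000]
Jul 10 10:12:02 host systemd-coredump[4330]: Process 4321 (vlc) of user 1000 dumped core.
Jul 10 10:12:05 host sshd[900]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Jul 10 10:13:00 host gst-launch-1.0[4400]: free(): invalid pointer
Jul 10 10:14:00 host kernel: python3[5000]: segfault at 8 ip 0000000000401000 sp 00007ffe00001000 error 6 in python3[400000+1000]
""".splitlines()


def crashing_process(line):
    """Return (process, message) if the line reports a crash or memory
    corruption, else None.  Works out which field names the process."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    src, msg = m.group("src").strip(), m.group("msg")
    if not any(p.search(msg) for p in CRASH_PATTERNS):
        return None
    if src == "kernel":
        k = KERNEL_PROC_RE.match(msg)
        proc = k.group("proc") if k else None
    elif src == "systemd-coredump":
        c = COREDUMP_PROC_RE.search(msg)
        proc = c.group("proc") if c else None
    else:
        proc = src            # the process logged the message itself
    return (proc, msg) if proc else None


def scan(lines, processes=MEDIA_PROCESSES):
    """Apply the (media process) AND (crash OR memory violation) rule."""
    hits = []
    for line in lines:
        found = crashing_process(line)
        if found and found[0] in processes:
            hits.append({"process": found[0], "message": found[1], "line": line})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"[{hit['process']}] {hit['message']}")
```

Note that a segfault inside libgstrealmedia.so (as in the first sample line) is the most specific signal: it ties the crash to the RealMedia demuxer rather than to the application generally, and is worth a higher severity in your rule set than a generic media-player crash.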
