CVE-2023-51793
📋 TL;DR
A buffer overflow vulnerability in FFmpeg's image_copy_plane function allows local attackers to execute arbitrary code. This affects systems running vulnerable FFmpeg versions where an attacker has local access. The vulnerability could lead to privilege escalation or system compromise.
💻 Affected Systems
- FFmpeg
📦 What is this software?
Ffmpeg by Ffmpeg
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains root/system privileges and completely compromises the system, potentially installing persistent malware or exfiltrating sensitive data.
Likely Case
Local attacker escalates privileges to execute code with higher permissions than their current user account, potentially accessing restricted files or resources.
If Mitigated
Attack is contained within user's privilege level with no lateral movement or persistence achieved.
🎯 Exploit Status
Exploitation requires local access and ability to trigger the vulnerable image_copy_plane function with crafted input.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check FFmpeg git repository for fixes after commit 8d24a28d06
Vendor Advisory: https://ffmpeg.org/security.html
Restart Required: No
Instructions:
1. Update FFmpeg to latest version from official repository.
2. For package managers: 'sudo apt update && sudo apt upgrade ffmpeg' (Debian/Ubuntu) or 'sudo yum update ffmpeg' (RHEL/CentOS).
3. Recompile from source if using custom builds.
🔧 Temporary Workarounds
Restrict FFmpeg execution
Linux: Limit which users can execute FFmpeg binaries to reduce attack surface
sudo chmod 750 /usr/bin/ffmpeg
sudo chown root:trustedgroup /usr/bin/ffmpeg
Implement mandatory access controls
Linux: Use SELinux or AppArmor to restrict FFmpeg's capabilities
sudo aa-genprof ffmpeg   # AppArmor: build a profile for ffmpeg interactively
sudo setenforce 1        # SELinux: switch to enforcing mode
🧯 If You Can't Patch
- Implement strict file access controls to prevent untrusted users from supplying input to FFmpeg
- Monitor FFmpeg process execution and memory usage for anomalous behavior
🔍 How to Verify
Check if Vulnerable:
Check FFmpeg version: 'ffmpeg -version' and look for version string containing 'N113007-g8d24a28d06' or earlier
Check Version:
ffmpeg -version | head -1
Verify Fix Applied:
After update, verify version no longer contains vulnerable commit hash and test with known safe media files
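The version check above as a script, added here as an example and not taken from the FFmpeg project or the advisory. The function names are hypothetical, and it assumes a git snapshot build whose version string carries the N<count>-g<hash> form quoted on this page; release and distribution package versions are reported as unknown.

```shell
#!/bin/sh
# Added example: classify the first line of `ffmpeg -version` against the
# snapshot build named on this page (N113007-g8d24a28d06).
VULN_BUILD=113007   # build counter taken from the page's version string

# Prints one of: affected | newer-snapshot | unknown
classify_ffmpeg_version() {
    line=$1
    # Snapshot builds print "ffmpeg version N-113007-g8d24a28d06 ...";
    # the form without the hyphen, as written on this page, is accepted too.
    build=$(printf '%s\n' "$line" |
        sed -n 's/^ffmpeg version N-\{0,1\}\([0-9][0-9]*\)-g[0-9a-f][0-9a-f]*.*/\1/p')
    if [ -z "$build" ]; then
        # Release or distro versions (e.g. "6.1.1") carry no build counter;
        # check the vendor or distribution advisory for those.
        echo unknown
    elif [ "$build" -le "$VULN_BUILD" ]; then
        echo affected
    else
        # Later than the named build. This alone does not prove the fix is
        # included; confirm against the FFmpeg git history.
        echo newer-snapshot
    fi
}

# Classify the locally installed binary, if there is one.
check_local_ffmpeg() {
    if ! command -v ffmpeg >/dev/null 2>&1; then
        echo not-installed
        return 0
    fi
    classify_ffmpeg_version "$(ffmpeg -version 2>/dev/null | head -1)"
}

# Constructed sample lines (not captured from real systems):
#   classify_ffmpeg_version "ffmpeg version N-113007-g8d24a28d06 Copyright ..."
#   classify_ffmpeg_version "ffmpeg version 6.1.1 Copyright ..."
```

Source the file and run `check_local_ffmpeg` on each host, or feed `classify_ffmpeg_version` the version lines collected by an inventory tool.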
📡 Detection & Monitoring
Log Indicators:
- Segmentation faults in FFmpeg processes
- Abnormal memory usage patterns in FFmpeg
- Unexpected FFmpeg process spawning with high privileges
Network Indicators:
- None - this is a local vulnerability
SIEM Query:
Process:Name='ffmpeg' AND (EventID=1000 OR MemoryUsage>threshold)
🔗 References
- https://ffmpeg.org/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6G7EYH2JAK5OJPVNC6AXYQ5K7YGYNCDN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IPETICRXUOGRIM4U3BCRTIKE3IZWCSBT/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LE3ASLH6QF2E5OVJI5VA3JSEPJFFFMNY/
- https://trac.ffmpeg.org/ticket/10743