CVE-2023-6605
📋 TL;DR
This vulnerability in FFmpeg's DASH playlist support allows attackers to make arbitrary HTTP GET requests from the system running FFmpeg by providing a maliciously crafted DASH playlist. This affects any system or application that processes DASH playlists using vulnerable FFmpeg versions, potentially leading to server-side request forgery (SSRF) attacks.
💻 Affected Systems
- FFmpeg
📦 What is this software?
FFmpeg by FFmpeg
⚠️ Risk & Real-World Impact
Worst Case
Attackers could use the vulnerable system as a proxy to scan internal networks, access internal services, or trigger requests to sensitive endpoints, potentially leading to data exfiltration or further exploitation.
Likely Case
Attackers could use the vulnerable FFmpeg instance to make unauthorized requests to internal or external services, potentially revealing information about network topology or accessing restricted resources.
If Mitigated
With proper network segmentation and egress filtering, the impact is limited to potential information disclosure about accessible endpoints rather than full network access.
🎯 Exploit Status
Exploitation requires the attacker to provide a malicious DASH playlist to FFmpeg, which could occur through user-uploaded content, API inputs, or other data ingestion paths.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FFmpeg 6.1.1 and later
Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=2334336
Restart Required: No
Instructions:
1. Update FFmpeg to version 6.1.1 or later.
2. For Linux distributions, use your package manager: 'sudo apt update && sudo apt upgrade ffmpeg' (Debian/Ubuntu) or 'sudo yum update ffmpeg' (RHEL/CentOS).
3. For source installations, download and compile the latest version from ffmpeg.org.
🔧 Temporary Workarounds
Disable DASH playlist processing
All platforms: Configure applications to avoid processing DASH playlists if not required.
Network egress filtering
All platforms: Restrict outbound HTTP requests from FFmpeg processes to only necessary destinations.
🧯 If You Can't Patch
- Implement strict input validation for DASH playlist files
- Isolate FFmpeg processes in network-restricted containers or environments
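One way to implement the playlist validation listed above, as an added example (not FFmpeg code and not part of the advisory): it resolves every URL-bearing field of a DASH manifest and rejects any that leave an allowlist before the file reaches FFmpeg. The attribute list, the ID pattern, the allowlist and `manifest_url` are assumptions supplied by the calling application.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

# Assumption: attribute names (namespace stripped) that carry URLs or templates.
URL_ATTRS = {"media", "initialization", "index", "sourceURL", "href"}
SAFE_ID = re.compile(r"[A-Za-z0-9_.-]*")
# Constructed sample: a manifest whose BaseURL points at an internal address.
SAMPLE_MPD = """<MPD xmlns="urn:mpeg:dash:schema:mpd:2011"><Period><AdaptationSet>
<BaseURL>http://10.0.0.5:8080/</BaseURL>
<SegmentTemplate media="$RepresentationID$/$Number$.m4s" initialization="init.mp4"/>
<Representation id="v1" bandwidth="800000"/></AdaptationSet></Period></MPD>"""

def url_problem(raw, manifest_url, allowed_hosts):
    """Return why raw is rejected after resolving it, or None if it is allowed."""
    try:
        parts = urlsplit(urljoin(manifest_url, raw.strip()))
        host = parts.hostname or ""
    except ValueError:
        return f"unparseable URL: {raw!r}"
    if parts.scheme not in ("http", "https"):
        return f"scheme not allowed: {raw!r}"
    try:
        ipaddress.ip_address(host)
        return f"IP-literal host: {raw!r}"
    except ValueError:
        pass  # a host name, checked against the allowlist next
    return None if host in allowed_hosts else f"host not in allowlist: {raw!r}"

def validate_mpd(xml_text, manifest_url, allowed_hosts):
    """Return a list of problems; an empty list means every URL passed."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["DTD or entity declaration present"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop the XML namespace
        urls = [elem.text] if tag == "BaseURL" and elem.text else []
        urls += [v for k, v in elem.attrib.items() if k.rsplit("}", 1)[-1] in URL_ATTRS]
        # Representation@id is substituted into $RepresentationID$ templates.
        if tag == "Representation" and not SAFE_ID.fullmatch(elem.get("id", "")):
            problems.append(f"unsafe Representation id: {elem.get('id')!r}")
        problems += filter(None, (url_problem(u, manifest_url, allowed_hosts) for u in urls))
    return problems
```

This check and FFmpeg's own URL handling may disagree on edge cases, so keep the egress filtering above in place alongside it.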
🔍 How to Verify
Check if Vulnerable:
Run 'ffmpeg -version'; the installation is vulnerable if the reported version is below 6.1.1.
Check Version:
ffmpeg -version | head -1
Verify Fix Applied:
After updating, run 'ffmpeg -version' to confirm version is 6.1.1 or higher
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP requests originating from FFmpeg processes
- Unexpected outbound connections from media processing systems
Network Indicators:
- HTTP GET requests to unusual or internal destinations from systems running FFmpeg
SIEM Query:
source="ffmpeg" AND (http_request OR network_connection) AND dest_ip NOT IN [allowed_destinations]