Vulnerability in Icecast can collapse online radio stations

The Icecast streaming server is affected by a flaw that an attacker could exploit to interrupt the transmission of Internet radio stations.

The Icecast streaming server is affected by a vulnerability, tracked as CVE-2018-18820, that an attacker could exploit to take online radio stations off the air, as reported by experts in digital forensics from the International Institute of Cyber Security. Icecast supports audio and video data and is maintained by the Xiph.org Foundation. It is distributed under the GNU GPL, version 2, and can be used to create an Internet radio station or a privately run audio player, among many other functions.

The vulnerability was discovered by a digital forensics expert using LGTM, a code analysis tool that scans source code for vulnerabilities.

“I discovered a vulnerability in Icecast, the open source streaming server maintained by the Xiph.org Foundation”, mentions the expert in his security notice.

“Attackers could create HTTP headers to overwrite the content of the server stack, leading to remote code execution. Since Icecast is commonly used to host Internet radio stations, exploiting this vulnerability could allow an attacker to leave an online radio station out of the air”.

The vulnerability affects Icecast servers that run versions 2.4.0 to 2.4.3 and use URL authentication.

The digital forensics expert developed a proof of concept for the vulnerability that caused a segmentation fault in the server process, triggering a denial-of-service (DoS) condition. The expert noted that, with additional effort, a persistent attacker could achieve full remote code execution on the vulnerable system.

The Xiph.org Foundation experts fixed the vulnerability quickly, with minimal effort and a simple, well-targeted change.

“Xiph’s digital forensics team repaired the error quickly, and the solution is quite simple. Simply check the return value of snprintf, and if you make post_offset point beyond the end of the buffer, it logs an error and exits the loop”, the notice continues.
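The check described in the notice, as an added example that is not Icecast's code: `snprintf` returns the length it would have written, so an offset that accumulates its return value unchecked can move past the end of the buffer. The function names, the `&name=value` format, the 64-byte buffer and the sample headers are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample headers (not from the advisory); second value is 60 bytes. */
static const char *const SAMPLE_NAMES[]  = { "user-agent", "x-long", "host" };
static const char *const SAMPLE_VALUES[] = { "player/1.0",
    "0123456789" "0123456789" "0123456789" "0123456789" "0123456789" "0123456789",
    "radio.example" };

/* Offset reached when each snprintf() return value is added unchecked: it
 * returns the length it WOULD have written, so the sum can pass the end of
 * the buffer. Measured with a NULL buffer, so nothing is written. */
size_t unchecked_offset(const char *const *names, const char *const *values, size_t n)
{
    size_t off = 0;
    for (size_t i = 0; i < n; i++)
        off += (size_t)snprintf(NULL, 0, "&%s=%s", names[i], values[i]);
    return off;
}

/* Hardened loop: check every return value; log and stop at the first pair
 * that does not fit. Returns the final string length. */
size_t append_checked(char *buf, size_t size, const char *const *names,
                      const char *const *values, size_t n)
{
    size_t off = 0;
    if (size == 0)
        return 0;
    buf[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        int r = snprintf(buf + off, size - off, "&%s=%s", names[i], values[i]);
        if (r < 0 || (size_t)r >= size - off) {
            fprintf(stderr, "header %s does not fit, stopping\n", names[i]);
            buf[off] = '\0';            /* drop the truncated fragment */
            break;
        }
        off += (size_t)r;
    }
    return off;
}

int main(void)
{
    char buf[64];
    size_t len = append_checked(buf, sizeof buf, SAMPLE_NAMES, SAMPLE_VALUES, 3);
    printf("unchecked offset %zu, buffer %zu\n", unchecked_offset(SAMPLE_NAMES, SAMPLE_VALUES, 3), sizeof buf);
    printf("checked: %zu bytes: %s\n", len, buf);
    return 0;
}
```

With the checked loop the offset never reaches the buffer size, so `size - off` cannot wrap around and every later write stays inside the buffer.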

Users should update Icecast to version 2.4.4 promptly to mitigate any risk.