Skip to content

Latest commit

 

History

History
108 lines (79 loc) · 5.95 KB

mitigations.md

File metadata and controls

108 lines (79 loc) · 5.95 KB

Mitigation Strategies Analysis for ffmpeg/ffmpeg

Mitigation Strategy: Strict Protocol Whitelisting

Mitigation Strategy: Strict Protocol Whitelisting

  • Description:

    1. Identify Required Protocols: Determine the absolute minimum set of protocols needed (e.g., file, pipe, http, https, rtsp, tcp).
    2. Use -protocol_whitelist: Use the -protocol_whitelist option followed by a comma-separated list of only the allowed protocols. Example: ffmpeg -protocol_whitelist file,pipe,http ...
    3. Avoid Dangerous Protocols: Completely avoid concat (demuxer), data, and glob if user input is involved.

  • List of Threats Mitigated:

    • Remote Code Execution (RCE) (Critical): Exploits using vulnerable protocols.
    • Server-Side Request Forgery (SSRF) (High): Unauthorized access to internal or external resources.
    • Information Disclosure (Medium): Leaking server information via protocols.
    • Denial of Service (DoS) (Medium): DoS attacks targeting specific protocols.

  • Impact:

    • RCE: Risk significantly reduced.
    • SSRF: Risk significantly reduced.
    • Information Disclosure: Risk reduced.
    • DoS: Risk partially reduced.

  • Currently Implemented:

    • Example: Implemented in the VideoProcessor class, process_video() method. Whitelist from config.ini.

  • Missing Implementation:

    • Example: Missing in the AudioConverter class (uses hardcoded command).

Mitigation Strategy: Disable Unnecessary Components

Mitigation Strategy: Disable Unnecessary Demuxers, Decoders, Encoders, Filters, and Bitstream Filters

  • Description:

    1. Identify Required Components: Determine the exact demuxers, decoders, encoders, filters, and bitstream filters needed.
    2. Disable Unneeded Components:
      • Codecs: -codec:v none, -codec:a none, etc. Force specific codecs: -c:v libx264.
      • Streams: -vn, -an, -sn.
      • Formats: -f mp4 ... -f avi ... (force input/output formats).
      • Filters: Minimize filter graph complexity. Avoid user-controlled filter parameters within the FFmpeg command.
      • Bitstream Filters: -bsf:v none, -bsf:a none.

  • List of Threats Mitigated:

    • Remote Code Execution (RCE) (Critical): Vulnerabilities in specific components.
    • Denial of Service (DoS) (Medium): DoS attacks targeting specific components.
    • Information Disclosure (Low): Information leaks from specific components.

  • Impact:

    • RCE: Risk significantly reduced.
    • DoS: Risk partially reduced.
    • Information Disclosure: Risk slightly reduced.

  • Currently Implemented:

    • Example: Partially. -vn used for audio-only files.

  • Missing Implementation:

    • Example: Full audit needed. Force specific codecs/encoders. Disable unused components via configuration. Review ImageProcessor.

Mitigation Strategy: FFmpeg-Specific Resource Limits

Mitigation Strategy: FFmpeg-Specific Resource Limits

  • Description:

    1. Use FFmpeg Options:
      • -re: Read input at native frame rate (prevents excessive CPU usage in some cases).
      • -fs <size>: Limit the output file size (e.g., -fs 100M).
      • -threads <number>: Control the number of threads FFmpeg uses. Start with a low number and increase only if necessary.
      • -max_muxing_queue_size <packets>: Limit the size of the muxing queue. This can help prevent memory exhaustion issues, especially with complex streams.
    2. Careful Codec/Option Selection: Choose codecs and options that are known to be efficient and less prone to resource exhaustion issues. Avoid overly complex configurations.

  • List of Threats Mitigated:

    • Denial of Service (DoS) (High): Prevents FFmpeg from consuming excessive resources.
    • Resource Exhaustion (Medium): Limits the impact of vulnerabilities.

  • Impact:

    • DoS: Risk reduced (limits resource consumption).
    • Resource Exhaustion: Risk reduced.

  • Currently Implemented:

    • Example: -re is used in some cases, but other options are not consistently applied.

  • Missing Implementation:

    • Example: -fs, -threads, and -max_muxing_queue_size should be considered and configured appropriately based on the application's needs and the expected input.

Mitigation Strategy: Controlled FFmpeg Logging

Mitigation Strategy: Controlled FFmpeg Logging

  • Description:

    1. Use -loglevel: Use the -loglevel option to control the verbosity of FFmpeg's output.
      • For production, use -loglevel warning or -loglevel error to log only significant issues.
      • For debugging, use -loglevel debug or -loglevel verbose (but never in production with user-supplied input).
    2. Avoid Excessive Logging with Untrusted Input: Never use high verbosity levels (debug, verbose) with untrusted input, as this could expose sensitive information or create vulnerabilities.

  • List of Threats Mitigated:

    • Information Disclosure (Medium): Prevents sensitive information from being logged.
    • Log Injection (Low): Reduces the risk of attackers injecting malicious data into logs.

  • Impact:

    • Information Disclosure: Risk reduced (limits what's logged).
    • Log Injection: Risk slightly reduced.

  • Currently Implemented:

    • Example: Basic FFmpeg output is logged, but -loglevel is not consistently used.

  • Missing Implementation:

    • Example: -loglevel should be set appropriately (warning/error in production, debug only for trusted testing).