First published: Wed Jan 29 2020
A privilege escalation vulnerability in Wowza Streaming Engine 4.8.0 and earlier allows any unprivileged Linux user to escalate privileges to root. The installer sets overly permissive permissions on the core program files in /usr/local/WowzaStreamingEngine/bin/*. A payload injected into one of those files runs with the same privileges as the Wowza server, which is root. For example, /usr/local/WowzaStreamingEngine/bin/tune.sh could be replaced with a Trojan horse. This issue was resolved in Wowza Streaming Engine 4.8.5.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Wowza Streaming Engine | <=4.8.0 |
CVE-2019-7656 is a privilege escalation vulnerability in Wowza Streaming Engine 4.8.0 and earlier versions.
CVE-2019-7656 has a severity rating of 7.8 (high).
CVE-2019-7656 allows any unprivileged Linux user to escalate privileges to root on Wowza Streaming Engine 4.8.0 and earlier versions.
To fix CVE-2019-7656, you should ensure that the permissions on /usr/local/WowzaStreamingEngine/bin/* core program files are properly restricted.
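One way to check a host for the condition described above, as an added example that is not code from Wowza or from the advisory: the function flags files and directories under the bin path that are group- or world-writable or not owned by the expected account. The function name, the output format and the choice of criteria are assumptions of this example, since the advisory does not list exact modes.

```shell
#!/bin/sh
# Added example: audit a Wowza bin directory for entries that a non-root
# user could modify. Criteria are this example's assumptions about what
# "too relaxed" means: group/world write bit set, or unexpected owner.

# audit_bin_perms DIR [OWNER]
# Prints one finding per line. Returns 0 if clean, 1 if findings exist,
# 2 if DIR does not exist.
audit_bin_perms() {
    abp_dir=$1
    abp_owner=${2:-root}
    if [ ! -d "$abp_dir" ]; then
        echo "MISSING $abp_dir"
        return 2
    fi

    abp_findings=$(
        # Group- or world-writable: a file can be edited in place, and a
        # writable directory lets its files be replaced outright.
        find "$abp_dir" \( -type f -o -type d \) \
            \( -perm -0020 -o -perm -0002 \) -print | sed 's/^/WRITABLE /'
        # Not owned by the expected account: the owner can rewrite it.
        find "$abp_dir" \( -type f -o -type d \) ! -user "$abp_owner" \
            -print | sed 's/^/OWNER /'
    )

    if [ -z "$abp_findings" ]; then
        return 0
    fi
    printf '%s\n' "$abp_findings"
    return 1
}

# Check the path named in the advisory; root is the expected owner because
# the server runs as root.
status=0
audit_bin_perms /usr/local/WowzaStreamingEngine/bin root || status=$?
echo "audit status: $status (0 clean, 1 findings, 2 directory missing)"
```

A finding on a running installation means the file's contents should be verified against a known-good copy before the mode is corrected, since tightening permissions does not undo an earlier modification.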
More information about CVE-2019-7656 can be found in the provided references: [Reference 1](https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-7656-PrivEscal-Wowza), [Reference 2](https://raw.githubusercontent.com/WowzaMediaSystems/public_cve/main/wowza-streaming-engine/CVE-2019-7656.txt), [Reference 3](https://www.wowza.com/docs/wowza-streaming-engine-4-8-5-release-notes)