Alta Video — 1723: Unhandled exception when parsing malformed certificates
Release Date
2nd of May 2025.
Overview
A vulnerability was discovered in the Android WebRTC code's TLS certificate verification. This could have allowed a malformed certificate from a malicious server or man-in-the-middle attacker to cause the Android application to crash.
Affected Products
Alta Video:
- Android app versions before 3.9.0
Unaffected Products
Alta Video:
- All Android app versions from 3.9.0 onward
- All iOS app versions
- All Web client versions
Avigilon Cloud-Native Cameras: all versions.
Alta Video Cloud: all versions.
Resolution
This issue has been fixed in version 3.9.0 of the Android app.
It is recommended that all users running an affected version of the app upgrade to the latest release as soon as possible. Releases are available to download through the Google Play Store.
Vulnerability Information
- CVSSv3 score: 3.7 (Low)
- CVSSv3 vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Mitigations
There are no known mitigations for this issue.
Workarounds
There are no known workarounds for this issue.
Acknowledgements
Issue reported by an external pentest.
Disclosure Timeline
- 02/12/2024 Issue found
- 04/12/2024 Root cause established
- 04/12/2024 Fix identified
- 10/12/2024 Patched version of the Android app released
- 02/05/2025 Vulnerability publicly disclosed