Alta Video —1683: security vulnerabilities in the WebRTC library
Release Date
10th of January 2025
Overview
The vendor of the WebRTC library has disclosed multiple vulnerabilities that could affect the confidentiality, integrity, and availability of the Aware Android & iOS apps.
Affected Products
Alta Video:
- Android app versions before 3.9.0
- iOS app versions before 3.9.0
Unaffected Products
Alta Video:
- All Android app versions after and including 3.9.0.
- All iOS app versions after and including 3.9.0.
- All Web client versions
Avigilon Cloud-Native Cameras:
- All versions
Alta Video Cloud:
- All versions
Resolution
This issue has been fixed in version 3.9.0 of the Aware Android & iOS apps.
It is recommended that all users running an affected version of the app upgrade to the latest release as soon as possible. Releases are available to download through the Google Play Store or the App Store.
Vulnerability Information
- CVE: CVE-2023-6705, CVE-2023-7024, CVE-2024-10488, CVE-2024-3170, CVE-2024-4764 & CVE-2024-5493
- CVSSv3 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Mitigations
There are no known mitigations for this issue.
Workarounds
There are no known workarounds for this issue.
Acknowledgements
Issues reported by the vendor of the library
Disclosure Timeline
- 29/11/2024 Fix identified
- 10/12/2024 Patched versions of the Android & iOS apps released
- 10/01/2025 Vulnerability publicly disclosed