Alta Aware — 1055: MITM vulnerability in golang.org/x/crypto/ssh package
Release Date
2nd April 2024.
Overview
Version v0.17.0 of golang.org/x/crypto fixes a protocol weakness in the golang.org/x/crypto/ssh package. The weakness allowed a MITM attacker to compromise the integrity of the secure channel before it was established, and so to prevent transmission of a number of messages immediately after the secure channel was established, without either side being aware.
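For teams that build their own Go services, the following added example (not code from this advisory, the vendor or the Go project) checks whether a go.mod file requires golang.org/x/crypto at a version older than the fixed v0.17.0. The function names and the sample go.mod are hypothetical, and replace directives are not evaluated.

```go
package main

import (
	"fmt"
	"strings"
)

const cryptoModule = "golang.org/x/crypto"

// cryptoVersion returns the golang.org/x/crypto version required by go.mod
// text, or "" if the module is not required.
func cryptoVersion(goMod string) string {
	inRequire := false
	for _, line := range strings.Split(goMod, "\n") {
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop "// indirect" and other comments
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inRequire = true
		case len(f) == 1 && f[0] == ")":
			inRequire = false
		case len(f) == 3 && f[0] == "require" && f[1] == cryptoModule:
			return f[2]
		case inRequire && len(f) == 2 && f[0] == cryptoModule:
			return f[1]
		}
	}
	return ""
}

// predatesFix reports whether v (a tag such as v0.16.0, or a v0.0.0-...
// pseudo-version) is older than v0.17.0, the fixed release in the advisory.
func predatesFix(v string) (bool, error) {
	var major, minor int
	if _, err := fmt.Sscanf(v, "v%d.%d.", &major, &minor); err != nil {
		return false, fmt.Errorf("unrecognised version %q: %w", v, err)
	}
	return major == 0 && minor < 17, nil
}

func main() {
	// Constructed sample go.mod, not taken from any real project.
	sample := "module example.test/app\n\nrequire (\n\tgolang.org/x/crypto v0.16.0 // indirect\n)\n"
	v := cryptoVersion(sample)
	old, err := predatesFix(v)
	fmt.Println(v, old, err)
}
```

An empty result from cryptoVersion means the module is not required directly or indirectly in that go.mod; predatesFix returns an error for it rather than a verdict.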
Affected Products
- Ava Aware:
  - All Stable upgrade channel versions before 6.5.5.
  - All Beta upgrade channel versions before 6.5.3.
- Ava Cameras:
  - All Stable upgrade channel versions before 6.5.5.
  - All Beta upgrade channel versions before 6.5.3.
Unaffected Products
- Ava Aware:
  - All Stable upgrade channel versions after and including 6.5.5.
  - All Beta upgrade channel versions after and including 6.5.5.
- Ava Cameras:
  - All Stable upgrade channel versions after and including 6.5.5.
  - All Beta upgrade channel versions after and including 6.5.3.
- Ava Cloud: all versions.
Resolution
This issue has been fixed in Ava Aware Beta upgrade channel version 6.5.3 and Stable upgrade channel version 6.5.5.
It is *strongly recommended* that all installations running an affected version are upgraded to the latest release as soon as possible. Releases are available to download through the [Alta Aware User Interface](https://aware.docs.alta.avigilon.com/en/Products/aware/appliances/manageappliances7.htm).
Vulnerability Information
- CVE: CVE-2023-48795
- CVSSv3 score: 5.9 (Medium)
- CVSSv3 vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Mitigations
There are no known mitigations for this issue.
Workarounds
There are no known workarounds for this issue.
Acknowledgements
Issue reported by the Go team.
Disclosure Timeline
- 18/12/2023 Issue found
- 18/12/2023 Root cause established
- 19/12/2023 Fix identified
- 03/01/2024 Patched Alta Video (Beta upgrade channel) released
- 22/01/2024 Patched Alta Video (Stable upgrade channel) released
- 03/01/2024 Patched Alta Cameras (Beta upgrade channel) released
- 22/01/2024 Patched Alta Cameras (Stable upgrade channel) released
- 02/04/2024 Vulnerability publicly disclosed