Alta Aware — 1150: Denial of service in Golang's http package (HPACK)

Release Date

7th May 2024.

Overview

Due to lack of a proper limit on the amount of excess header frames before closing a connection when the HPACK state was maintained, a denial of service could be mounted due to high memory consumption in the Golang `net/http` package.

Affected Products

• Ava Aware:
  • All Stable upgrade channel versions before 6.7.6.
  • All Beta upgrade channel versions before 6.8.1.
• Ava Cameras:
  • All Stable upgrade Channel versions before 6.8.6.
  • All Beta upgrade channel versions before 6.8.1.
• Ava Cloud: before 11th April 2024.

Unaffected Products

• Ava Aware:

  • All Stable upgrade channel versions after and including 6.7.6.
  • All Beta upgrade channel versions after and including 6.8.1.

• Ava Cameras:

  • All Stable upgrade channel versions after and including 6.7.6.
  • All Beta upgrade channel versions after and including 6.8.1.

• Ava Cloud: from 11th April 2024

Resolution

This issue has been fixed in Ava Aware Beta upgrade channel version 6.8.1 and Stable upgrade channel version 6.7.6.

It is strongly recommended that all installations running an affected version are upgraded to the latest release as soon as possible. Releases are available to download through the Alta Aware user interface.

A fix was deployed to the Alta Cloud on 11th April 2024. Alt Cloud customers do not need to take any additional action.

This issue has been fixed in Alta camera Beta upgrade channel version 6.8.1 and Stable upgrade channel version 6.7.6.

It is highly recommended that all Avigilon Ava and Avigilon Alta cameras running an affected version upgrade to the latest release as soon as possible. Releases are available to download through the Alta Aware user interface for Avigilon Ava adn Avigilon Alta managed cameras and the Avigilon Ava and Avigilon Alta camera user interface for unmanaged Avigilon Ava and Avigilon Alta cameras.

Vulnerability Information

• CVE: CVE-2023-45288.
• CVSSv3 score: 5.3 (Medium)
• CVSSv3 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Mitigations

There are no known mitigations for this issue.

Work arounds

There are no known work arounds for this issue.

Acknowledgements

Issue found and reported by the Go team.

Disclosure Timeline

• 03/04/2024 Issue found
• 03/04/2024 Root cause established
• 04/04/2024 Fix identified
• 11/04/2024 Patched Alta Cloud released
• 09/04/2024 Patched Alta Video (Beta upgrade channel) released
• 10/04/2024 Patched Alta Video (Stable upgrade channel) released
• 09/04/2024 Patched Alta cameras (Beta upgrade channel) released
• 10/04/2024 Patched Alta cameras (Stable upgrade channel) released
• 07/05/2024 Vulnerability publicly disclosed