Ava-272: vcam credentials logged when RTSP request fails
Release Date
22nd July 2020.
Overview
When an RTSP request made to vcam fails, the request, including the authorization header, is logged. This means vcam credentials will be stored in the logs.
Affected Products
- vcam: All Beta Upgrade Channel versions before 1.3.0.
- vcam: All Stable Upgrade Channel versions before 1.3.1.
Unaffected Products
- vcore: All versions.
- vcloud: All versions.
Resolution
This issue has been fixed in vcam version 1.3.0 on the Beta Upgrade Channel, and version 1.3.1 on the Stable Upgrade Channel.
We recommend that all vcam installations running an affected version upgrade to the latest release as soon as possible. See How to: Set the Vaion vcam System settings locally or How to: Upgrade your Vaion vcam devices from vcore.
Vulnerability Information
For this vulnerability to be exploitable, an attacker must first acquire the logs. Logs are obtainable through vcam, and through vcore if the vcam has been added to vcore, but each path requires valid credentials for vcam or vcore respectively.
- CVE: Pending
- CVSSv3 score: 7.2 High
- CVSSv3 vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Mitigations
This vulnerability can be mitigated by changing the passwords for vcams.
The applied patch will sanitise existing logs to censor the described credentials information, if any, so no action is required by the user with regards to the logs.
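The advisory describes two things: the defect (a failed RTSP request is written to the log together with its Authorization header) and the remediation of existing logs (the patch censors that credential material). The following is an added example, not Ava's or vcam's own code, showing what such a log sanitiser and a matching "is this log still leaking credentials?" check look like. The log format and sample lines are constructed for the example; vcam's real log layout is not described on the page. It also goes slightly beyond the advisory by redacting credentials embedded in the RTSP URL userinfo (`rtsp://user:pass@host/`), which the advisory does not mention but which ends up in the same logged request line.

```python
import re
from typing import Iterable, List, Tuple

REDACTED = "[REDACTED]"

# RTSP (and HTTP) Authorization header. Group 1 keeps "Authorization: <scheme> ",
# group 2 is the credential material: for Basic it is base64("user:pass"),
# for Digest it carries the username and the response hash in the clear.
# The value ends at a real CR/LF or at a backslash, because many loggers
# write a raw request with CRLF escaped as the two characters "\r\n".
AUTH_HEADER_RE = re.compile(r"(?i)(authorization:\s*(?:basic|digest)\s+)([^\r\n\\]+)")

# Credentials in the URL userinfo (rtsp://user:pass@host/...). Assumption for
# this example: not part of the advisory, but the same logged request line
# can carry them. A plain host:port (no "@") does not match.
URL_USERINFO_RE = re.compile(r"(?i)(rtsps?://)([^/\s@:]+:[^/\s@]+)@")

# Constructed sample lines, not real vcam output. The third line is a control
# line that must pass through unchanged.
SAMPLE_LOG = [
    '2020-07-01T10:15:32Z ERROR rtsp: request failed: "DESCRIBE rtsp://192.0.2.10:554/live RTSP/1.0\\r\\nCSeq: 2\\r\\nAuthorization: Basic YWRtaW46cGFzc3dvcmQ=\\r\\n"',
    '2020-07-01T10:15:33Z ERROR rtsp: request failed: "SETUP rtsp://192.0.2.10:554/live/track1 RTSP/1.0\\r\\nCSeq: 3\\r\\nAuthorization: Digest username="admin", realm="vcam", nonce="0a1b", uri="/live/track1", response="deadbeef"\\r\\n"',
    '2020-07-01T10:15:34Z INFO  rtsp: session 7 established',
    '2020-07-01T10:15:35Z ERROR rtsp: request failed: "PLAY rtsp://viewer:s3cret@192.0.2.10:554/live RTSP/1.0\\r\\nCSeq: 4\\r\\n"',
]


def redact_line(line: str) -> Tuple[str, int]:
    """Return (sanitised line, number of credential values redacted)."""
    line, n_hdr = AUTH_HEADER_RE.subn(lambda m: m.group(1) + REDACTED, line)
    line, n_url = URL_USERINFO_RE.subn(lambda m: m.group(1) + REDACTED + "@", line)
    return line, n_hdr + n_url


def sanitise_log(lines: Iterable[str]) -> Tuple[List[str], int]:
    """Sanitise a whole log; returns (sanitised lines, total redactions)."""
    out: List[str] = []
    total = 0
    for line in lines:
        cleaned, n = redact_line(line)
        out.append(cleaned)
        total += n
    return out, total


def contains_credentials(line: str) -> bool:
    """Verification check: True if the line still carries an unredacted
    Authorization value or URL userinfo. Run it over a sanitised log to
    confirm the clean-up actually worked before the log is shared."""
    if any(m.group(2) != REDACTED for m in AUTH_HEADER_RE.finditer(line)):
        return True
    return URL_USERINFO_RE.search(line) is not None


if __name__ == "__main__":
    cleaned_lines, count = sanitise_log(SAMPLE_LOG)
    print(f"redacted {count} credential value(s)")
    for cleaned in cleaned_lines:
        print(cleaned)
    # After sanitising, no line should still trip the check.
    print("leaks remaining:", sum(contains_credentials(l) for l in cleaned_lines))
```

The two regexes deliberately keep the header name and scheme (so an analyst can still see that the request was authenticated and how) and drop only the value; the Digest case matters because its value exposes the username even without the password. The `contains_credentials` check is the part worth keeping around independently of the fix: it is the same test a log-export step or a support-bundle script can run to refuse to ship a file that still carries credentials.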
Acknowledgements
Issue found internally by Ava Security.
Disclosure Timeline
- 08/06/2020 Issue found internally by Ava Security
- 08/06/2020 Fix identified
- 02/07/2020 Patched vcam 1.3.0 (Beta Upgrade Channel) released
- 22/07/2020 Patched vcam 1.3.1 (Stable Upgrade Channel) released
- 22/07/2020 Advisory published internally
- 22/07/2020 Vulnerability publicly disclosed