Ava-290: vcore and vcloud vulnerable to denial-of-service attack

Release Date

22nd July 2020.

Overview

An attacker could cause a restart of the vcore HTTP server or the vcloud gateway by exploiting a vulnerability in the Go net/http package.

Affected Products

  • vcore: All Beta Upgrade Channel versions before 2.3.3.
  • vcore: All Stable Upgrade Channel versions before 2.3.4.
  • vcloud: All versions before 15th July 2020

Unaffected Products

  • vcore: All Beta Upgrade Channel versions after and including 2.3.3.
  • vcore: All Stable Upgrade Channel versions after and including 2.3.4.
  • vcam: All versions

Resolution

This issue has been fixed in vcore Beta Upgrade Channel version 2.3.3 and Stable Upgrade Channel version 2.3.4. It is strongly recommended that all vcore installations running an affected version upgrade to the latest release as soon as possible. Releases are available to download through the vcore WebUI. A fix was deployed to the vcloud on 15th July 2020. vcloud customers do not need to take any additional action.

Vulnerability Information

An attacker would be able to deny access to the vcore UI by repeatedly exploiting a race condition in the vcore HTTP server detailed in https://github.com/golang/go/issues/34902. However, the attack would need to be sustained and the attacker would not be able to control how often they could restart the HTTP server.

Acknowledgements

Issue found, and reported to the Go Team, by Mikael Manukyan, Andrew Kutz, Dave McClure, Tim Downey, Clay Kauzlaric, and Gabe Rosenhouse.

Disclosure Timeline

  • 14/10/2019 Issue found by Mikael Manukyan, Andrew Kutz, Dave McClure, Tim Downey, Clay Kauzlaric, and Gabe Rosenhouse
  • 14/07/2020 Fix identified
  • 15/07/2020 Patched vcloud released
  • 15/07/2020 Patched vcore 2.3.3 (Beta upgrade channel) released
  • 22/07/2020 Patched vcore 2.3.4 (Stable upgrade channel) released
  • 22/07/2020 Advisory published internally
  • 22/07/2020 Vulnerability publicly disclosed