Ava-299: Hash of API token published to subscribed users after creation

Release Date

17th August 2020.

Overview

A logged-in vcore user could subscribe to API token creation events using the vcore API and receive the SHA512 hash of tokens created by other users.

Affected Products

  • vcore: All Beta Upgrade Channel versions before 2.4.2.
  • vcore: All Stable Upgrade Channel versions before 2.4.2.

Unaffected Products

  • vcore: All Beta Upgrade Channel versions after and including 2.4.2.
  • vcore: All Stable Upgrade Channel versions after and including 2.4.2.
  • vcloud: All versions
  • vcam: All versions

Resolution

This issue has been fixed in vcore Beta Upgrade Channel version 2.4.2 and Stable Upgrade Channel version 2.4.2. We recommend that all vcore installations running an affected version upgrade to the latest release as soon as possible. Releases are available to download through the vcore User Interface.

Vulnerability Information

A logged-in vcore user could subscribe to API token creation events using the vcore API and receive the SHA512 hash of tokens created by other users. However, the token hash cannot be retrieved after the token has been created, so an attacker would need to be listening for the event at the moment another user creates an API token in order to learn its hash. Even if an attacker does obtain a token hash, they would not be able to reverse it.
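As an added illustration of the fix pattern (not vcore's own code; the advisory does not describe vcore's event format), a small Python publish/subscribe model: the vulnerable publisher fans the SHA512 hash out to every subscriber, while the corrected publisher delivers the sensitive field only to the token's owner. The event fields and user names are constructed for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Hypothetical event schema; the advisory does not describe vcore's real format.
SENSITIVE_FIELDS = {"token_hash"}


@dataclass
class Subscriber:
    user_id: str
    received: List[Dict] = field(default_factory=list)


def publish_unfiltered(event: Dict, subscribers: List[Subscriber]) -> None:
    """Vulnerable pattern: every subscriber receives the full payload, hash included."""
    for sub in subscribers:
        sub.received.append(dict(event))


def publish_scrubbed(event: Dict, subscribers: List[Subscriber]) -> None:
    """Hardened pattern: sensitive fields reach only the user who owns the token."""
    for sub in subscribers:
        if sub.user_id == event["owner"]:
            sub.received.append(dict(event))
        else:
            sub.received.append({k: v for k, v in event.items() if k not in SENSITIVE_FIELDS})


def create_api_token(owner: str) -> Dict:
    """Mint a token (returned to the caller elsewhere) and build the creation event
    carrying only the SHA512 hash of it, as the advisory describes."""
    token = secrets.token_urlsafe(32)
    return {
        "type": "api_token.created",
        "owner": owner,
        "token_hash": hashlib.sha512(token.encode()).hexdigest(),
    }


def run_scenario(publish: Callable[[Dict, List[Subscriber]], None]) -> Dict[str, bool]:
    """Alice creates a token while Bob is subscribed; report who could see the hash."""
    alice, bob = Subscriber("alice"), Subscriber("bob")
    publish(create_api_token("alice"), [alice, bob])
    return {
        "owner_sees_hash": "token_hash" in alice.received[0],
        "other_sees_hash": "token_hash" in bob.received[0],
    }
```

Running `run_scenario` with each publisher shows the difference: the unfiltered version exposes the hash to Bob, the scrubbed version still notifies him of the event but without the hash.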

Acknowledgements

Issue found internally by Ava Security.

Disclosure Timeline

  • 11/08/2020 Issue found internally by Ava Security
  • 11/08/2020 Fix identified
  • 14/08/2020 Patched vcore 2.4.2 (Beta upgrade channel) released
  • 17/08/2020 Patched vcore 2.4.2 (Stable upgrade channel) released
  • 17/08/2020 Advisory published internally
  • 17/08/2020 Vulnerability publicly disclosed