Ava-311: Authenticated attacker can change description of cloud backups owned by different Ava Appliance

Release Date

15th October 2020.

Overview

An attacker authenticated as an Ava Appliance can update the description of a cloud backup owned by a different appliance.

Affected Products

  • Ava cloud: All versions before 12th October 2020.

Unaffected Products

  • Ava Aware: All versions.
  • Ava camera: All versions.
  • Ava cloud: All versions after and including 12th October 2020.

Resolution

This issue has been fixed in Ava cloud from 12th October 2020. No action is required by Ava Appliance users.

Vulnerability Information

This vulnerability only allows an attacker to update the description of a backup; it does not allow the attacker to download or delete a backup. It is further mitigated by the fact that the attacker would need the identifier of a cloud backup owned by a different Ava Appliance, which cannot easily be found because of the large identifier search space and rate limiting in the Ava cloud API.
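The flaw described above is a missing object-level ownership check: the endpoint authenticates the calling appliance but does not confirm that the backup being edited belongs to it. The following is an added illustration, not Ava's code and not a description of the Ava cloud API; the store, handler names, appliance ids and backup ids are all constructed for the example. It places a handler with the defect beside the corrected one, where the owner of the backup is compared against the authenticated caller before any write.

```python
"""Added illustration (not Ava's code): object-level authorization on a
backup-description update. All names and sample data are constructed."""
from dataclasses import dataclass, field


@dataclass
class Backup:
    backup_id: str
    owner_appliance_id: str
    description: str


@dataclass
class BackupStore:
    # Hypothetical in-memory stand-in for the cloud backup table.
    backups: dict = field(default_factory=dict)

    def add(self, backup: Backup) -> None:
        self.backups[backup.backup_id] = backup


class AuthorizationError(Exception):
    """Raised when the caller does not own the target backup."""


def update_description_vulnerable(store, caller_appliance_id, backup_id, new_description):
    # The caller is authenticated (an appliance id is present), but the
    # handler never checks that the backup belongs to that appliance, so any
    # appliance that knows another appliance's backup id can rewrite it.
    backup = store.backups[backup_id]
    backup.description = new_description
    return backup.description


def update_description_fixed(store, caller_appliance_id, backup_id, new_description):
    # Object-level authorization: look the backup up, then require that its
    # owner is the authenticated caller before writing. Unknown ids and
    # foreign-owned ids are rejected identically so the response does not
    # reveal whether a guessed id exists.
    backup = store.backups.get(backup_id)
    if backup is None or backup.owner_appliance_id != caller_appliance_id:
        raise AuthorizationError("backup not found or not owned by caller")
    backup.description = new_description
    return backup.description


def build_sample_store():
    # Constructed sample data: two appliances, each owning one cloud backup.
    store = BackupStore()
    store.add(Backup("bk-0001", "appliance-A", "nightly"))
    store.add(Backup("bk-0002", "appliance-B", "weekly"))
    return store


def demo():
    """Runs a cross-appliance update against both handlers.

    Returns (result from the vulnerable handler, whether the fixed handler
    blocked the write, the description left in the store after the fixed
    handler ran).
    """
    store = build_sample_store()
    # appliance-A attempts to change the description of appliance-B's backup.
    vulnerable_result = update_description_vulnerable(
        store, "appliance-A", "bk-0002", "tampered")

    store = build_sample_store()
    try:
        update_description_fixed(store, "appliance-A", "bk-0002", "tampered")
        fixed_blocked = False
    except AuthorizationError:
        fixed_blocked = True
    return vulnerable_result, fixed_blocked, store.backups["bk-0002"].description


if __name__ == "__main__":
    print(demo())  # ('tampered', True, 'weekly')
```

The check is deliberately placed on the object rather than on the route: authenticating the appliance establishes who is calling, but only the comparison against the backup's recorded owner establishes that the caller may modify that particular record. Rate limiting and a large identifier space, as the advisory notes, raise the cost of guessing a foreign id, but they do not replace the ownership check.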

Acknowledgements

Issue found internally by Ava Security.

Disclosure Timeline

  • 09/10/2020 Issue found internally by Ava Security
  • 09/10/2020 Fix identified
  • 12/10/2020 Patched Ava cloud released
  • 15/10/2020 Advisory published internally
  • 15/10/2020 Vulnerability publicly disclosed