Ava-318, Ava-319: Download of camera credentials without the appropriate permissions
Release Date
11th November 2020
Overview
An authenticated Ava Aware user could download camera credentials using the Ava Aware API without the appropriate permissions.
Affected Products
- Ava Aware:
- All Stable upgrade channel versions up to but not including 3.1.4
- All Beta upgrade channel versions up to but not including 3.1.4
Unaffected Products
- Ava Aware:
- All Stable upgrade channel versions after and including 3.1.4
- All Beta upgrade channel versions after and including 3.1.4
- Ava cloud: All versions
- Ava camera: All versions
Resolution
These issues have been fixed in Ava Aware Beta upgrade channel version 3.1.4 and
Stable upgrade channel version 3.1.4.
We strongly recommend that all Ava Aware installations running an
affected version upgrade to the latest release as soon as possible.
Releases are available to download through the Ava Aware
User Interface.
If you have configured an external syslog server to receive Ava Aware logs, we
recommend auditing the log lines that match the regular expression
type="VIEW".*path="/api/v1/(credentials|devices/.*/credentials)"
to verify
that only users who are expected to be able to view credentials have called
the vulnerable APIs.
If you are not confident that you have retained a complete set of audit logs, we recommend
changing the passwords of all configured credentials and of all connected cameras.
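The audit step above can be scripted so that the output is a list of accounts to investigate rather than a pile of raw matches. The following is an added example written for this page, not a tool shipped by Ava Security: it applies the advisory's regular expression verbatim to constructed syslog lines, extracts the acting user, and reports anyone not on the list of users expected to hold the credential-view permission. The user="..." field name, the surrounding syslog line layout and the sample accounts are assumptions for the demonstration; the real Ava Aware log format is not given in the advisory, so adjust USER_RE to your own output.

```python
import re
from typing import Dict, Iterable, List

# Regular expression given in the advisory: a VIEW audit event whose path is one
# of the two credential endpoints (the global list, or a single device's entry).
VULNERABLE_API_RE = re.compile(
    r'type="VIEW".*path="/api/v1/(credentials|devices/.*/credentials)"'
)

# ASSUMPTION: the acting user appears in a user="..." field of each audit line.
# The advisory does not state this field name; change it to match your output.
USER_RE = re.compile(r'user="([^"]*)"')

# Constructed sample lines for demonstration only (not real Ava Aware output).
SAMPLE_LOG = """\
Nov 10 08:01:12 aware audit: type="VIEW" user="alice" path="/api/v1/devices"
Nov 10 08:03:44 aware audit: type="VIEW" user="bob" path="/api/v1/credentials"
Nov 10 08:05:01 aware audit: type="VIEW" user="alice" path="/api/v1/devices/cam-12/credentials"
Nov 10 08:07:30 aware audit: type="EDIT" user="bob" path="/api/v1/devices/cam-12/credentials"
Nov 10 08:09:15 aware audit: type="VIEW" user="mallory" path="/api/v1/devices/cam-07/credentials"
Nov 10 08:11:02 aware audit: type="VIEW" user="carol" path="/api/v1/credentials/export"
"""


def credential_views(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each user to the log lines in which they hit a vulnerable endpoint.

    Only lines matching the advisory's regex are kept: the EDIT event and the
    /credentials/export path above are deliberately excluded by that pattern,
    because it requires the closing quote directly after "credentials".
    Lines with no recognisable user field are collected under "<unknown>".
    """
    hits: Dict[str, List[str]] = {}
    for line in lines:
        if not VULNERABLE_API_RE.search(line):
            continue
        m = USER_RE.search(line)
        user = m.group(1) if m else "<unknown>"
        hits.setdefault(user, []).append(line.rstrip())
    return hits


def unexpected_viewers(lines: Iterable[str], allowed_users: Iterable[str]) -> List[str]:
    """Users who viewed credentials but are not on the expected allow-list."""
    return sorted(set(credential_views(lines)) - set(allowed_users))


def main() -> None:
    # ASSUMPTION: alice and bob are the accounts that legitimately hold the
    # permission which should have gated these APIs.
    allowed = {"alice", "bob"}
    lines = SAMPLE_LOG.splitlines()
    for user, events in sorted(credential_views(lines).items()):
        print(f"{user}: {len(events)} credential view(s)")
    suspects = unexpected_viewers(lines, allowed)
    if suspects:
        print("Unexpected credential access by:", ", ".join(suspects))
        print("Rotate the affected camera credentials and investigate these accounts.")
    else:
        print("No unexpected credential access found in the supplied logs.")


if __name__ == "__main__":
    main()
```

Two caveats when running this against real logs: the advisory's pattern relies on type= appearing before path= on the same line, so a syslog pipeline that reorders or splits fields will need the regex adapted, and a quick triage without Python is `grep -E 'type="VIEW".*path="/api/v1/(credentials|devices/.*/credentials)"' <your syslog file>`, which applies the same expression but leaves the per-user comparison to you. An empty result only clears the period your retained logs cover; for any gap, follow the advisory and rotate the credentials.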
Vulnerability Information
An authenticated Ava Aware user could download camera credentials using the Ava Aware API without the appropriate permissions. The impact is partly mitigated in practice by the fact that cameras are typically deployed on private networks, so an attacker who obtained the credentials would normally have limited network access to the cameras themselves.
- CVE: Pending
- CVSSv3.1 score: 9.9 (Critical)
- CVSSv3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Acknowledgements
Issues found internally by Ava Security.
Disclosure Timeline
- 09/11/2020 Issues found internally by Ava Security
- 09/11/2020 Fix identified
- 11/11/2020 Patched Ava Aware 3.1.4 (Beta upgrade channel) released
- 11/11/2020 Patched Ava Aware 3.1.4 (Stable upgrade channel) released
- 11/11/2020 Advisory published internally
- 11/11/2020 Vulnerability publicly disclosed