Ava-322: Specially crafted x.509 certificates can lead to DoS of all Ava Video products

Release Date

18th November 2020.

Overview

A vulnerability in the underlying math/big package used by various Go programming language cryptographic packages can cause a panic when parsing a specially crafted x.509 certificate. The Aware on-premise appliance and the Ava Aware Cloud gateway could be vulnerable to a denial of service (DoS) if an attacker connects to it using such a certificate. If the attacker was to send many requests in short succession this may impact the ability of the appliance to serve valid connections. The Ava cameras, Aware Cloud and Aware on-premise appliances are also vulnerable to a denial of service if they connect to attacker-controlled endpoints.

Affected Products

• Ava Aware:
  • All Stable upgrade channel versions up to but not including 3.1.5
  • All Beta upgrade channel versions up to but not including 3.2.1
• Ava cameras:
  • All Stable upgrade channel versions up to but not including 3.1.5
  • All Beta upgrade channel versions up to but not including 3.2.1
• Ava Cloud: all versions before 16th November 2020

Unaffected Products

• Ava Aware:
  • All Stable upgrade channel versions after and including 3.1.5
  • All Beta upgrade channel versions after and including 3.2.1
• Ava cameras:
  • All Stable upgrade channel versions after and including 3.1.5
  • All Beta upgrade channel versions after and including 3.2.1
• Ava Cloud: all versions after 16th November 2020

Resolution

This issue has been fixed in the product versions mentioned above. It is strongly recommended that all on-premises deployments running an affected version upgrade to the latest version as soon as possible.

Vulnerability Information

• CVE: CVE-2020-28362
• CVSSv3 score: 7.5 (High)
• CVSSv3 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H There are no known mitigations or workarounds to this issue.

Acknowledgements

Issue found, and reported to the Go team, by Go Ethereum team and the OSS-Fuzz project.

Disclosure Timeline

• DD/MM/YYYY (date unknown) Issue found by the Go Ethereum team and the OSS-Fuzz project
• 12/11/2020 Patched Go language version released
• 16/11/2020 Patched Aware Cloud
• 18/11/2020 Patched Aware on-premise released
• 18/11/2020 Patched Aware Cameras released
• 18/11/2020 Advisory published internally
• 18/11/2020 Vulnerability publicly disclosed