Ava-460: Serial number could be leaked in man-in-the-middle attack

Ava-460: Serial number could be leaked in man-in-the-middle attack

Release Date

14th March 2022.

Overview

Under specific video streaming circumstances the Aware instance serial number may be leaked during the Ava Smart Path negotiation.

Affected Products

Ava Cloud: before 28th June 2021.

Unaffected Products

Ava Aware: all versions.
Ava cameras: all versions.
Ava Cloud: from 28th June 2021.

Resolution

A fix was deployed to the Ava Cloud on 28th June 2021. Ava Cloud customers do not need to take any additional action.

Vulnerability Information

CVE: pending
CVSSv3 score: 3.1 (Low)
CVSSv3 vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Mitigations

There are no known mitigations for this issue.

Work arounds

There are no known work arounds for this issue.

Acknowledgements

Issue found internally by Ava Security.

Disclosure Timeline

17/06/2021 Issue found internally by Ava Security
17/06/2021 Root cause established
17/06/2021 Fix identified
28/06/2021 Patched Ava Cloud released
14/03/2022 Vulnerability publicly disclosed

Avigilon Privacy Statement

Copyright © 2024, Motorola Solutions, Inc.