Ava-272: vcam credentials logged when RTSP request fails
22nd July 2020.
When an RTSP request made to vcam fails, vcam writes the full request to its log, including the Authorization header. Since that header carries the credentials used to authenticate to vcam (for RTSP Basic authentication this is only a base64 encoding of username and password, not an encryption of them), vcam credentials end up stored in the logs in recoverable form.
- vcam: All Beta Upgrade Channel versions before 1.3.0.
- vcam: All Stable Upgrade Channel versions before 1.3.1.
- vcore: All versions.
- vcloud: All versions.
This issue has been fixed in vcam version 1.3.0 on the Beta Upgrade Channel, and version 1.3.1 on the Stable Upgrade Channel.
We recommend that all vcam installations running an affected version upgrade to the latest release as soon as possible. See How to: Set the Vaion vcam System settings locally or How to: Upgrade your Vaion vcam devices from vcore.
For this vulnerability to be exploitable, an attacker must first obtain the logs. Logs can be retrieved through vcam, and through vcore if the vcam has been added to vcore, but retrieving them requires valid credentials for vcam or vcore respectively. This is why the CVSS vector below carries PR:H (high privileges required).
- CVE: Pending
- CVSSv3 score: 7.2 High
- CVSSv3 vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
This vulnerability can be mitigated by changing the passwords for vcams: once rotated, any credentials already captured in existing logs are no longer valid.
The applied patch also sanitises existing logs, redacting the credential information described above if it is present, so no action is required by the user with regards to the logs.
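As an added illustration (not Ava Security's code and not the vcam patch itself), the following Python script shows what a practitioner can do with a log export taken from a pre-1.3.x vcam or from vcore: scan it for RTSP Authorization headers that were echoed into failed-request log lines, decode any Basic headers to confirm that the credentials really are recoverable, and produce a redacted copy. The sample log lines and their layout are constructed for this example; the real vcam log format is not documented in this advisory. Digest headers are handled as well, since a logged Digest response still exposes the username and a challenge response that can be brute-forced offline.

```python
import base64
import re
from typing import List, Tuple

# Constructed sample log (hypothetical layout, NOT vcam's real log format).
# Lines 2 and 3 model the pre-1.3.0 behaviour: a failed RTSP request is logged
# verbatim, Authorization header included.
SAMPLE_LOG = """\
2020-06-08T10:15:01Z INFO  rtsp: stream session started for camera cam-01
2020-06-08T10:15:02Z WARN  rtsp: request to rtsp://192.0.2.10:554/live failed (401 Unauthorized): DESCRIBE rtsp://192.0.2.10:554/live RTSP/1.0 CSeq: 2 Authorization: Basic YWRtaW46czNjcmV0UGFzcw== User-Agent: vcam/1.2.9
2020-06-08T10:15:03Z WARN  rtsp: request to rtsp://192.0.2.11:554/live failed (401 Unauthorized): DESCRIBE rtsp://192.0.2.11:554/live RTSP/1.0 CSeq: 2 Authorization: Digest username="operator", realm="cam", nonce="abc", uri="/live", response="0123456789abcdef" User-Agent: vcam/1.2.9
2020-06-08T10:15:04Z INFO  rtsp: retry scheduled
"""

# RTSP Basic credentials: a single base64 token after the scheme name.
BASIC_RE = re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)")
# RTSP Digest credentials: comma-separated key=value parameters (quoted or bare).
_PARAM = r'[A-Za-z]+=(?:"[^"]*"|[^,\s]+)'
DIGEST_RE = re.compile(r"Authorization:\s*Digest\s+(" + _PARAM + r"(?:,\s*" + _PARAM + r")*)")
DIGEST_PARAM_RE = re.compile(r'([A-Za-z]+)=(?:"([^"]*)"|([^,\s]+))')


def find_leaked_credentials(log_text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_number, scheme, username, secret) for every Authorization header in the log.

    For Basic the secret is the decoded plaintext password; for Digest it is the
    response hash, which together with the logged realm/nonce/uri is enough for an
    offline guessing attack against the password.
    """
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for m in BASIC_RE.finditer(line):
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                # Malformed token: still report it, the raw value is what leaked.
                hits.append((lineno, "Basic", "<undecodable>", m.group(1)))
                continue
            user, _, password = decoded.partition(":")
            hits.append((lineno, "Basic", user, password))
        for m in DIGEST_RE.finditer(line):
            params = {k: (q or bare) for k, q, bare in DIGEST_PARAM_RE.findall(m.group(1))}
            hits.append((lineno, "Digest", params.get("username", ""), params.get("response", "")))
    return hits


def redact_authorization(line: str) -> str:
    """Replace the credential-bearing value of any Authorization header with a marker."""
    line = BASIC_RE.sub("Authorization: Basic [REDACTED]", line)
    line = DIGEST_RE.sub("Authorization: Digest [REDACTED]", line)
    return line


def sanitize_log(log_text: str) -> str:
    """Return a copy of the log with every Authorization header redacted, line count preserved."""
    cleaned = "\n".join(redact_authorization(line) for line in log_text.splitlines())
    return cleaned + ("\n" if log_text.endswith("\n") else "")


if __name__ == "__main__":
    for lineno, scheme, user, secret in find_leaked_credentials(SAMPLE_LOG):
        print(f"line {lineno}: {scheme} credentials for user {user!r} exposed (secret={secret!r})")
    print("--- sanitised log ---")
    print(sanitize_log(SAMPLE_LOG), end="")
```

Run against a real export, the scan tells you which vcam accounts to treat as compromised and rotate; the redaction pass is only an illustration of the kind of clean-up the 1.3.0/1.3.1 patch performs on existing logs, and the patched releases do this themselves.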
Issue found internally by Ava Security.
- 08/06/2020 Issue found internally by Ava Security
- 08/06/2020 Fix identified
- 02/07/2020 Patched vcam 1.3.0 (Beta Upgrade Channel) released
- 22/07/2020 Patched vcam 1.3.1 (Stable Upgrade Channel) released
- 22/07/2020 Advisory published internally
- 22/07/2020 Vulnerability publicly disclosed