Ava-293: unauthorized download of vcore camera credentials

Release Date

27th July 2020.

Overview

A logged in vcore user could download the configured camera credentials without the appropriate permissions.

Affected Products

• vcore: All Beta Upgrade Channel versions before 2.3.5.
• vcore: All Stable Upgrade Channel versions before 2.3.6.

Unaffected Products

• vcore: All Beta Upgrade Channel versions after and including 2.3.5.
• vcore: All Stable Upgrade Channel versions after and including 2.3.6.
• vcloud: All versions
• vcam: All versions

Resolution

This issue has been fixed in vcore Beta Upgrade Channel version 2.3.5 and Stable Upgrade Channel version 2.3.6. We strongly recommend that all vcore installations running an affected version upgrade to the latest release as soon as possible. Releases are available to download through the vcore User Interface. We also recommend changing the passwords of all configured credentials and all connected cameras.

Vulnerability Information

A logged in vcore user could download the configured camera credentials without the appropriate permissions via the vcore API and User Interface. However, this can be mitigated by the fact that cameras are typically deployed on private networks so an attacker should have limited access to the cameras.

• CVE: Pending
• CVSSv3.1 score: 7.7 (High)
• CVSSv3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Acknowledgements

Issue found internally by Ava Security.

Disclosure Timeline

• 17/07/2020 Issue found internally by Ava Security
• 17/07/2020 Fix identified
• 21/07/2020 Patched vcore 2.3.5 (Beta upgrade channel) released
• 27/07/2020 Patched vcore 2.3.6 (Stable upgrade channel) released
• 27/07/2020 Advisory published internally
• 27/07/2020 Vulnerability publicly disclosed