Ava-294: unauthorized access to certain vcore APIs
27th July 2020.
A logged-in vcore user could perform certain administrator-level actions using the vcore API without the appropriate permissions.
- vcore: All Beta Upgrade Channel versions before 2.3.5.
- vcore: All Stable Upgrade Channel versions before 2.3.6.
- vcore: All Beta Upgrade Channel versions after and including 2.3.5.
- vcore: All Stable Upgrade Channel versions after and including 2.3.6.
- vcloud: All versions
- vcam: All versions
This issue has been fixed in vcore Beta Upgrade Channel version 2.3.5 and Stable Upgrade Channel version 2.3.6.
We strongly recommend that all vcore installations running an affected version upgrade to the latest release as soon as possible.
Releases are available to download through the vcore
We also recommend reviewing the permissions of all users and checking that no users have unknown public keys attached to their accounts.
Review a user's public keys by performing an HTTP GET request to https://<vcore address>/api/v1/users/<userId>/keys. The response body is a JSON list that should either be empty or contain only trusted public keys. To remove a key, issue an HTTP DELETE request
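One way to script the key review described above, as an added example that is not Ava Security's code. It assumes each element of the JSON list is either a key string or an object holding the key under a `publicKey` field (a hypothetical name), that `fetch_keys` is given whatever authentication headers the deployment uses, and the sample data is constructed.

```python
import json
import urllib.request

KEYS_PATH = "/api/v1/users/{user_id}/keys"  # endpoint path given in the advisory

def normalize(key):
    """Collapse whitespace so a re-wrapped copy of the same key compares equal."""
    return " ".join(str(key).split())

def untrusted_keys(response_body, trusted, field="publicKey"):
    """Return the entries of one user's key list that are not in `trusted`."""
    entries = json.loads(response_body)
    if not isinstance(entries, list):
        raise ValueError("expected a JSON list of keys")
    allowed = {normalize(k) for k in trusted}
    flagged = []
    for entry in entries:
        # Assumption: an entry is a key string, or an object with the key under `field`.
        text = entry.get(field) if isinstance(entry, dict) else entry
        if text is None or normalize(text) not in allowed:
            flagged.append(entry)  # unreadable entries are flagged, never skipped
    return flagged

def fetch_keys(base_url, user_id, headers):
    """GET one user's key list; `headers` carries the deployment's own credentials."""
    url = base_url.rstrip("/") + KEYS_PATH.format(user_id=user_id)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def audit(bodies, trusted_by_user, field="publicKey"):
    """Map user id -> flagged entries. Trust is per user, so a key that is
    valid for one account is still reported when found on another."""
    report = {}
    for user_id, body in bodies.items():
        flagged = untrusted_keys(body, trusted_by_user.get(user_id, []), field)
        if flagged:
            report[user_id] = flagged
    return report

# Constructed sample responses and allowlist (not real keys or real users).
SAMPLE_BODIES = {
    "1": '["key-alice-constructed"]',
    "2": '["key-bob-constructed", "key-alice-constructed"]',
    "3": "[]",
    "4": '[{"publicKey": "key-unknown-constructed"}]',
}
SAMPLE_TRUSTED = {"1": ["key-alice-constructed"], "2": ["key-bob-constructed"]}
```

Calling `audit(SAMPLE_BODIES, SAMPLE_TRUSTED)` reports users 2 and 4; an account with no allowlist entry has every attached key flagged.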
Users could perform administrator-level actions using the vcore API without the appropriate permissions. However, the risk is mitigated by the fact that the user would need to be logged in and that vcore is typically deployed on private networks with a small number of user accounts.
- CVE: Pending
- CVSSv3.1 score: 9.9 (Critical)
- CVSSv3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
If the vcore installation cannot be immediately upgraded to an unaffected version, we recommend locking all accounts except one trusted administrator account in order to limit the number of users that have access to the unauthorized APIs.
Issue found internally by Ava Security.
- 17/07/2020 Issue found internally by Ava Security
- 17/07/2020 Fix identified
- 21/07/2020 Patched vcore 2.3.5 (Beta upgrade channel) released
- 27/07/2020 Patched vcore 2.3.6 (Stable upgrade channel) released
- 27/07/2020 Advisory published internally
- 27/07/2020 Vulnerability publicly disclosed