Ava-294: unauthorized access to certain vcore APIs

Release Date

27th July 2020.

Overview

A logged-in vcore user could perform certain administrator-level actions through the vcore API without the appropriate permissions.

Affected Products

  • vcore: All Beta Upgrade Channel versions before 2.3.5.
  • vcore: All Stable Upgrade Channel versions before 2.3.6.

Unaffected Products

  • vcore: All Beta Upgrade Channel versions after and including 2.3.5.
  • vcore: All Stable Upgrade Channel versions after and including 2.3.6.
  • vcloud: All versions
  • vcam: All versions

Resolution

This issue has been fixed in vcore Beta Upgrade Channel version 2.3.5 and Stable Upgrade Channel version 2.3.6. We strongly recommend that all vcore installations running an affected version upgrade to the latest release as soon as possible. Releases are available to download through the vcore User Interface. We also recommend reviewing the permissions of all users and checking that no user has unknown public keys attached to their account. Review a user's public keys by performing an HTTP GET request to https://<vcore address>/api/v1/users/<userId>/keys. The response body is a JSON list that should either be empty or contain only trusted public keys. To remove a key, issue an HTTP DELETE request to https://<vcore address>/api/v1/users/<userId>/keys/<id>.
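The key review described above can be automated. The following script is an added example, not part of the advisory or of vcore's own tooling: it fetches each user's key list, reports any key not in a trusted allowlist, and builds the DELETE URL for each such key. The record field names `id` and `key`, the bearer-token header, and the sample data are assumptions.

```python
import json
import urllib.request
from typing import Callable, Iterable

# Assumed record layout (not documented in the advisory): each entry in the
# GET /api/v1/users/<userId>/keys list carries an "id" and the key text in "key".
def unknown_keys(keys: list, trusted: set) -> list:
    """Return the entries whose key material is not in the trusted allowlist."""
    return [k for k in keys if k.get("key", "").strip() not in trusted]

def audit_users(fetch_keys: Callable[[str], list], user_ids: Iterable[str],
                trusted: set) -> dict:
    """Map each user id to its list of untrusted key entries (only non-empty lists)."""
    report = {}
    for uid in user_ids:
        bad = unknown_keys(fetch_keys(uid), trusted)
        if bad:
            report[uid] = bad
    return report

def delete_url(base_url: str, uid: str, key_id: str) -> str:
    """URL for the HTTP DELETE the advisory describes for removing a key."""
    return f"{base_url}/api/v1/users/{uid}/keys/{key_id}"

def make_http_fetcher(base_url: str, token: str) -> Callable[[str], list]:
    """Fetcher for a live vcore; the Authorization header scheme is an assumption."""
    def fetch(uid: str) -> list:
        req = urllib.request.Request(f"{base_url}/api/v1/users/{uid}/keys",
                                     headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    return fetch

# Constructed sample data standing in for real API responses.
TRUSTED_KEYS = {"ssh-ed25519 AAAAexample1 admin@corp"}
SAMPLE_KEYS = {
    "u1": [],
    "u2": [{"id": "k1", "key": "ssh-ed25519 AAAAexample1 admin@corp"}],
    "u3": [{"id": "k1", "key": "ssh-ed25519 AAAAexample1 admin@corp"},
           {"id": "k2", "key": "ssh-rsa AAAAexample2 unknown@nowhere"}],
}

def sample_fetch(uid: str) -> list:
    return SAMPLE_KEYS.get(uid, [])

if __name__ == "__main__":
    for uid, bad in audit_users(sample_fetch, SAMPLE_KEYS, TRUSTED_KEYS).items():
        for entry in bad:
            print(f"user {uid}: untrusted key {entry['id']} -> "
                  f"DELETE {delete_url('https://vcore.example', uid, entry['id'])}")
```

Replace `sample_fetch` with `make_http_fetcher(...)` and supply the real user ids to run it against an installation; the script only reports, so each DELETE remains a deliberate operator action.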

Vulnerability Information

Users could perform administrator-level actions through the vcore API without appropriate permissions. The impact is limited by the fact that the user must already be logged in and that vcore is typically deployed on private networks with a small number of user accounts.

Mitigations

If the vcore installation cannot be upgraded immediately to an unaffected version, we recommend locking all accounts except one trusted administrator account, in order to limit the number of users with access to the affected APIs.

Acknowledgements

Issue found internally by Ava Security.

Disclosure Timeline

  • 17/07/2020 Issue found internally by Ava Security
  • 17/07/2020 Fix identified
  • 21/07/2020 Patched vcore 2.3.5 (Beta upgrade channel) released
  • 27/07/2020 Patched vcore 2.3.6 (Stable upgrade channel) released
  • 27/07/2020 Advisory published internally
  • 27/07/2020 Vulnerability publicly disclosed