Ava-295: users could potentially be granted more privileges than shown in the user interface

Release Date

27th July 2020.

Overview

A user with the Administrator global role has, by default, all permissions for every tool available in vcore. Any global role created by duplicating the Administrator global role will grant all permissions for a given tool, even if the individual permissions associated with that tool are modified. Global roles subsequently created by duplicating such roles inherit the same problem. The user interface gives no indication that all permissions have been enabled for some tools in these global roles.

Affected Products

  • Vaion vcore: All Beta Upgrade Channel versions before 2.4.0
  • Vaion vcore: All Stable Upgrade Channel versions before 2.3.6

Unaffected Products

  • Vaion vcore: All Beta Upgrade Channel versions after and including 2.4.0
  • Vaion vcore: All Stable Upgrade Channel versions after and including 2.3.6
  • Vaion vcam: All versions
  • Vaion vcloud: All versions

Resolution

This issue has been fixed in vcore Beta Upgrade Channel version 2.4.0 and Stable Upgrade Channel version 2.3.6. We strongly recommend that all vcore installations running an affected version upgrade to the latest release as soon as possible. After upgrading to the latest vcore version, users are advised to take the following actions:

  1. Select the Users tool and click User groups.
  2. For each User Group in turn, click on the settings cog next to Global roles.
  3. For each Global role that has been defined, ensure that the All permissions toggles are not enabled for any Global role that does not require this level of permission.

Vulnerability Information

Because of this vulnerability, any user assigned a global role created by duplicating an existing role can access more resources than the user interface indicates. An external attacker cannot exploit this vulnerability without the involvement of an authenticated user.
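The following is an added illustration of the defect class described in the Overview and of the post-upgrade check in the Resolution; it is not vcore's code and does not describe how vcore is implemented. It models a per-tool "All permissions" toggle that authorization honours but the UI does not list: a duplicate of the Administrator role carries the toggle along, so trimming the displayed permission list leaves the effective grants unchanged. The tool names, permission strings and function names (`duplicate_role_vulnerable`, `duplicate_role_fixed`, `hidden_grants`, `audit_all_permissions`) are all assumptions chosen for the example.

```python
"""Hypothetical model of a duplicated role carrying a hidden 'All permissions' flag.

Added example, not vcore's code. Every identifier and the tool catalogue below are
assumptions constructed to mirror the advisory's wording.
"""
from dataclasses import dataclass, field

# Constructed sample catalogue: tool -> individual permissions it offers.
TOOLS = {
    "Users": {"view", "create", "edit", "delete"},
    "Cameras": {"view", "configure"},
    "Recordings": {"view", "export"},
}


@dataclass
class GlobalRole:
    name: str
    # Per-tool "All permissions" toggle: the grant the UI did not surface.
    all_permissions: dict = field(default_factory=dict)
    # Per-tool explicit permission sets: what the UI did show.
    permissions: dict = field(default_factory=dict)

    def displayed(self, tool):
        """What the user interface lists for a tool (explicit permissions only)."""
        return set(self.permissions.get(tool, set()))

    def effective(self, tool):
        """What authorization actually grants: the toggle overrides the list."""
        if self.all_permissions.get(tool, False):
            return set(TOOLS[tool])
        return self.displayed(tool)


def administrator_role():
    """The built-in Administrator: every toggle on and every permission listed."""
    return GlobalRole(
        "Administrator",
        all_permissions={t: True for t in TOOLS},
        permissions={t: set(p) for t, p in TOOLS.items()},
    )


def duplicate_role_vulnerable(src, new_name):
    """Modelled pre-fix behaviour: the hidden toggle is copied with the role."""
    return GlobalRole(
        new_name,
        all_permissions=dict(src.all_permissions),
        permissions={t: set(p) for t, p in src.permissions.items()},
    )


def duplicate_role_fixed(src, new_name):
    """Hardened behaviour: a duplicate starts from the explicit list only, so every
    grant the role carries is one the UI shows and the editor can remove."""
    return GlobalRole(
        new_name,
        all_permissions={t: False for t in TOOLS},
        permissions={t: set(p) for t, p in src.permissions.items()},
    )


def hidden_grants(role):
    """Permissions granted but not displayed: the gap this advisory describes."""
    gaps = {}
    for tool in TOOLS:
        extra = role.effective(tool) - role.displayed(tool)
        if extra:
            gaps[tool] = extra
    return gaps


def audit_all_permissions(roles):
    """Equivalent of the post-upgrade check: roles with any 'All permissions' toggle on."""
    return {
        r.name: sorted(t for t, on in r.all_permissions.items() if on)
        for r in roles
        if any(r.all_permissions.values())
    }


if __name__ == "__main__":
    admin = administrator_role()
    ops = duplicate_role_vulnerable(admin, "Operators")
    ops.permissions["Users"] = {"view"}  # editor "removes" create/edit/delete
    print("hidden grants (vulnerable):", hidden_grants(ops))
    fixed = duplicate_role_fixed(admin, "Operators-fixed")
    fixed.permissions["Users"] = {"view"}
    print("hidden grants (fixed):", hidden_grants(fixed))
    print("roles to review:", audit_all_permissions([admin, ops, fixed]))
```

The `audit_all_permissions` function is the programmatic counterpart of steps 1 to 3 in the Resolution: it lists every role that still has an "All permissions" toggle enabled so an administrator can confirm each one is intended. Note that the Administrator role itself shows no hidden grant, because its explicit list is already complete; the gap appears only once a duplicate has been edited.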

Acknowledgements

Issue found internally by Ava Security.

Disclosure Timeline

  • 20/07/2020 Issue found internally by Ava Security
  • 21/07/2020 Fix identified
  • 27/07/2020 Patched vcore 2.4.0 (Beta upgrade channel) released
  • 27/07/2020 Patched vcore 2.3.6 (Stable upgrade channel) released
  • 27/07/2020 Advisory published internally
  • 27/07/2020 Vulnerability publicly disclosed