Ava-317: Video encryption key logged during video export

Release Date

11th November 2020.

Overview

The video encryption key was logged when exporting video.

Affected Products

• Ava Aware:
  • All Stable upgrade channel versions up to but not including 3.1.4
  • All Beta upgrade channel versions up to but not including 3.1.4

Unaffected Products

• Ava Aware:
  • All Stable upgrade channel versions after and including 3.1.4
  • All Beta upgrade channel versions after and including 3.1.4
• Ava cloud: All versions
• Ava camera: All versions

Resolution

This issue has been fixed in Ava Aware Beta upgrade channel version 3.1.4 and Stable upgrade channel version 3.1.4. We recommend that all Ava Aware installations running an affected version upgrade to the latest release as soon as possible. Releases are available to download through the Ava Aware User Interface.

Vulnerability Information

The video encryption key was logged when exporting video. However, it is not possible to exploit this to gain access to and decrypt video data without physical access to the server.

• CVE: Pending
• CVSSv3.1 score: 6.5 (Medium)
• CVSSv3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Mitigations

This vulnerability can be mitigated by deleting the affected logs. Do this by connecting to the Ava Aware SSH console and executing the following command:

vplat# advanced clear-logs mgmt

Acknowledgements

Issue found internally by Ava Security.

Disclosure Timeline

• 09/11/2020 Issue found internally by Ava Security
• 09/11/2020 Fix identified
• 11/11/2020 Patched Ava Aware 3.1.4 (Beta upgrade channel) released
• 11/11/2020 Patched Ava Aware 3.1.4 (Stable upgrade channel) released
• 11/11/2020 Advisory published internally
• 11/11/2020 Vulnerability publicly disclosed