Ava-317: Video encryption key logged during video export
11th November 2020.
The video encryption key was logged when exporting video.
Affected products:
- Ava Aware:
  - All Stable upgrade channel versions up to but not including 3.1.4
  - All Beta upgrade channel versions up to but not including 3.1.4
Unaffected products:
- Ava Aware:
  - All Stable upgrade channel versions after and including 3.1.4
  - All Beta upgrade channel versions after and including 3.1.4
- Ava cloud: All versions
- Ava camera: All versions
This issue has been fixed in Ava Aware Beta upgrade channel version 3.1.4 and Stable upgrade channel version 3.1.4. We recommend that all Ava Aware installations running an affected version upgrade to the latest release as soon as possible. Releases are available to download through the Ava Aware User Interface.
The video encryption key was logged when exporting video. However, it is not possible to exploit this to gain access to and decrypt video data without physical access to the server.
- CVE: Pending
- CVSSv3.1 score: 6.5 (Medium)
- CVSSv3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
This vulnerability can be mitigated by deleting the affected logs. Do this by connecting to the Ava Aware SSH console and executing the following command:
vplat# advanced clear-logs mgmt
Issue found internally by Ava Security.
- 09/11/2020 Issue found internally by Ava Security
- 09/11/2020 Fix identified
- 11/11/2020 Patched Ava Aware 3.1.4 (Beta upgrade channel) released
- 11/11/2020 Patched Ava Aware 3.1.4 (Stable upgrade channel) released
- 11/11/2020 Advisory published internally
- 11/11/2020 Vulnerability publicly disclosed