Ava-327: Insufficient authorization of timeline requests by Ava Aware guest users

Release Date

2nd December 2020.

Overview

Users that accessed Ava Aware through a shared link could retrieve timeline information they were not permitted to view using the API. The information that an attacker could access was limited to the time ranges that had been shared for at least one camera in the shared link and was limited to the cameras that were shared in the shared link.

In the following examples t1, t2, t3 and t4 are timestamps where t1 < t2 < t3 < t4.

  • Example A: if the time range t1 to t2 was shared for camera C1 and the time range t3 to t4 was shared for camera C2, then the time ranges t1 to t2 and t3 to t4 would be accessible for both C1 and C2.
  • Example B: if the time range t1 to t3 was shared for camera C1 and the time range t2 to t4 was shared for camera C2, then the time range t1 to t4 would be accessible for both C1 and C2.

Affected Products

  • Ava Aware:
      • All Stable Upgrade Channel versions before 3.2.3.
      • All Beta Upgrade Channel versions before 3.2.3.

Unaffected Products

  • Ava Aware:
      • All Stable Upgrade Channel versions after and including 3.2.3.
      • All Beta Upgrade Channel versions after and including 3.2.3.
  • Ava cameras: All versions
  • Ava Cloud: All versions

Resolution

This issue has been fixed in Ava Aware Beta upgrade channel version 3.2.3 and Stable upgrade channel version 3.2.3. We recommend that all installations running an affected version upgrade to the latest release as soon as possible. Releases are available to download through the Ava Aware User Interface.

Vulnerability Information

Mitigations

There are no known mitigations for this issue.

Workarounds

The workaround for this issue is to only share one camera per shared link.
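The following Python model is an added example and is not Ava's code; it illustrates the authorization flaw described in the Overview and why the single-camera workaround above is effective. The names (ShareLink, timeline_permitted_vulnerable, timeline_permitted_fixed) and the timestamp values are assumptions chosen for illustration. The flawed check confirms the camera belongs to the link but then tests the requested time window against the union of every range shared in the link, regardless of which camera it was shared for; the corrected check tests the window only against the ranges shared for that specific camera.

```python
"""Added example (not Ava's code): models the per-camera authorization flaw.
ShareLink and the *_permitted_* functions are hypothetical names."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Interval = Tuple[int, int]  # (start, end) timestamps, start <= end


@dataclass
class ShareLink:
    # camera id -> time ranges shared for that camera in this link
    shares: Dict[str, List[Interval]] = field(default_factory=dict)

    def add_share(self, camera: str, start: int, end: int) -> None:
        self.shares.setdefault(camera, []).append((start, end))


def merge_intervals(intervals: List[Interval]) -> List[Interval]:
    """Coalesce overlapping or touching intervals into a sorted, disjoint list."""
    merged: List[Interval] = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def contained(requested: Interval, allowed: List[Interval]) -> bool:
    """True if the requested window lies entirely inside one merged allowed interval."""
    start, end = requested
    return any(a <= start and end <= b for a, b in merge_intervals(allowed))


def timeline_permitted_vulnerable(link: ShareLink, camera: str, start: int, end: int) -> bool:
    """Flawed check: camera membership is verified, but the time window is tested
    against the union of every range in the link, whatever camera it belongs to."""
    if camera not in link.shares:
        return False
    all_ranges = [r for ranges in link.shares.values() for r in ranges]
    return contained((start, end), all_ranges)


def timeline_permitted_fixed(link: ShareLink, camera: str, start: int, end: int) -> bool:
    """Corrected check: the window must lie inside the ranges shared for this camera."""
    return contained((start, end), link.shares.get(camera, []))


# Constructed timestamps satisfying t1 < t2 < t3 < t4, as in the advisory.
T1, T2, T3, T4 = 100, 200, 300, 400


def example_a() -> Dict[str, bool]:
    """Example A: C1 shared t1..t2, C2 shared t3..t4."""
    link = ShareLink()
    link.add_share("C1", T1, T2)
    link.add_share("C2", T3, T4)
    return {
        "vulnerable_C2_t1_t2": timeline_permitted_vulnerable(link, "C2", T1, T2),
        "fixed_C2_t1_t2": timeline_permitted_fixed(link, "C2", T1, T2),
        "fixed_C2_t3_t4": timeline_permitted_fixed(link, "C2", T3, T4),
    }


def example_b() -> Dict[str, bool]:
    """Example B: C1 shared t1..t3, C2 shared t2..t4 (overlapping ranges merge)."""
    link = ShareLink()
    link.add_share("C1", T1, T3)
    link.add_share("C2", T2, T4)
    return {
        "vulnerable_C1_t1_t4": timeline_permitted_vulnerable(link, "C1", T1, T4),
        "fixed_C1_t1_t4": timeline_permitted_fixed(link, "C1", T1, T4),
        "fixed_C1_t1_t3": timeline_permitted_fixed(link, "C1", T1, T3),
    }


def workaround_single_camera() -> bool:
    """With one camera per link the union equals that camera's own ranges, so the
    flawed and corrected checks agree on every request."""
    link = ShareLink()
    link.add_share("C1", T1, T2)
    requests = [(T1, T2), (T2, T3), (T3, T4), (T1, T4)]
    return all(
        timeline_permitted_vulnerable(link, "C1", s, e) == timeline_permitted_fixed(link, "C1", s, e)
        for s, e in requests
    )


if __name__ == "__main__":
    print("Example A:", example_a())
    print("Example B:", example_b())
    print("Single-camera link, checks agree:", workaround_single_camera())
```

In Example B the two shared ranges overlap, so the flawed union check grants C1 the whole t1 to t4 window even though only t1 to t3 was shared for it, matching the advisory's description; the corrected check only grants t1 to t3.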

Acknowledgements

Issue found internally by Ava Security.

Disclosure Timeline

  • 19/11/2020 Issue found internally by Ava Security
  • 19/11/2020 Root cause established
  • 01/12/2020 Fix identified
  • 02/12/2020 Patched Ava Aware (Beta upgrade channel) released
  • 02/12/2020 Patched Ava Aware (Stable upgrade channel) released
  • 02/12/2020 Advisory published internally
  • 02/12/2020 Vulnerability publicly disclosed