Ava-330: Specially crafted bitstreams can lead to DoS of Ava Aware

Release Date

26th November 2020.

Overview

Insufficient checks on media received by Ava Aware allow an attacker (such as a rogue camera or a MITM between an existing camera and Aware) to cause a crash loop, leading to a DoS of the server.

Affected Products

• Ava Aware:
  • All Stable upgrade channel versions up to but not including 3.1.6
  • All Beta upgrade channel versions up to but not including 3.2.2

Unaffected Products

• Ava Aware:
  • All Stable upgrade channel versions from 3.1.6
  • All Beta upgrade channel versions from 3.2.2
• Ava Cloud: All versions
• Ava cameras: All versions

Resolution

This issue has been fixed in Beta upgrade channel version 3.2.2 and Stable upgrade channel version 3.1.6. We [strongly] recommend that all installations running an affected version upgrade to the latest release as soon as possible. Releases are available to download through the Ava Aware User Interface.

Vulnerability Information

• CVE: pending
• CVSSv3 score: 5.9 (Medium)
• CVSSv3 vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Mitigations

This vulnerability can be mitigated in Ava Aware by enforcing media encryption for all cameras.

Work arounds

There are no known work arounds for this issue.

Acknowledgements

Issue found internally by Ava Security.

Disclosure Timeline

• 19/11/2020 Issue found internally by Ava Security
• 20/11/2020 Root cause established
• 23/11/2020 Fix identified
• 26/11/2020 Patched Ava Aware 3.2.2 (Beta upgrade channel) released
• 26/11/2020 Patched Ava Aware 3.1.6 (Stable upgrade channel) released
• 26/11/2020 Advisory published internally
• 26/11/2020 Vulnerability publicly disclosed