Ava-337: Hashed cloud backup password retrievable using the Ava Aware API

Release Date

18th December 2020.

Overview

An authenticated user can make an API request to retrieve a hashed version of the cloud backup password. The hash is used to encrypt the backup that is uploaded to Ava Cloud. However, this is mitigated by the fact that the vulnerability cannot be used to download the backup. The backup can only be downloaded by the Ava Aware deployment which made the backup and downloading the backup requires administrator privileges from the Ava Aware user. The password is only used for cloud backups and is not related to any user accounts.

Affected Products

• Ava Aware: Beta upgrade channel versions 3.3.0 and 3.3.1

Unaffected Products

• Ava Aware:
  • All Stable upgrade channel versions.
  • All Beta upgrade channel versions after and including 3.3.2.
• Ava cameras: All versions
• Ava Cloud: All versions

Resolution

This issue has been fixed in Ava Aware Beta upgrade channel version 3.3.2. We highly recommend that all installations running an affected version are upgraded to the latest release as soon as possible. Releases are available to download through the Ava Aware User Interface.

Vulnerability Information

• CVE: Pending
• CVSSv3 score: 8.1 (High)
• CVSSv3 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Mitigations

We recommend that you perform the following steps to mitigate this issue:

1. Change the backup password.
2. Delete the old backups.
3. Perform a new backup.

Work arounds

There are no known work arounds for this issue.

Acknowledgements

Issue found internally by Ava Security.

Disclosure Timeline

• 04/12/2020 Issue found internally by Ava Security
• 17/12/2020 Root cause established
• 17/12/2020 Fix identified
• 18/12/2020 Patched Ava Aware (Beta upgrade channel) released
• 18/12/2020 Advisory published internally
• 18/12/2020 Vulnerability publicly disclosed