Ava-350: Ava Cloud user able to escalate their privileges on Ava Aware

Release Date

18th December 2020.

Overview

An Ava Aware user who enters the deployment via Ava Cloud could escalate their privileges to gain administrator access on the Ava Aware instance. This only affects Ava Appliance deployments with "Allow DMP access to this deployment" enabled and Ava Aware Cloud deployments with "Ava aware access via DMP" enabled.

Affected Products

  • Ava Aware:
    • All Stable upgrade channel versions before 3.2.5.
    • All Beta upgrade channel versions before 3.3.2.

Unaffected Products

  • Ava Aware:
    • All Stable upgrade channel versions after and including 3.2.5.
    • All Beta upgrade channel versions after and including 3.3.2.
  • Ava cameras: All versions
  • Ava Cloud: All versions

Resolution

This issue has been fixed in Ava Aware Beta upgrade channel version 3.3.2 and Stable upgrade channel version 3.2.5. It is crucial that all installations running an affected version upgrade to the latest release as soon as possible. Releases are available to download through the Ava Aware User Interface.

We recommend performing an audit of logs matching the regular expression

  type="MODIFY".*path="/api/v1/config"

to verify that only users with administrator privileges have used the vulnerable API.

If "Allow DMP access to this deployment" is enabled on your Ava Appliance deployment, we recommend that you verify that the "DMP users belong to" setting is correct. The setting is found in the "Ava Cloud" settings in the Appliances tool.

If "Ava aware access via DMP" is enabled on your Ava Aware Cloud deployment, we recommend that you verify that the "User group for DMP users" setting is correct. The setting is found in the "DMP access" tab in the System settings.
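The following is an added example of how the recommended log audit can be carried out; it is not tooling from Ava Security and not part of the original advisory. It applies the advisory's regular expression verbatim and then checks the acting user against a list of known administrators, so that any configuration change made through the vulnerable API by a non-administrator (or with no user recorded) is flagged. The advisory does not describe the Ava Aware log schema, so the key="value" field layout, the field name user, and the sample log lines below are all assumptions constructed for illustration; adjust parse_fields and the ADMINS set to match your deployment.

```python
import re
import sys
from typing import Iterable, List, Set, Tuple

# The regular expression from the advisory, used verbatim.
VULNERABLE_API_RE = re.compile(r'type="MODIFY".*path="/api/v1/config"')

# Assumption: surrounding fields are key="value" pairs. The real Ava Aware
# log format is not described in the advisory, so this parser and the
# field name "user" are guesses to be adapted to the actual schema.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample log lines (not real Ava Aware output) for a local run.
SAMPLE_LOG = """\
2020-12-17T09:12:41Z type="READ" user="bob" path="/api/v1/config" status="200"
2020-12-17T09:14:03Z type="MODIFY" user="alice" path="/api/v1/config" status="200"
2020-12-17T09:20:17Z type="MODIFY" user="bob" path="/api/v1/config" status="200"
2020-12-17T09:21:55Z type="MODIFY" user="bob" path="/api/v1/cameras" status="200"
2020-12-17T09:30:00Z type="MODIFY" path="/api/v1/config" status="200"
""".splitlines()

# Assumption: the set of accounts that legitimately hold administrator rights.
ADMINS: Set[str] = {"admin", "alice"}


def parse_fields(line: str) -> dict:
    """Extract key="value" pairs from one log line (assumed layout)."""
    return dict(FIELD_RE.findall(line))


def suspicious_config_changes(lines: Iterable[str], admins: Set[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, user, line) for every config MODIFY not made by a known admin.

    A matching line with no user field is reported as "<unknown>" rather than
    silently skipped, since an unattributed change is exactly what an auditor
    needs to look at by hand.
    """
    hits: List[Tuple[int, str, str]] = []
    for line_no, line in enumerate(lines, start=1):
        if not VULNERABLE_API_RE.search(line):
            continue
        user = parse_fields(line).get("user", "<unknown>")
        if user not in admins:
            hits.append((line_no, user, line.strip()))
    return hits


def audit_file(path: str, admins: Set[str]) -> List[Tuple[int, str, str]]:
    """Run the audit over a log file on disk."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return suspicious_config_changes(fh, admins)


if __name__ == "__main__":
    # Usage: python audit_config_modify.py [logfile]; without an argument the
    # constructed sample above is scanned.
    if len(sys.argv) > 1:
        findings = audit_file(sys.argv[1], ADMINS)
    else:
        findings = suspicious_config_changes(SAMPLE_LOG, ADMINS)
    for line_no, user, line in findings:
        print(f"line {line_no}: user={user!r}: {line}")
    print(f"{len(findings)} non-administrator config modification(s) found")
```

Run against the constructed sample, the script reports two lines: the change made by bob, who is not in ADMINS, and the change with no user field. A clean audit of a real deployment returns no findings; any finding should be reconciled against the "DMP users belong to" or "User group for DMP users" setting named above, since an incorrect value there is how a DMP user would have been placed in the wrong group.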

Vulnerability Information

Mitigations

There are no known mitigations for this issue.

Workarounds

The workaround for this issue is to disable "Allow DMP access to this deployment" for Ava Appliance deployments and to disable "Ava aware access via DMP" for Ava Aware Cloud deployments.

Acknowledgements

Issue found internally by Ava Security.

Disclosure Timeline

  • 17/12/2020 Issue found internally by Ava Security
  • 17/12/2020 Root cause established
  • 17/12/2020 Fix identified
  • 18/12/2020 Patched Ava Aware (Beta upgrade channel) released
  • 18/12/2020 Patched Ava Aware (Stable upgrade channel) released
  • 18/12/2020 Advisory published internally
  • 18/12/2020 Vulnerability publicly disclosed