Ava-402: Possible to create Ava Aware Cloud deployment without authentication

Release Date

2nd March 2021.

Overview

A vulnerability in Ava Cloud made it possible for an unauthenticated attacker to create Ava Aware Cloud deployments. This could prevent legitimate users from creating Ava Aware Cloud deployments and deny access to existing deployments.

Affected Products

• Ava Cloud: After 30th September 2020 but before 2nd March 2021.

Unaffected Products

• Ava Aware: All versions.
• Ava cameras: All versions.
• Ava Cloud: From 2nd March 2021.

Resolution

A fix was deployed to the Ava Cloud on 2nd March 2021. Ava Cloud customers do not need to take any additional action.

Vulnerability Information

• CVE: Pending
• CVSSv3 score: 8.6 (High)
• CVSSv3 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Mitigations

There are no known mitigations for this issue.

Work arounds

There are no known work arounds for this issue.

Acknowledgements

Issue found internally by Ava Security.

Disclosure Timeline

• 25/02/2021 Issue found internally by Ava Security
• 25/02/2021 Root cause established
• 25/02/2021 Fix identified
• 02/03/2021 Patched Ava Cloud released
• 02/03/2021 Advisory published internally
• 02/03/2021 Vulnerability publicly disclosed