Vaion-254: Camera credentials accessible via debug API

Release Date

14th February 2020.

Overview

Passwords used by vcore to authenticate with cameras were inadvertently returned in cleartext through a debug API. The debug API is protected by TLS. These passwords were also uploaded to vcloud as part of usage statistics.

Affected Products

  • vcore: Up to and including 1.4.
  • vcloud: Up to 7th February 2020.

Unaffected Products

  • vcam: All versions.

Resolution

After the vulnerability was discovered, the usage statistics containing camera credentials were deleted from vcloud. Only vcloud operators could have viewed these credentials. A fix was deployed to vcloud on 7th February 2020, and the issue has been fixed in vcore version 1.4.1. We recommend that all vcore installations running an affected version upgrade to the latest release as soon as possible, and that all Vaion customers rotate their camera credentials.

Vulnerability Information

Since the camera credentials are typically accessible to a user of vcore, we believe that in most deployments this issue would not have given anyone greater access. In many deployments cameras are accessible only over a local network, which may mitigate the impact in your deployment.

Acknowledgements

Issue found internally by Vaion.

Disclosure Timeline

  • 05/02/2020 Issue found internally by Vaion
  • 05/02/2020 Root cause established
  • 05/02/2020 Fix identified
  • 07/02/2020 Patched vcloud released
  • 14/02/2020 Patched vcore released
  • 14/02/2020 Vulnerability publicly disclosed