Vaion-254: Camera credentials accessible via debug API
14th February 2020.
Passwords used by vcore to authenticate with cameras were inadvertently returned in cleartext by a debug API. The API is served over TLS, so the passwords were not exposed on the wire, but anyone able to call the debug API could read them from the response body. The same passwords were also uploaded to vcloud as part of vcore's usage statistics.
- vcore: Up to and including 1.4.
- vcloud: Up to 7th February 2020.
- vcam: All versions.
Once the vulnerability was discovered, the usage statistics containing camera credentials were deleted from vcloud; only vcloud operators could have viewed them while they were stored. A fix was deployed to vcloud on 7th February 2020, and the issue is fixed in vcore version 1.4.1. All vcore installations running an affected version should be upgraded to the latest release as soon as possible. We also recommend that all Vaion customers rotate their camera credentials, since upgrading alone does not invalidate passwords that may already have been exposed.
Because camera credentials are normally available to a vcore user anyway, we believe that in most deployments this issue did not give anyone access they did not already have. In many deployments the cameras are reachable only over a local network, which further limits what a leaked credential can be used for.
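The advisory describes two exits for the same secret: a debug API that serialised whole camera objects, and usage statistics uploaded to vcloud. The following is an added example, not vcore or vcloud code, using hypothetical names throughout (CameraConfig, debug_view_vulnerable, debug_view_hardened, scrub_secrets, usage_statistics, leaks_secret) and constructed sample cameras. It shows the bug class next to two hardened forms: an allow-list serialiser for the debug endpoint, and a recursive scrub pass applied to the telemetry payload before upload. It goes slightly beyond the page by also redacting credentials embedded in stream URLs, a value-level leak that filtering on key names alone misses, and ends with the regression check a practitioner would keep in the test suite.

```python
"""Added illustration (not vcore/vcloud code): keeping camera credentials out of
debug-API responses and usage-statistics uploads. All names are hypothetical and
the sample cameras are constructed for the example."""
from __future__ import annotations

import json
import re
from dataclasses import asdict, dataclass
from typing import Any

REDACTED = "[REDACTED]"

# Keys whose values must never leave the process in diagnostic or telemetry output.
SECRET_KEY = re.compile(
    r"pass(word|wd|phrase)?|secret|token|api[_-]?key|credential|private[_-]?key",
    re.IGNORECASE,
)
# Credentials embedded in URLs (rtsp://user:pass@host/...) are a value-level leak that
# key-name filtering cannot see, so the password part is redacted wherever it appears.
URL_USERINFO = re.compile(r"(://[^:/@\s]+:)[^@/\s]+@")


@dataclass
class CameraConfig:
    camera_id: str
    host: str
    username: str
    password: str  # credential the VMS uses to authenticate with the camera
    stream_url: str
    firmware: str = "unknown"


def debug_view_vulnerable(cameras: list[CameraConfig]) -> str:
    """The bug class described in the advisory: serialise whole config objects."""
    return json.dumps([asdict(c) for c in cameras])


def debug_view_hardened(cameras: list[CameraConfig]) -> str:
    """Allow-list the fields a debug endpoint may expose; everything else stays out."""
    exposed = ("camera_id", "host", "username", "firmware")
    return json.dumps([{k: getattr(c, k) for k in exposed} for c in cameras])


def scrub_secrets(obj: Any) -> Any:
    """Recursively redact secret-named keys and URL-embedded passwords (defence in depth)."""
    if isinstance(obj, dict):
        return {
            k: REDACTED if SECRET_KEY.search(str(k)) else scrub_secrets(v)
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [scrub_secrets(v) for v in obj]
    if isinstance(obj, str):
        return URL_USERINFO.sub(r"\1" + REDACTED + "@", obj)
    return obj


def usage_statistics(cameras: list[CameraConfig], scrub: bool = True) -> str:
    """Telemetry payload; scrub=False reproduces the upload-side leak for comparison."""
    payload = {
        "camera_count": len(cameras),
        "cameras": [asdict(c) for c in cameras],
        # A nested structure, to show the scrub reaches secrets at any depth.
        "discovery": {"last_probe": {"auth": {"password": cameras[0].password if cameras else None}}},
    }
    if scrub:
        payload = scrub_secrets(payload)
    return json.dumps(payload)


def leaks_secret(serialised: str, secrets: list[str]) -> bool:
    """Regression check: does any known credential appear verbatim in the output?"""
    return any(s in serialised for s in secrets)


# Constructed sample data for the example (not real devices or credentials).
SAMPLE_CAMERAS = [
    CameraConfig("cam-01", "10.0.0.5", "admin", "Hunter2!", "rtsp://admin:Hunter2!@10.0.0.5/stream1"),
    CameraConfig("cam-02", "10.0.0.6", "viewer", "s3cr3t", "rtsp://viewer:s3cr3t@10.0.0.6/stream1", "2.1.0"),
]
SAMPLE_SECRETS = [c.password for c in SAMPLE_CAMERAS]

if __name__ == "__main__":
    print("vulnerable debug view leaks:", leaks_secret(debug_view_vulnerable(SAMPLE_CAMERAS), SAMPLE_SECRETS))
    print("hardened debug view leaks:  ", leaks_secret(debug_view_hardened(SAMPLE_CAMERAS), SAMPLE_SECRETS))
    print("unscrubbed telemetry leaks: ", leaks_secret(usage_statistics(SAMPLE_CAMERAS, scrub=False), SAMPLE_SECRETS))
    print("scrubbed telemetry leaks:   ", leaks_secret(usage_statistics(SAMPLE_CAMERAS), SAMPLE_SECRETS))
```

The allow-list is the primary control: a debug or telemetry serialiser should name the fields it may emit rather than dump an object and hope nothing sensitive is in it. The scrub pass is a second layer for payloads assembled from many sources, and the leaks_secret check turns "no credential appears in this output" into something CI can enforce against the real credentials a test fixture holds.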
- CVE: Pending
- CVSSv3 base score: 8.7 High (the E/RL/RC temporal metrics included in the vector give a temporal score of 8.3)
- CVSSv3 vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:H/E:H/RL:O/RC:C
Issue found internally by Vaion.
- 05/02/2020 Issue found internally by Vaion
- 05/02/2020 Root cause established
- 05/02/2020 Fix identified
- 07/02/2020 Patched vcloud released
- 14/02/2020 Patched vcore released
- 14/02/2020 Vulnerability publicly disclosed