Reference: Security advisories

Last modified: Monday March 20, 2023.

On occasion, Ava Security discover — or are advised of — potential vulnerabilities in the Avigilon Alta products. When such an issue is discovered or reported, Avigilon Alta work to investigate and, if valid, resolve the issue. After providing fixes for all vulnerable versions of the products, Avigilon Alta releases details of the issue.

2023 advisories

• Alta-Aware-784 Preliminary vulnerability advisory
• Ava-739 Preliminary vulnerability advisory
• Ava-732: Denial of service to Cloud Connector when adding a specific third party camera
• Ava-731: Permission bugs in Aware API endpoints
• Ava-728: Vulnerability in Go could cause a denial of service
• Ava-725: Ava Aware iOS app accepts self-signed SSL certificates for WebSocket connections
• Ava-723: Secrets not sanitized in downloadable audit logs in Aware

2022 advisories

• Ava-709 Preliminary vulnerability advisory
• Ava-705 Preliminary vulnerability advisory
• Ava-700 Golang vulnerabilities could cause Ava Aware to restart
• Ava-693 Users get alarm notifications on the Ava Aware iOS app even after signing out
• Ava-691: Golang DoS vulnerability in HTTP/2 connection closing
• Ava-689: Audio recorded even if disabled on devices for on-premise deployments
• Ava-688 Preliminary vulnerability advisory
• Ava-683: Possible to listen to live audio without unrestricted global audio settings
• Ava-675: Golang vulnerability could cause denial of service to Aware
• Ava-670: Users with admin permissions able to deny service to Ava camera and Aware
• Ava-661: Authenticated RTSP stream user could cause availability loss to Ava Aware
• Ava-658: Ava Aware would not validate certificates for on-premise access control systems
• Ava-657: Possibility for Ava Aware users to see ongoing sensor alarms for sites they lack permissions for
• Ava-636: Old credentials could still be used after being rotated on the Ava camera web UI
• Ava-633: External viewer video wall stream remains accessible after view is unshared
• Ava-631: SSH shell on Ava Aware and Camera did not timeout
• Ava-627: Possible to continue watching video outside specified range with external link
• Ava-625: Denial of service of Ava Aware Cloud by uploading large map
• Ava-622: Last IP address used value in external viewers table could be spoofed
• Ava-619: Ava products possibly vulnerable to denial of service or data tampering via TLS
• Ava-614: Encrypted footage cloud backup data encryption key appearing in audit logs
• Ava-609: Count rules could be deleted without the appropriate permissions
• Ava-602: Permissions not enforced for viewing video in Ava Aware
• Ava-601: Ava products vulnerable to denial of service attack
• Ava-589: Ava Aware servers could be claimed by other deployments

2021 advisories

• Ava-583: Webhook passwords appearing in Camera log bundle
• Ava-582: Webhook password appearing in audit logs
• Ava-581: Possible to retrieve the Disruptive Technologies service account key
• Ava-551: Maliciously crafted API request could deny service from Ava Aware
• Ava-549: Google Cloud Identity-Aware Proxy (IAP) issue impacting Ava Security Cloud Deployments
• Ava-540: Insufficient authorization of video backups
• Ava-537: Permissions not fully enforced when testing webhooks from Ava devices
• Ava-531: A malicious HTTP client could deny service to Ava Aware
• Ava-511: Aware iOS app persists data across user sessions
• Ava-507: External sharing links can lead to access to live video through thumbnail and timeline abuse
• Ava-504: Ava camera API does not enforce password strength server side
• Ava-486: A malicious server could deny service to Ava Aware during TLS handshake
• Ava-464: Unauthenticated access to Camera metrics
• Ava-460: Serial number could be leaked in man-in-the-middle attack
• Ava-451: Internal IP addresses information disclosure
• Ava-450 API Documentation Accessible to Unauthenticated Users
• Ava-449: Possible information disclosure from API
• Ava-441: Maliciously crafted API request could deny service from Ava Aware
• Ava-432: Denial of Service through large HTTP server response headers
• Ava-423: Insufficient authorization for reading partial camera credentials
• Ava-422: Camera verbose flag logs RTSP credentials
• Ava-420: Access to internal system components through API misuse
• Ava-418: Access to internal cloud components using Aware webhooks
• Ava-416: Escalation of privileges using Aware webhooks
• Ava-415 Aware guest users could view alarm information
• Ava-412: Permissions not enforced for empty rules and counting areas in Aware
• Ava-410: Aware user interface fails to update 'Access control' permissions
• Ava-407: Aware not enforcing permissions on maps API
• Ava-402: Possible to create Ava Aware Cloud deployment without authentication
• Ava-401: Specially crafted media streams can lead to DoS of Ava Aware

2020 advisories

• Ava-390: Video products vulnerable to unauthenticated denial-of-service attacks
• Ava-368: Permissions not enforced on certain Ava Aware APIs
• Ava-350: Ava Cloud user able to escalate their privileges on Ava Aware
• Ava-349: Denial of service vulnerability in Ava Aware on premise and Ava cameras
• Ava-345: Permissions not enforced for certain Ava Aware alarm APIs
• Ava-341: API missing cache control headers could lead to caching of sensitive information
• Ava-337: Hashed cloud backup password retrievable using the Ava Aware API
• Ava-335: DoS of Ava Aware via API
• Ava-330: Specially crafted bitstreams can lead to DoS of Ava Aware
• Ava-327: Insufficient authorization of timeline requests by Ava Aware guest users
• Ava-322: Specially crafted x.509 certificates can lead to DoS of all Ava Video products
• Ava-320: Permissions were not enforced for Ava Aware Counts rules
• Ava-318, Ava-319: Download of camera credentials without the appropriate permissions
• Ava-317: Video encryption key logged during video export
• Ava-311: Authenticated attacker can change description of cloud backups owned by different Ava Appliance
• Ava-299: Hash of API token published to subscribed users after creation
• Ava-298: unauthorized read of vcore webhooks API
• Ava-295: users could potentially be granted more privileges than shown in the user interface
• Ava-294: unauthorized access to certain vcore APIs
• Ava-293: unauthorized download of vcore camera credentials
• Ava-290: vcore and vcloud vulnerable to denial-of-service attack
• Ava-286: device source named proto locks up the device details page
• Ava-283: vcore database container image containing third party software with vulnerabilities
• Ava-272: vcam credentials logged when RTSP request fails
• Ava-269: vcam USB debug console not disabled
• Vaion-262: plaintext password in audit log when user changes their password
• Vaion-260: vcore gateway certificates revoked
• Vaion-257: vcore SSH server vulnerable to denial-of-service attack
• Vaion-255: Debug network port open on vcam
• Vaion-254: Camera credentials accessible via debug API
• Ava-216: Ava Aware used TLS 1.0 in connection to LDAP server