Reference: Security advisories

Last modified: Monday July 08, 2024.

On occasion, Avigilon Alta discover — or are advised of — potential vulnerabilities in the products. When such an issue is discovered or reported, Avigilon Alta work to investigate and, if valid, resolve the issue. After providing fixes for all vulnerable versions of the products, Avigilon Alta releases details of the issue.

2024 advisories

• Alta Video — 1571 Preliminary vulnerability advisory
• Alta Aware — 1150: Denial of service in Golang's http package (HPACK)
• Alta Aware — 1146: Audio permission not enforced for external link
• Alta Aware — 1116: protobuf bug in encoding/protojson could lead to infinite loop in Unmarshal function
• Alta Aware — 1115: Golang vulnerabilities in crypto/x509, net/http, html/template, and net/mail
• Alta Aware — 1087: Alta Cloud Connector could panic if exporting stored MJPEG video
• Alta Aware — 1086: Cloud Connector: panic in audio resampler
• Alta Aware — 1083: Unhandled panic when handling paths with non-UTF-8 characters
• Alta Aware — 1055: MITM vulnerability in golang.org/x/crypto/ssh package
• Alta Aware — 1012: Golang security vulnerabilities in net/http and cmd/go
• Alta Aware — 995: Concurrency bugs (missing unlocks) could lead to loss of availability or integrity
• Alta Aware — 950: Alta camera DoS via download of an arbitrarily sized upgrade file
• Alta Aware — 934: Linux kernel IPv6 hash collisions possible on the Alta Cloud Connector
• Alta Aware — 929: cmd/go: line directives allows arbitrary execution during build
• Alta Aware — 881: protobuf-cpp denial of service vulnerability
• Alta Aware — 859: Zip path traversal (aka zip slip) on Alta Cloud Connector
• Alta Aware — 740: Aware sensor webhook included secret in URL
• Alta Aware — 739: Aware bookmark guest tokens and password reset URLs logged
• Alta Aware — 635: External Viewer wall still showed video after video view was deleted
• Alta Aware — 632: External Viewer wall still showed video after user was deleted
• Alta Aware — 405: Ava Aware users could receive websocket updates for default views of other users

2023 advisories

• Alta-Aware-932 Vulnerability in the Go x/net/http2 package
• Alta-Aware-908: Vulnerability in the Go cmd/go package
• Alta-Aware-893 Vulnerability in golang.org/x/net could lead to XSS
• Alta-Aware-875 Ava Cloud API denial of service vulnerability
• Alta-Aware-870 Vulnerability in the Go net/http package due to insufficient sanitization of Host header
• Alta-Aware-863 Ava Aware vulnerable to cross-origin reads
• Alta-Aware 856 Ava Aware web interface regular expression DoS due a vulnerability in luxon
• Alta-Aware-838 Vulnerabilities in the containerd and the docker/distribution Golang packages
• Alta-Aware-829: RSA key pairs were generated with a 1024-bit modulus
• Alta-Aware-790 Vulnerabilities in Go before 1.20.3 and 1.19.8 could cause denial of service
• Alta-Aware-788 Deleting device stream manually could cause Ava Aware to restart
• Alta-Aware-784 Cloud backup credential appeared in logs
• Alta-Aware-778 Potential for command injection via Ava Flex WiFi parameters
• Alta-Aware-776 Ava Aware could be made to restart
• Alta-Aware-765 CSRF risk due to insufficient Origin header validation and CORS misconfiguration
• Alta-Aware-763 Vulnerabilities in Go could cause a denial of service
• Alta-Aware-758 Linux kernel BT subsystem vulnerabilities affecting the L2CAP subprotocol implementation
• Alta-Aware-705 Denial of service from vulnerability in pion/dtls
• Ava-759 Vulnerabilities in OpenSSL
• Ava-732: Denial of service to Cloud Connector when adding a specific third party camera
• Ava-731: Permission bugs in Aware API endpoints
• Ava-729 Camera vulnerable to resource exhaustion via the TPM
• Ava-728: Vulnerability in Go could cause a denial of service
• Ava-725: Ava Aware iOS app accepts self-signed SSL certificates for WebSocket connections
• Ava-723: Secrets not sanitized in downloadable audit logs in Aware
• Ava-686 Camera authentication could be removed for a brief period during the camera setup
• Alta-Aware-647: Base64 image of excluded object included in camera logs
• Alta-Aware-640: Possibility of encryption keys leaking on Ava on-premise cameras
• Ava-634 Stream continued after RTSP user camera permissions were changed
• Ava-463 Possible to subscribe to Ava Aware counting and access control alerts without sufficient permissions

2022 advisories

• Ava-709 Preliminary vulnerability advisory
• Ava-700 Golang vulnerabilities could cause Ava Aware to restart
• Ava-693 Users get alarm notifications on the Ava Aware iOS app even after signing out
• Ava-691: Golang DoS vulnerability in HTTP/2 connection closing
• Ava-689: Audio recorded even if disabled on devices for on-premise deployments
• Ava-688 Camera user credential in Ava Aware logs
• Ava-683: Possible to listen to live audio without unrestricted global audio settings
• Ava-675: Golang vulnerability could cause denial of service to Aware
• Ava-670: Users with admin permissions able to deny service to Ava camera and Aware
• Ava-661: Authenticated RTSP stream user could cause availability loss to Ava Aware
• Ava-658: Ava Aware would not validate certificates for on-premise access control systems
• Ava-657: Possibility for Ava Aware users to see ongoing sensor alarms for sites they lack permissions for
• Ava-636: Old credentials could still be used after being rotated on the Ava camera web UI
• Ava-633: External viewer video wall stream remains accessible after view is unshared
• Ava-631: SSH shell on Ava Aware and Camera did not timeout
• Ava-627: Possible to continue watching video outside specified range with external link
• Ava-625: Denial of service of Ava Aware Cloud by uploading large map
• Ava-622: Last IP address used value in external viewers table could be spoofed
• Ava-619: Ava products possibly vulnerable to denial of service or data tampering via TLS
• Ava-614: Encrypted footage cloud backup data encryption key appearing in audit logs
• Ava-609: Count rules could be deleted without the appropriate permissions
• Ava-602: Permissions not enforced for viewing video in Ava Aware
• Ava-601: Ava products vulnerable to denial of service attack
• Ava-589: Ava Aware servers could be claimed by other deployments

2021 advisories

• Ava-583: Webhook passwords appearing in Camera log bundle
• Ava-582: Webhook password appearing in audit logs
• Ava-581: Possible to retrieve the Disruptive Technologies service account key
• Ava-551: Maliciously crafted API request could deny service from Ava Aware
• Ava-549: Google Cloud Identity-Aware Proxy (IAP) issue impacting Ava Security Cloud Deployments
• Ava-540: Insufficient authorization of video backups
• Ava-537: Permissions not fully enforced when testing webhooks from Ava devices
• Ava-531: A malicious HTTP client could deny service to Ava Aware
• Ava-511: Aware iOS app persists data across user sessions
• Ava-507: External sharing links can lead to access to live video through thumbnail and timeline abuse
• Ava-504: Ava camera API does not enforce password strength server side
• Ava-486: A malicious server could deny service to Ava Aware during TLS handshake
• Ava-464: Unauthenticated access to Camera metrics
• Ava-460: Serial number could be leaked in man-in-the-middle attack
• Ava-451: Internal IP addresses information disclosure
• Ava-450 API Documentation Accessible to Unauthenticated Users
• Ava-449: Possible information disclosure from API
• Ava-441: Maliciously crafted API request could deny service from Ava Aware
• Ava-432: Denial of Service through large HTTP server response headers
• Ava-423: Insufficient authorization for reading partial camera credentials
• Ava-422: Camera verbose flag logs RTSP credentials
• Ava-420: Access to internal system components through API misuse
• Ava-418: Access to internal cloud components using Aware webhooks
• Ava-416: Escalation of privileges using Aware webhooks
• Ava-415 Aware guest users could view alarm information
• Ava-412: Permissions not enforced for empty rules and counting areas in Aware
• Ava-410: Aware user interface fails to update 'Access control' permissions
• Ava-407: Aware not enforcing permissions on maps API
• Ava-402: Possible to create Ava Aware Cloud deployment without authentication
• Ava-401: Specially crafted media streams can lead to DoS of Ava Aware

2020 advisories

• Ava-390: Video products vulnerable to unauthenticated denial-of-service attacks
• Ava-368: Permissions not enforced on certain Ava Aware APIs
• Ava-350: Ava Cloud user able to escalate their privileges on Ava Aware
• Ava-349: Denial of service vulnerability in Ava Aware on premise and Ava cameras
• Ava-345: Permissions not enforced for certain Ava Aware alarm APIs
• Ava-341: API missing cache control headers could lead to caching of sensitive information
• Ava-337: Hashed cloud backup password retrievable using the Ava Aware API
• Ava-335: DoS of Ava Aware via API
• Ava-330: Specially crafted bitstreams can lead to DoS of Ava Aware
• Ava-327: Insufficient authorization of timeline requests by Ava Aware guest users
• Ava-322: Specially crafted x.509 certificates can lead to DoS of all Ava Video products
• Ava-320: Permissions were not enforced for Ava Aware Counts rules
• Ava-318, Ava-319: Download of camera credentials without the appropriate permissions
• Ava-317: Video encryption key logged during video export
• Ava-311: Authenticated attacker can change description of cloud backups owned by different Ava Appliance
• Ava-299: Hash of API token published to subscribed users after creation
• Ava-298: unauthorized read of vcore webhooks API
• Ava-295: users could potentially be granted more privileges than shown in the user interface
• Ava-294: unauthorized access to certain vcore APIs
• Ava-293: unauthorized download of vcore camera credentials
• Ava-290: vcore and vcloud vulnerable to denial-of-service attack
• Ava-286: device source named proto locks up the device details page
• Ava-283: vcore database container image containing third party software with vulnerabilities
• Ava-272: vcam credentials logged when RTSP request fails
• Ava-269: vcam USB debug console not disabled
• Vaion-262: plaintext password in audit log when user changes their password
• Vaion-260: vcore gateway certificates revoked
• Vaion-257: vcore SSH server vulnerable to denial-of-service attack
• Vaion-255: Debug network port open on vcam
• Vaion-254: Camera credentials accessible via debug API
• Ava-216: Ava Aware used TLS 1.0 in connection to LDAP server