Ava-330: Specially crafted bitstreams can lead to DoS of Ava Aware
26th November 2020.
Insufficient checks on media received by Ava Aware allow an attacker (such as a rogue camera or a MITM between an existing camera and Aware) to cause a crash loop, leading to a DoS of the server.
Affected:
- Ava Aware:
  - All Stable upgrade channel versions up to but not including 3.1.6
  - All Beta upgrade channel versions up to but not including 3.2.2

Not affected:
- Ava Aware:
  - All Stable upgrade channel versions from 3.1.6
  - All Beta upgrade channel versions from 3.2.2
- Ava Cloud: All versions
- Ava Cameras: All versions
This issue has been fixed in Beta upgrade channel version 3.2.2 and Stable upgrade channel version 3.1.6. We strongly recommend that all installations running an affected version upgrade to the latest release as soon as possible. Releases are available to download through the Ava Aware User Interface.
- CVE: pending
- CVSSv3 score: 5.9 (Medium)
- CVSSv3 vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
This vulnerability can be mitigated in Ava Aware by enforcing media encryption for all cameras.
There are no known workarounds for this issue.
Issue found internally by Ava Security.
- 19/11/2020 Issue found internally by Ava Security
- 20/11/2020 Root cause established
- 23/11/2020 Fix identified
- 26/11/2020 Patched Ava Aware 3.2.2 (Beta upgrade channel) released
- 26/11/2020 Patched Ava Aware 3.1.6 (Stable upgrade channel) released
- 26/11/2020 Vulnerability publicly disclosed