AVA-286: device source named __proto__ locks up the device details page
25th June 2020.
If a device advertises itself as having a device source called
__proto__, selecting that device source from the vcore user interface, temporarily renders the page unresponsive. General access to the user interface can be restored by refreshing the page, but that specific device source will be permanently affected.
This is caused by an underlying prototype pollution vulnerability on the front-end. The resolution recommended in this advisory should also address any other front-end issues caused by prototype pollution.
Note: Although we have only found this issue to be exploitable in vcore, there is a potential risk that it could also be present in other Vaion products. Therefore, we recommend that you upgrade all your Vaion products to mitigate this potential risk.
- vcam: All versions before 1.2.4
- vcore: All versions before 2.2.2
- vcloud: before 19th June 2020
- vcam: update all affected devices to version 1.2.4 or higher
- vcore: update to version 2.2.2 or higher
- vcloud: No customer action required
For this vulnerability to be exploitable, an attacker must be able to introduce a device with a device source called
__proto__ or needs to have device administration privileges in order to modify a device source to the above mentioned name.
- CVE: Pending
- CVSSv3 score: 2.7 (Low)
- CVSSv3 vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
Issue found internally by Ava Security.
- 08/06/2020 Issue found internally by Ava Security
- 16/06/2020 Fix identified
- 19/06/2020 Patched vcloud released
- 23/06/2020 Patched vcore 2.3.0 (Beta upgrade channel) released
- 25/06/2020 Patched vcore 2.2.2 (Stable upgrade channel) released
- 25/06/2020 Patched vcam 1.2.4 released
- 25/06/2020 Vulnerability publicly disclosed