Ava-337: Hashed cloud backup password retrievable using the Ava Aware API
18th December 2020.
An authenticated user can make an API request to retrieve a hashed version of the cloud backup password.
The hash is used to encrypt the backup that is uploaded to Ava Cloud. The impact is reduced by the fact that the vulnerability cannot be used to download the backup: a backup can only be downloaded by the Ava Aware deployment that created it, and downloading it requires administrator privileges in Ava Aware.
The password is only used for cloud backups and is not related to any user accounts.
Affected versions:
- Ava Aware: Beta upgrade channel versions 3.3.0 and 3.3.1

Not affected:
- Ava Aware:
  - All Stable upgrade channel versions.
  - All Beta upgrade channel versions after and including 3.3.2.
- Ava Cameras: All versions
- Ava Cloud: All versions
This issue has been fixed in Ava Aware Beta upgrade channel version 3.3.2.
We strongly recommend that all installations running an affected version are upgraded to the latest release as soon as possible. Releases are available to download through the Ava Aware User Interface.
- CVE: Pending
- CVSSv3 score: 8.1 (High)
- CVSSv3 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Because an authenticated user may already have retrieved the hash, we also recommend the following steps after upgrading:
1. Change the backup password.
2. Delete the old backups.
3. Perform a new backup.
There are no known workarounds for this issue.
Issue found internally by Ava Security.
- 04/12/2020 Issue found internally by Ava Security
- 17/12/2020 Root cause established
- 17/12/2020 Fix identified
- 18/12/2020 Patched Ava Aware (Beta upgrade channel) released
- 18/12/2020 Vulnerability publicly disclosed