Ava-350: Ava Cloud user able to escalate their privileges on Ava Aware
18th December 2020.
An Ava Aware user that enters deployment via Ava Cloud could escalate their privileges to gain administrator access on the Ava Aware instance. This only affects Ava Appliance deployments with "Allow DMP access to this deployment" enabled and Ava Aware Cloud deployments with "Ava aware access via DMP" enabled.
- Ava Aware (affected):
- All Stable upgrade channel versions before 3.2.5.
- All Beta upgrade channel versions before 3.3.2.
- Ava Aware (not affected):
- All Stable upgrade channel versions after and including 3.2.5.
- All Beta upgrade channel versions after and including 3.3.2.
- Ava Cameras (not affected): All versions
- Ava Cloud (not affected): All versions
This issue has been fixed in Ava Aware Beta upgrade channel version 3.3.2 and Stable upgrade channel version 3.2.5.
It is crucial that all installations running an affected version upgrade to the latest release as soon as possible. Releases are available to download through the Ava Aware User Interface.
We recommend performing an audit of logs matching the regular expression type="MODIFY".*path="/api/v1/config" to verify that only users with administrator privileges have used the vulnerable API.
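Added example (not part of the advisory): a small Python audit that applies the regular expression above to constructed sample log lines and flags the matches made by accounts without an administrator role. The user= and role= field names are assumptions about the log format, not documented fields.

```python
import re

# The audit regex quoted in the advisory: MODIFY operations against /api/v1/config.
VULNERABLE_API_RE = re.compile(r'type="MODIFY".*path="/api/v1/config"')
# Generic key="value" tokenizer for the log format assumed in this example.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample log lines. The user= and role= fields are assumptions
# made for this example; check your deployment's actual audit log format.
SAMPLE_LOG = [
    '2020-12-17T10:01:02Z type="MODIFY" user="alice" role="administrator" path="/api/v1/config" status="200"',
    '2020-12-17T10:05:44Z type="READ" user="bob" role="viewer" path="/api/v1/config" status="200"',
    '2020-12-17T10:09:13Z type="MODIFY" user="dmp-guest-42" role="viewer" path="/api/v1/config" status="200"',
    '2020-12-17T10:12:00Z type="MODIFY" user="carol" role="viewer" path="/api/v1/cameras" status="200"',
]


def parse_fields(line):
    """Split a log line into a dict of its key="value" fields."""
    return dict(FIELD_RE.findall(line))


def audit_config_modifications(lines, admin_roles=("administrator",)):
    """Return (matched, suspicious): every line hitting the advisory regex,
    and the subset where the acting user does not hold an administrator role.
    Entries in `suspicious` are the ones a responder should review by hand."""
    matched, suspicious = [], []
    for line in lines:
        if not VULNERABLE_API_RE.search(line):
            continue
        fields = parse_fields(line)
        matched.append(fields)
        if fields.get("role", "").lower() not in admin_roles:
            suspicious.append(fields)
    return matched, suspicious


if __name__ == "__main__":
    matched, suspicious = audit_config_modifications(SAMPLE_LOG)
    print(f"{len(matched)} config modification(s) found, {len(suspicious)} by non-administrators")
    for f in suspicious:
        print(f"  REVIEW: user={f['user']} role={f['role']} path={f['path']}")
```

A match with an administrator role is expected activity; a match by any other account is what the advisory asks you to verify.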
If "Allow DMP access to this deployment" is enabled on your Ava Appliance deployment, we recommend that you verify that the "DMP users belong to" setting is correct. The setting is found in the "Ava Cloud" settings in the Appliances tool.
If "Ava aware access via DMP" is enabled on your Ava Aware Cloud deployment, we recommend that you verify that the "User group for DMP users" setting is correct. The setting is found in the "DMP access" tab in the System settings.
- CVE: Pending
- CVSSv3 score: 9.9 (Critical)
- CVSSv3 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
There are no known mitigations for this issue.
The workaround for this issue is to disable "Allow DMP access to this deployment" for Ava Appliance deployments and disable "Ava aware access via DMP" for Ava Aware Cloud deployments.
Issue found internally by Ava Security.
- 17/12/2020 Issue found internally by Ava Security
- 17/12/2020 Root cause established
- 17/12/2020 Fix identified
- 18/12/2020 Patched Ava Aware (Beta upgrade channel) released
- 18/12/2020 Patched Ava Aware (Stable upgrade channel) released
- 18/12/2020 Vulnerability publicly disclosed