Ava-322: Specially crafted x.509 certificates can lead to DoS of all Ava Video products

Release Date

18th November 2020.

Overview

A vulnerability in the underlying math/big package used by various Go programming language cryptographic packages can cause a panic when parsing a specially crafted x.509 certificate.

The Aware on-premise appliance and the Ava Aware Cloud gateway could be vulnerable to a denial of service (DoS) if an attacker connects to it using such a certificate. If the attacker was to send many requests in short succession this may impact the ability of the appliance to serve valid connections.

The Ava Cameras, Aware Cloud and Aware on-premise appliances are also vulnerable to a denial of service if they connect to attacker-controlled endpoints.

Affected Products

  • Ava Aware:
    • All Stable upgrade channel versions up to but not including 3.1.5
    • All Beta upgrade channel versions up to but not including 3.2.1
  • Ava Cameras:
    • All Stable upgrade channel versions up to but not including 3.1.5
    • All Beta upgrade channel versions up to but not including 3.2.1
  • Ava Cloud: all versions before 16th November 2020

Unaffected Products

  • Ava Aware:
    • All Stable upgrade channel versions after and including 3.1.5
    • All Beta upgrade channel versions after and including 3.2.1
  • Ava Cameras:
    • All Stable upgrade channel versions after and including 3.1.5
    • All Beta upgrade channel versions after and including 3.2.1
  • Ava Cloud: all versions after 16th November 2020

Resolution

This issue has been fixed in the product versions mentioned above. It is strongly recommended that all on-premises deployments running an affected version upgrade to the latest version as soon as possible.

Vulnerability Information

There are no known mitigations or workarounds to this issue.

Acknowledgements

Issue found, and reported to the Go team, by Go Ethereum team and the OSS-Fuzz project.

Disclosure Timeline

  • DD/MM/YYYY (date unknown) Issue found by the Go Ethereum team and the OSS-Fuzz project
  • 12/11/2020 Patched Go language version released
  • 16/11/2020 Patched Aware Cloud
  • 18/11/2020 Patched Aware on-premise released
  • 18/11/2020 Patched Aware Cameras released
  • 18/11/2020 Vulnerability publicly disclosed