AVA-286: device source named __proto__ locks up the device details page

Release Date

25th June 2020.

Overview

If a device advertises itself as having a device source called __proto__, selecting that device source from the vcore user interface, temporarily renders the page unresponsive. General access to the user interface can be restored by refreshing the page, but that specific device source will be permanently affected.

This is caused by an underlying prototype pollution vulnerability on the front-end. The resolution recommended in this advisory should also address any other front-end issues caused by prototype pollution.

Note: Although we have only found this issue to be exploitable in vcore, there is a potential risk that it could also be present in other Vaion products. Therefore, we recommend that you upgrade all your Vaion products to mitigate this potential risk.

Affected Products

  • vcam: All versions before 1.2.4
  • vcore: All versions before 2.2.2
  • vcloud: before 19th June 2020

Resolution

  • vcam: update all affected devices to version 1.2.4 or higher
  • vcore: update to version 2.2.2 or higher
  • vcloud: No customer action required

Vulnerability Information

For this vulnerability to be exploitable, an attacker must be able to introduce a device with a device source called __proto__ or needs to have device administration privileges in order to modify a device source to the above mentioned name.

Acknowledgements

Issue found internally by Ava Security.

Disclosure Timeline

  • 08/06/2020 Issue found internally by Ava Security
  • 16/06/2020 Fix identified
  • 19/06/2020 Patched vcloud released
  • 23/06/2020 Patched vcore 2.3.0 (Beta upgrade channel) released
  • 25/06/2020 Patched vcore 2.2.2 (Stable upgrade channel) released
  • 25/06/2020 Patched vcam 1.2.4 released
  • 25/06/2020 Vulnerability publicly disclosed