Alert essentials:

Successful attacks allow an unauthenticated user to execute arbitrary commands remotely on the controller.

Update controllers immediately and restrict public access to the Aviatrix Controller.

 


 

Detailed threat description:

Aviatrix enables enterprise organizations to deliver purpose-built infrastructure to support business-critical applications and accelerate cloud initiatives.

Because of improper neutralization of special elements used in an OS command (CWE-78), an unauthenticated, remote attacker can execute arbitrary commands on the Aviatrix Controller.

The vulnerability requires no user interaction and carries a CVSS score of 10.0. Input sent to specific API endpoints reaches the operating-system shell without sanitization, which gives the attacker full control of the controller.

The root cause of the vulnerability lies in how user inputs are processed within the Aviatrix Controller’s API. While some parameters are properly sanitized using functions like escapeshellarg, others are not.

Shell metacharacters sent to /v1/api in the cloud_type parameter of the list_flightpath_destination_instances action, or in the src_cloud_type parameter of the flightpath_connection_test action, are passed to the shell unescaped and allow execution of arbitrary commands.
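The injection path above, as an added example that is not part of the original alert or Aviatrix's own code: a small Python detector that parses raw HTTP requests to /v1/api, flags shell metacharacters in the two parameters the advisory names, and shows the strict allow-list check that prevents the injection regardless of how the value is later quoted. The request texts are constructed for this example; treating cloud_type as a short decimal integer is an assumption about what a safe value looks like, not a description of Aviatrix's own validation.

```python
"""Added example (not Aviatrix's code, not from the advisory): detect
CVE-2024-50603-shaped requests to /v1/api and show the allow-list check
that keeps user input out of the shell.

Assumptions: BENIGN and ATTACK are constructed request texts; the
endpoint, action names and parameter names come from the advisory; the
"cloud_type is a short integer" rule is this example's allow-list, not
a statement about Aviatrix's real validation."""
import re
from urllib.parse import parse_qs, urlsplit

# Characters the shell would interpret; none belong in an integer-like field.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\'\"]")

# action -> parameter that the advisory reports as reaching the shell unescaped
INJECTABLE = {
    "list_flightpath_destination_instances": "cloud_type",
    "flightpath_connection_test": "src_cloud_type",
}


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, params).
    Parameters are merged from the query string and a urlencoded body,
    so both GET and POST forms of the request are covered."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, target, _ = request_line.split(" ", 2)
    parts = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if body:
        params.update({k: v[0] for k, v in parse_qs(body).items()})
    return method, parts.path, params


def is_safe_cloud_type(value: str) -> bool:
    """Strict allow-list (example policy): one to three decimal digits.
    Rejecting everything else means no quoting bug can matter downstream."""
    return re.fullmatch(r"[0-9]{1,3}", value) is not None


def inspect_request(raw: str):
    """Return a finding dict for a suspicious /v1/api request, else None."""
    _method, path, params = parse_request(raw)
    if path != "/v1/api":
        return None
    action = params.get("action", "")
    param = INJECTABLE.get(action)
    if param is None or param not in params:
        return None
    value = params[param]
    if is_safe_cloud_type(value):
        return None
    return {
        "action": action,
        "parameter": param,
        "value": value,
        "shell_metachars": sorted(set(SHELL_META.findall(value))),
    }


# Constructed sample traffic (not real captures): one benign request and one
# attack-shaped request carrying ";id>/tmp/pwned" in src_cloud_type.
BENIGN = (
    "POST /v1/api HTTP/1.1\r\nHost: controller.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "action=list_flightpath_destination_instances&cloud_type=1"
)
ATTACK = (
    "POST /v1/api HTTP/1.1\r\nHost: controller.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "action=flightpath_connection_test&src_cloud_type=1%3Bid%3E%2Ftmp%2Fpwned"
)

if __name__ == "__main__":
    for name, raw in (("benign", BENIGN), ("attack", ATTACK)):
        print(name, inspect_request(raw))
```

Feed it requests from a reverse proxy or WAF log that records bodies; a plain Apache access log keeps only the request line, so a POST body carrying the payload never appears there. The allow-list is the real fix: escapeshellarg (shlex.quote in Python) is right for a value that must stay free text, but an integer field should be validated as an integer before it is anywhere near a shell.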

A virtual machine hosting Aviatrix Controller has a lateral movement path to administrative cloud control plane permissions. To perform IAM actions and function properly, the Aviatrix Controller is granted high IAM privileges in AWS cloud environments by default.

This potential for lateral movement makes Aviatrix Controller a prime target for threat actors aiming to move laterally and escalate their privileges in the cloud environment.

At least one proof-of-concept exploit has been published, and in-the-wild exploitation has been observed deploying the Sliver backdoor and XMRig cryptocurrency miners on compromised controllers.

No reports of lateral movement into the cloud control plane have surfaced as of this writing. Given active exploitation, users should apply the patches as soon as possible.

Additionally, restricting public access to the controller can significantly reduce the attack surface.

 

Impacts on healthcare organizations:

Access to sensitive cloud networking configurations and data allows attackers to exfiltrate confidential information, compromising organizational data integrity and privacy.

An attacker with command execution on the controller can disrupt networking operations, leading to service downtime and affecting the organization's ability to provide uninterrupted services.

 

Affected Products / Versions:

Aviatrix Controller before 7.1.4191 and 7.2.x before 7.2.4996

CVEs
CVE-2024-50603 – CWE-78 (OS command injection) – CVSS 10.0

IOCs

Network indicators:
  • 91.193.19[.]109:13333 – Sliver C2 server
  • 107.172.43[.]186:3939 – Cryptocurrency mining pool

File hashes (SHA-1):
  • 1ce0c293f2042b677cd55a393913ec052eded4b9 – XMRig
  • 68d88d1918676c87dcd39c7581c3910a9eb94882 – XMRig
  • c4f63a3a6cb6b8aae133bd4c5ac6f2fc9020c349 – XMRig
  • c63f646edfddb4232afa5618e3fac4eee1b4b115 – XMRig
  • e10e750115bf2ae29a8ce8f9fa14e09e66534a15 – Sliver
  • 41d589a077038048c4b120494719c905e71485ba – Sliver

File paths (regular expressions; the systemd-private directory name changes on every boot, so match on the pattern rather than on a fixed path):
  • /tmp/systemd-private-[0-9a-f]{32}-apache2.service-[0-9a-zA-Z]{6}/tmp/.system_logs/momika233-2024-04-29-xmrig.zip – XMRig
  • /tmp/systemd-private-[0-9a-f]{32}-apache2.service-[0-9a-zA-Z]{6}/tmp/moneroocean/xmrig – XMRig
  • /tmp/systemd-private-[0-9a-f]{32}-apache2.service-[0-9a-zA-Z]{6}/tmp/.uid/udiskssd – XMRig
  • /tmp/systemd-private-[0-9a-f]{32}-apache2.service-[0-9a-zA-Z]{6}/tmp/config – Sliver
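To sweep a controller for the indicators above, an added example that is not from the alert or from Aviatrix: a Python script that walks a live root or a mounted forensic image, hashes every regular file, and matches both the SHA-1 list and the path regexes. build_sample_tree() creates a constructed directory tree for demonstration; its file contents are stand-ins, so only the path pattern matches there.

```python
"""Added example (not from the advisory or Aviatrix): sweep a filesystem
for the published CVE-2024-50603 post-exploitation IOCs.

Assumptions: the hashes and path patterns are copied from the advisory;
the directory tree built by build_sample_tree() is constructed for the
demo and its file contents are placeholders, not real samples."""
import hashlib
import os
import re
import shutil
import tempfile

# SHA-1 hashes from the advisory's IOC list.
BAD_SHA1 = {
    "1ce0c293f2042b677cd55a393913ec052eded4b9": "XMRig",
    "68d88d1918676c87dcd39c7581c3910a9eb94882": "XMRig",
    "c4f63a3a6cb6b8aae133bd4c5ac6f2fc9020c349": "XMRig",
    "c63f646edfddb4232afa5618e3fac4eee1b4b115": "XMRig",
    "e10e750115bf2ae29a8ce8f9fa14e09e66534a15": "Sliver",
    "41d589a077038048c4b120494719c905e71485ba": "Sliver",
}

# Path patterns from the advisory. systemd's PrivateTmp directory for the
# apache2 unit gets a new name on every boot, hence the character classes.
_TMPDIR = r"/tmp/systemd-private-[0-9a-f]{32}-apache2\.service-[0-9a-zA-Z]{6}/tmp"
BAD_PATHS = [
    (re.compile(_TMPDIR + r"/\.system_logs/momika233-2024-04-29-xmrig\.zip"), "XMRig"),
    (re.compile(_TMPDIR + r"/moneroocean/xmrig"), "XMRig"),
    (re.compile(_TMPDIR + r"/\.uid/udiskssd"), "XMRig"),
    (re.compile(_TMPDIR + r"/config"), "Sliver"),
]


def sha1_file(path: str) -> str:
    """Stream a file through SHA-1 so large binaries do not load into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: str):
    """Walk `root` (a live / or the mount point of an image) and return a
    list of findings. Paths are reported relative to root, so
    /mnt/image/tmp/... still matches the /tmp/... patterns."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            reasons = []
            digest = sha1_file(full)
            if digest in BAD_SHA1:
                reasons.append(f"known {BAD_SHA1[digest]} hash")
            for pattern, family in BAD_PATHS:
                if pattern.fullmatch(rel):
                    reasons.append(f"{family} path pattern")
            if reasons:
                findings.append({"path": rel, "sha1": digest, "reasons": reasons})
    return findings


def build_sample_tree() -> str:
    """Constructed demo tree: one file on an IOC path (placeholder content,
    SHA-1 of b"abc") and one benign file next to it. Returns the root."""
    root = tempfile.mkdtemp(prefix="aviatrix-ioc-demo-")
    private = os.path.join(
        root, "tmp",
        "systemd-private-" + "0123456789abcdef" * 2 + "-apache2.service-Ab12cD",
        "tmp",
    )
    os.makedirs(os.path.join(private, "moneroocean"))
    with open(os.path.join(private, "moneroocean", "xmrig"), "wb") as fh:
        fh.write(b"abc")  # stand-in content, not a real miner binary
    with open(os.path.join(private, "notes.txt"), "wb") as fh:
        fh.write(b"benign")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    try:
        for finding in sweep(demo_root):
            print(finding)
    finally:
        shutil.rmtree(demo_root)
```

Point sweep() at the mount point of an image so the /tmp/... patterns line up. Hashing every file on a large volume is slow, so a first pass over /tmp, /var/tmp and /dev/shm is reasonable before a full sweep; a hash miss is not a clean bill of health, since rebuilt XMRig or Sliver binaries will not carry these SHA-1s.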

Recommendations

Engineering recommendations:

  • Back up the Aviatrix Controller
  • The Aviatrix Controller backup and restore can be performed directly from the Controller UI
  • Install Critical Vulnerability Security Patch for CVE-2024-50603 or update the Controller to 7.1.4191 or 7.2.4996
  • Validate the update with the Patch Status
  • In certain circumstances, the patch is not fully persistent across controller upgrades and must be re-applied even if the controller status is displayed as “Patched”
    • These circumstances are:
      • The patch was first applied to a version prior to 7.1.4191 or 7.2.4996
      • The Controller is subsequently updated to a version prior to 7.1.4191 or 7.2.4996
      • The Controller does not have an associated CoPilot running version 4.16.1 or higher
  • Back up the Aviatrix Controller again with the new configuration
  • Since the Controller stores configuration data, it should be periodically backed up to the appropriate AWS/Azure/Google account
  • Conduct a forensic investigation of the controller VM, including a sweep for the IOCs listed above
  • Search the cloud control plane for lateral movement, in particular IAM and STS calls made with the controller's role credentials
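For the cloud-plane search in the last step, an added example that is not from the alert or from Aviatrix: a Python triage over AWS CloudTrail records that flags the controller's IAM role doing things a healthy controller does not do. The role name "aviatrix-role-ec2" and the egress IP 203.0.113.10 are placeholders for this example (substitute your controller's actual role and Elastic IP), and the CloudTrail records are constructed, not real logs.

```python
"""Added example (not Aviatrix's or the advisory's code): triage CloudTrail
records for misuse of the controller's instance-role credentials, which is
what lateral movement from a compromised controller VM would look like.

Assumptions, labelled: CONTROLLER_ROLE and CONTROLLER_EGRESS_IPS are
placeholders for this example; SAMPLE_TRAIL_JSON is constructed."""
import json

CONTROLLER_ROLE = "aviatrix-role-ec2"       # assumed role name, set to yours
CONTROLLER_EGRESS_IPS = {"203.0.113.10"}    # assumed controller Elastic IP

# IAM/STS calls that create or widen access. A controller manages network
# resources; it has no business minting users, keys or policies.
PRIV_ESC_EVENTS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "CreateRole",
    "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy",
    "UpdateAssumeRolePolicy", "AddUserToGroup",
}


def load_records(text: str):
    """Parse a CloudTrail log file body ({"Records": [...]}) into a list."""
    return json.loads(text)["Records"]


def is_controller_session(record) -> bool:
    """True when the call was made with credentials issued for the
    controller's role (an AssumedRole session whose issuer is that role)."""
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return False
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("userName") == CONTROLLER_ROLE


def triage(records):
    """Return findings for controller-role calls that change IAM state or
    originate from an IP other than the controller itself (the signature of
    instance credentials stolen from the VM and replayed elsewhere)."""
    findings = []
    for rec in records:
        if not is_controller_session(rec):
            continue
        reasons = []
        if rec.get("eventName") in PRIV_ESC_EVENTS:
            reasons.append("privilege-changing call from controller role")
        if rec.get("sourceIPAddress") not in CONTROLLER_EGRESS_IPS:
            reasons.append("controller credentials used from unexpected IP")
        if reasons:
            findings.append({
                "eventTime": rec.get("eventTime"),
                "eventName": rec.get("eventName"),
                "sourceIPAddress": rec.get("sourceIPAddress"),
                "reasons": reasons,
            })
    return findings


def _controller_identity():
    # Constructed identity block in CloudTrail's AssumedRole shape.
    return {
        "type": "AssumedRole",
        "arn": "arn:aws:sts::123456789012:assumed-role/aviatrix-role-ec2/i-0123456789abcdef0",
        "sessionContext": {"sessionIssuer": {"type": "Role", "userName": CONTROLLER_ROLE}},
    }


# Constructed sample trail: routine EC2 read, IAM key creation by the
# controller role, the same credentials used from an outside IP, and an
# unrelated human admin action that must not be attributed to the controller.
SAMPLE_TRAIL_JSON = json.dumps({"Records": [
    {"eventTime": "2025-01-10T08:00:01Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": _controller_identity()},
    {"eventTime": "2025-01-10T08:02:17Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.10",
     "userIdentity": _controller_identity()},
    {"eventTime": "2025-01-10T08:05:44Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.7",
     "userIdentity": _controller_identity()},
    {"eventTime": "2025-01-10T09:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "192.0.2.25",
     "userIdentity": {"type": "IAMUser", "userName": "cloud-admin"}},
]})

if __name__ == "__main__":
    for finding in triage(load_records(SAMPLE_TRAIL_JSON)):
        print(finding)
```

The "unexpected IP" rule is the one worth running first: credentials obtained from the instance metadata service and replayed from an attacker's host show that host's address as sourceIPAddress, and AWS GuardDuty raises its own InstanceCredentialExfiltration findings on the same signal. Extend PRIV_ESC_EVENTS and the allowed IP set to your environment before trusting a clean result.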

 

Leadership/ Program recommendations:

  • When the Controller is down or out of service, the network will continue to be operational, and encrypted tunnels and OpenVPN® users will stay connected and unaffected
  • Since most of the data logs are forwarded from the gateways directly, the loss of log information from the Controller is minimal during downtime
  • Customers are strongly recommended to perform image migration twice a year
  • Aviatrix publishes Field Notices and sends alerts to the Controller Admin in the Controller console when security-related issues are published

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.

 

References: