Other official information and services: www.belgium.be

WARNING: CRITICAL COMMAND INJECTION VULNERABILITY IN AVIATRIX CONTROLLER IS ACTIVELY EXPLOITED, PATCH IMMEDIATELY!

Referentie:

Advisory #2025-007

Versie:

1.1

Geïmpacteerde software:

Aviatrix controller versions 7.x through 7.2.4820

Type:

Command Injection

CVE/CVSS:

CVE-2024-50603: CVSS 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Datum:

09/01/2025

Bronnen

Securing - https://www.securing.pl/en/cve-2024-50603-aviatrix-network-controller-command-injection-vulnerability/

Wiz.io - https://www.wiz.io/blog/wiz-research-identifies-exploitation-in-the-wild-of-aviatrix-cve-2024-50603

Risico’s

Aviatrix Controllers are single panes of glass to manage cloud networking solutions across various environments. If exposed to the public, exploitation of this vulnerability could allow unauthenticated attackers to execute arbitrary code remotely, leading to severe consequences, including unauthorized access to sensitive data, exfiltration, system compromise, and potential lateral movement within the network. Confidentiality, integrity and availability are all highly impacted.

Update (2025-01-27)
This vulnerability is actively exploited by threat actors to mine cryptocurrency using XMRig and to deploy Sliver backdoors for persistence.

Beschrijving

CVE-2024-50603 is a critical command injection vulnerability present in Aviatrix Controller versions 7.x through 7.2.4820.

The flaw arises from improper neutralization of special elements used in system commands, specifically within the API's handling of the cloud_type parameter in the list_flightpath_destination_instances action.

The lack of proper input validation for cloud_type allows attackers to append malicious commands via crafted HTTP requests. For instance, an attacker can send a POST request that includes a payload designed to execute arbitrary commands on the server.

Aanbevolen acties

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Aviatrix has addressed this issue in Controller version 7.2.4996, and users are strongly advised to update to this version to mitigate the risk.

Update (2025-01-27)
Please note that in certain circumstances, the patch is not fully persistent across controller upgrades and must be re-applied, even if the controller status is displayed as “Patched”. These circumstances are:
The patch was first applied to a version prior to 7.1.4191 or 7.2.4996.
The Controller is subsequently updated to a version prior to 7.1.4191 or 7.2.4996.
The Controller does not have an associated CoPilot running version 4.16.1 or higher.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

Referenties

NVD NIST https:/nvd.nist.gov/vuln/detail/CVE-2024-50603