WARNING: CRITICAL COMMAND INJECTION VULNERABILITY IN AVIATRIX CONTROLLER IS ACTIVELY EXPLOITED, PATCH IMMEDIATELY!
CVE-2024-50603: CVSS 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Sources
Risks
Aviatrix Controllers are single panes of glass to manage cloud networking solutions across various environments. If exposed to the public, exploitation of this vulnerability could allow unauthenticated attackers to execute arbitrary code remotely, leading to severe consequences, including unauthorized access to sensitive data, exfiltration, system compromise, and potential lateral movement within the network. Confidentiality, integrity and availability are all highly impacted.
Update (2025-01-27)
This vulnerability is actively exploited by threat actors to mine cryptocurrency using XMRig and to deploy Sliver backdoors for persistence.
Description
CVE-2024-50603 is a critical command injection vulnerability present in Aviatrix Controller versions 7.x through 7.2.4820.
The flaw arises from improper neutralization of special elements used in system commands, specifically within the API's handling of the cloud_type parameter in the list_flightpath_destination_instances action.
The lack of proper input validation for cloud_type allows attackers to append malicious commands via crafted HTTP requests. For instance, an attacker can send a POST request that includes a payload designed to execute arbitrary commands on the server.
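As an added defender-side illustration (not part of the CCB advisory or Aviatrix's code): a small scanner that reads request logs and flags calls to the list_flightpath_destination_instances action whose cloud_type value contains shell metacharacters. The log format (Apache combined), the API path "/api" and the assumption that a legitimate cloud_type is a short numeric identifier are all assumptions made for this example; the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumptions for this example: a reverse proxy or WAF in front of the
# controller logs requests in Apache combined format and records the API
# parameters in the request target. "/api" is a placeholder path.
VULNERABLE_ACTION = "list_flightpath_destination_instances"
# Assumption: a legitimate cloud_type is a short numeric identifier.
SAFE_CLOUD_TYPE = re.compile(r"^\d{1,3}$")
# Characters that carry meaning for a POSIX shell and never belong in cloud_type.
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one normal call, one call with a shell
# metacharacter in cloud_type, one unrelated request.
LOG_SAMPLE = """\
203.0.113.7 - - [10/Jan/2025:09:12:01 +0000] "POST /api?action=list_flightpath_destination_instances&cloud_type=1 HTTP/1.1" 200 512
198.51.100.9 - - [10/Jan/2025:09:12:05 +0000] "POST /api?action=list_flightpath_destination_instances&cloud_type=1%3Bx HTTP/1.1" 200 77
192.0.2.4 - - [10/Jan/2025:09:13:10 +0000] "GET /api?action=get_version HTTP/1.1" 200 140
"""

def extract_params(target):
    """Return the URL-decoded query parameters of a request target."""
    query = urlsplit(target).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}

def classify(line):
    """Return None for lines that do not call the vulnerable action,
    otherwise 'benign', 'injection_attempt' or 'malformed'."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    params = extract_params(m.group("target"))
    if params.get("action") != VULNERABLE_ACTION:
        return None
    cloud_type = params.get("cloud_type", "")
    if SAFE_CLOUD_TYPE.match(cloud_type):
        return "benign"
    if SHELL_META.search(cloud_type):
        return "injection_attempt"
    return "malformed"

def scan(lines):
    """Return (source_ip, verdict) for every line worth an analyst's attention."""
    hits = []
    for line in lines:
        verdict = classify(line)
        if verdict not in (None, "benign"):
            hits.append((LOG_LINE.match(line).group("ip"), verdict))
    return hits
```

Run scan(LOG_SAMPLE.splitlines()) to obtain the flagged source addresses; any hit on an unpatched controller warrants treating the host as potentially compromised, since patching alone does not remediate a prior intrusion.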
Recommended actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Aviatrix has addressed this issue in Controller version 7.2.4996, and users are strongly advised to update to this version to mitigate the risk.
Update (2025-01-27)
Please note that in certain circumstances, the patch is not fully persistent across controller upgrades and must be re-applied, even if the controller status is displayed as “Patched”. These circumstances are:
The patch was first applied to a version prior to 7.1.4191 or 7.2.4996.
The Controller is subsequently updated to a version prior to 7.1.4191 or 7.2.4996.
The Controller does not have an associated CoPilot running version 4.16.1 or higher.
Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate a historic compromise.