Hackers Use CVE-2024-50603 to Deploy Backdoor on Aviatrix Controllers


A critical vulnerability (CVE-2024-50603) in the Aviatrix Controller allows unauthenticated RCE. Active exploitation observed by Wiz Research in the wild for cryptojacking and backdoors. Learn about the risks and how to mitigate them.

Wiz Research, a prominent player in the cloud security space, has observed that a critical security flaw, CVE-2024-50603, impacting the Aviatrix Controller cloud networking platform, has been actively exploited in the wild by threat actors. With a CVSS score of 10.0, this critical vulnerability allows unauthenticated remote code execution (RCE) due to improper input sanitization in certain API endpoints.

CVE-2024-50603 is a critical flaw in Aviatrix Controller, a cloud networking platform, that allows unauthenticated remote code execution. The command injection vulnerability arises from improper input sanitization in certain API endpoints: the Aviatrix Controller’s PHP API incorporates user-supplied parameters without handling them properly, allowing malicious OS commands to be executed by unauthenticated users.

What’s concerning is that attackers can exploit this flaw simply by crafting malicious input. For example, instead of providing a legitimate cloud-type value, an attacker could inject commands such as "; rm -rf /" (to delete all files on the system) or "; download_malware.sh" (to download and execute malicious software).

The issue arises from how these user-supplied parameters are integrated into the internal workings of the Aviatrix Controller. Instead of properly validating and sanitizing the input, these parameters are directly incorporated into system commands. Exploiting this flaw can grant attackers arbitrary command execution on the system, potentially leading to privilege escalation within the cloud environment.

Wiz Research has observed active exploitation of this vulnerability in the wild, with attackers deploying cryptocurrency miners and backdoors on compromised systems. This is concerning as the Aviatrix Controller often holds significant privileges within cloud environments, enabling attackers to move laterally and gain control of critical cloud resources. Given the widespread use of Aviatrix Controller and its potential for privilege escalation within cloud environments, this vulnerability can put the security of a wide range of organizations in danger.  

The vulnerability impacts Aviatrix Controller versions prior to 7.1.4191 and 7.2.4996. Security teams should immediately upgrade to the patched versions and implement network restrictions to minimize the attack surface, Wiz Research noted in a blog post shared with Hackread.com. The researchers also published a proof-of-concept exploit, which can be accessed here.


Proactive threat hunting is crucial, involving reviewing security logs for suspicious activity, searching for malware findings on compute resources hosting Aviatrix Controller, and analyzing cloud events for abnormal activity. By taking these steps, organizations can mitigate the risks associated with this critical vulnerability and prevent further exploitation.
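As an added illustration, not code from the article, Wiz Research or Aviatrix, the following Python (chosen over the controller's PHP so it runs stand-alone) puts the unsanitized-splice pattern described above beside an allowlist-plus-argv hardened version, and adds a small hunting helper of the kind the log review above calls for, run over constructed access-log lines. The tool path, parameter name, allowlist and log lines are all assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical tool path and parameter name; the article names neither.
CLOUD_TOOL = "/opt/example/cloud-setup"
PARAM = "cloud_type"
# Assumed allowlist of legitimate cloud-type values.
ALLOWED_CLOUD_TYPES = {"aws", "azure", "gcp", "oci"}
SHELL_META = re.compile(r"[;&|`$<>\n]")
REQ_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')

def vulnerable_command_string(cloud_type: str) -> str:
    # The flawed pattern: the raw request parameter is spliced into a shell
    # command line. Returned as a string, never executed, so the splice is visible.
    return f"{CLOUD_TOOL} --cloud-type {cloud_type}"

def safe_command(cloud_type: str) -> list:
    # Hardened pattern: allowlist the value, then return an argv list meant for
    # subprocess.run(argv) with shell=False, so no shell ever parses the value.
    if cloud_type not in ALLOWED_CLOUD_TYPES:
        raise ValueError(f"unsupported {PARAM}: {cloud_type!r}")
    return [CLOUD_TOOL, "--cloud-type", cloud_type]

def is_rejected(cloud_type: str) -> bool:
    # True when the hardened path refuses the value.
    try:
        safe_command(cloud_type)
    except ValueError:
        return True
    return False

def flag_suspicious_requests(log_text: str) -> list:
    # Hunting helper: (client, decoded value) for each request whose cloud_type
    # is outside the allowlist or carries shell metacharacters.
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        client, url = m.groups()
        for value in parse_qs(urlsplit(url).query).get(PARAM, []):
            if value not in ALLOWED_CLOUD_TYPES or SHELL_META.search(value):
                hits.append((client, value))
    return hits

# Constructed sample lines in common log format, not real controller logs.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2025:12:00:01 +0000] "GET /v1/api?cloud_type=aws HTTP/1.1" 200 512
10.0.0.9 - - [10/Jan/2025:12:00:07 +0000] "GET /v1/api?cloud_type=aws%3Bid HTTP/1.1" 200 88
"""
```

Only the second sample request is flagged, because its URL-decoded value "aws;id" is both outside the allowlist and carries a shell metacharacter.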

Ray Kelly, a Fellow at Black Duck, commented on the latest development, emphasizing the importance of securing API endpoints. "The critical vulnerability (CVSS score: 10.0) in the Aviatrix Controller underscores the critical need to secure API endpoints. Developers often assume that APIs are hidden or immune to common web application attacks, but this example highlights how a server can be compromised through a simple web call."

"Thoroughly testing APIs is challenging due to their size, complexity, and the interdependence of chained calls. However, comprehensive security testing is essential, as neglecting it can lead to catastrophic consequences," Ray advised.
