Jakub Korepta, Principal Security Consultant at Securing, has discovered a critical command injection vulnerability in the Aviatrix Network Controller, identified as CVE-2024-50603. This flaw, impacting versions 7.x through 7.2.4820, has been assigned the highest possible CVSS severity score of 10.0. It allows unauthenticated attackers to remotely execute arbitrary code, posing a severe threat to enterprises utilizing Aviatrix’s cloud networking solutions.
The root of this vulnerability lies in improper input handling within the Aviatrix Controller's API. While certain input parameters are sanitized using functions like escapeshellarg, others—most notably the cloud_type parameter in the list_flightpath_destination_instances action—remain unprotected. This oversight permits attackers to inject malicious commands into API requests, leading to remote code execution (RCE).
Jakub Korepta demonstrated this flaw by crafting a malicious HTTP request that redirected sensitive system files to an attacker-controlled server. By appending harmful commands to the vulnerable parameter, attackers can gain unauthorized access and execute arbitrary code on the targeted system.
In a proof-of-concept attack, Korepta successfully extracted the contents of the /etc/passwd file, highlighting the potential for data theft. However, the threat extends beyond data exfiltration. Exploiting this vulnerability could allow attackers to:
- Execute Remote Code: Attackers can run commands with full system privileges, gaining complete control over the Aviatrix Controller.
- Steal or Manipulate Data: Sensitive data stored on the system can be accessed, stolen, or altered.
- Compromise Entire Networks: Successful exploitation could lead to lateral movement within enterprise networks, escalating the attack's impact.
Research uncovered 681 publicly exposed Aviatrix Controllers accessible via the Shodan search engine. These exposed systems significantly increase the risk, providing attackers with easily identifiable targets for exploitation.
Aviatrix has responded promptly by releasing version 7.2.4996, which addresses this vulnerability through enhanced input sanitization. This update effectively neutralizes the identified risk. All users are strongly urged to upgrade to this patched version immediately to secure their systems and prevent exploitation. Failure to apply this update leaves systems vulnerable to severe attacks.
Recommended actions for organizations include:
- Immediate Patch Deployment: Upgrade to version 7.2.4996 or later to eliminate the vulnerability.
- Network Access Controls: Restrict public access to Aviatrix Controllers and enforce strict network segmentation.
- Continuous Monitoring: Implement robust monitoring systems to detect unauthorized activity or anomalies.
Lessons in Proactive Security
This incident underscores the critical need for proactive cybersecurity measures and routine software updates. Even advanced networking solutions can be compromised if proper input validation and security controls are neglected. Organizations must remain vigilant, ensuring that both internal systems and third-party solutions adhere to stringent security standards.
The discovery of CVE-2024-50603 serves as a stark reminder of how overlooked vulnerabilities can escalate into significant threats. Timely updates and consistent security practices are vital to protecting enterprise networks from evolving cyber risks.
