Aviatrix Controller RCE Vulnerability Allows Unauthenticated Malicious Code Injections (CVE-2024-50603)
Gabriel Avner
January 16, 2025
AWS and other cloud infrastructure exposed after attacks uncovered in the wild
Cloud networking solutions provider Aviatrix has disclosed a new vulnerability (CVE-2024-50603) in its controller. The vulnerability allows unauthenticated actors to run arbitrary commands.
This Remote Code Execution (RCE) vulnerability, rated CVSS 10 (critical), has been exploited in the wild.
A patch is already available on GitHub. Alternatively, users can update to the secure versions 7.1.4191 or 7.2.4996.
What is the Aviatrix Controller?
Aviatrix’s platform enables its customers to manage and secure their cloud infrastructure across providers. It is used across AWS, Azure, GCP, and other providers, including in enterprise environments.
What is the Vulnerability in CVE-2024-50603?
According to researcher Jakub Korepta of SecuRing, who disclosed the vulnerability, the issue stems from improper handling of user-supplied parameters in the Aviatrix Controller’s API. Because the affected API is reachable without authentication, a malicious actor can inject arbitrary commands to compromise a target’s publicly exposed controller machines in the cloud.
Researchers have observed malicious actors using CVE-2024-50603 to install XMRig crypto miners and Sliver backdoors. This can potentially lead to more significant attacks on target organizations’ VMs.
Read Korepta’s technical writeup here: https://www.securing.pl/en/cve-2024-50603-aviatrix-network-controller-command-injection-vulnerability/
Apono’s Assessment
The vulnerability in Aviatrix’s API essentially breaks the authentication mechanism, opening the door to abuse by attackers.
“We see that sometimes even the best lock on the door can be made ineffective, like in this case where the authentication mechanism is broken,” says Apono CTO and Co-founder Ofir Stein. “This is an important reminder of why we must adopt a layered approach to securing our infrastructure. Apono enables organizations to implement Just-in-Time access to their networking tools, allowing them to add a critical layer of protection.”
Organizations often struggle to secure their cloud resources. Because the cloud service provider controls the underlying infrastructure, and because of the sheer scale of their cloud estates, they lack critical visibility into what they actually have deployed. Moreover, they have great difficulty understanding who has access to which resources, which impedes their ability to control access.
Even though visibility and access control have always been challenges in security, the cloud service providers’ shared responsibility model places responsibility for the organization’s sprawling infrastructure, with its complex and diverse permissions, squarely on the organization’s shoulders.
While authentication is a critical element of security, the industry understands that authentication alone is insufficient to protect against attacks. Security needs to be designed in layers. This is why we have seen the growth of MFA in system design and the development of cross-industry regulations.
However, in this case, and many others, vulnerabilities in the authentication mechanism or clever social engineering ploys can enable attackers to bypass even the most capable authentication protections, leaving resources exposed.
Effective access control mechanisms, like Just-in-Time, are essential in reducing the attack surface. When technical failures like this CVE occur, organizations can mitigate risks from a breach or abuse by limiting access to sensitive resources like administrative controls.
Recommendations
- Patch vulnerable versions of Aviatrix or upgrade to a secure version.
- To restrict access to the controller, use defense-in-depth techniques, such as ZTNA, IP filtering, and Just-in-Time network tunneling.
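As an added example for the first recommendation (not part of the original post or Aviatrix’s own tooling), the following Python script triages an inventory of controller version strings against the two fixed versions named above, 7.1.4191 and 7.2.4996. The hostnames and version strings are constructed sample data, and the handling of release branches the advisory does not name (reported as "unknown" for manual review) is an assumption.

```python
"""Triage Aviatrix Controller versions against the fixed releases for CVE-2024-50603."""

# Fixed builds stated in the advisory, keyed by (major, minor) release branch.
FIXED_BUILDS = {(7, 1): 4191, (7, 2): 4996}


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse a 'major.minor.build' string such as '7.1.4191'; reject anything else."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Aviatrix version string: {version!r}")
    major, minor, build = (int(p) for p in parts)
    return major, minor, build


def assess(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for one controller version string."""
    major, minor, build = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_BUILDS:
        return "fixed" if build >= FIXED_BUILDS[branch] else "vulnerable"
    # Assumption: branches the advisory does not name (older or newer release
    # lines) are deliberately not guessed at and are flagged for manual review.
    return "unknown"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group controller hostnames by assessment result."""
    groups: dict[str, list[str]] = {"fixed": [], "vulnerable": [], "unknown": []}
    for host, version in inventory.items():
        groups[assess(version)].append(host)
    return groups


# Constructed sample inventory; hostnames and versions are not from any real estate.
SAMPLE_INVENTORY = {
    "ctrl-prod-us": "7.1.4191",
    "ctrl-prod-eu": "7.1.4105",
    "ctrl-dev": "7.2.4996",
    "ctrl-lab": "7.2.4800",
    "ctrl-legacy": "7.0.2000",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```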
Contact one of our experts today to learn more about Apono’s Cloud Access Platform.