This page was generated automatically; to view the article in its initial location, please visit the link below:
https://www.darkreading.com/cloud-security/cloud-attackers-exploit-max-critical-aviatrix-rce-flaw
and if you wish to remove this article from our website, kindly reach out to us
Numerous threat actors are actively targeting a newly uncovered high-severity security vulnerability in the Aviatrix Controller centralized management system for cloud networking.
In a worst-case scenario, the vulnerability, tracked as CVE-2024-50603 (CVSS 10), can enable an unauthenticated remote attacker to execute arbitrary commands on an affected device and gain complete control over it. Attackers are presently taking advantage of this flaw to install XMRig cryptomining malware and the Sliver backdoor on compromised systems.
CVE-2024-50603: A Major Vulnerability
This vulnerability poses a particularly severe threat in Amazon Web Services (AWS) cloud environments, where the Aviatrix Controller allows for privilege escalation by default, as researchers at Wiz Security warned in a blog on January 10.
“According to our data, approximately 3% of cloud enterprise environments have deployed Aviatrix Controller,” the researchers reported. “In 65% of such environments, the virtual machine hosting Aviatrix Controller possesses a lateral movement pathway to administrative cloud control plane permissions.”
Numerous large enterprises utilize Aviatrix’s technology to oversee cloud networking across AWS, Azure, Google Cloud Platform (GCP), and other multi-cloud settings. Typical scenarios include the automation of cloud network infrastructure deployment and management, along with handling security, encryption, and connectivity policies. The company counts organizations like Heineken, Raytheon, Yara, and IHG Hotels and Resorts among its clientele.
CVE-2024-50603 originates from Aviatrix Controller’s failure to properly verify or validate data sent by users through its application programming interface (API). It is the latest example emphasizing the security vulnerabilities associated with the increasing reliance on APIs by organizations, regardless of their size. Additional prevalent API-related risks consist of those arising from configuration mistakes, insufficient visibility, and inadequate security evaluation.
The flaw exists in all supported versions of Aviatrix Controller prior to 7.2.4996 or 7.1.4191. Aviatrix has released a patch for this bug and advises organizations to apply it or upgrade to either version 7.1.4191 or 7.2.4996 of the Controller.
“In specific cases, the patch may not remain fully effective across controller updates and must be reapplied, even if the controller status indicates ‘patched’,” the company specified. One such situation is when the patch is applied to unsupported versions of the controller, noted Aviatrix.
Hackers Conduct Opportunistic Cloud Attacks
Security researcher Jakub Korepta of SecuRing, who identified and reported the vulnerability to Aviatrix, publicly revealed details regarding the flaw on January 7. Merely one day later, a proof-of-concept exploit for the vulnerability was made available on GitHub, sparking almost immediate exploit activity.
“Following the release of the proof-of-concept, Wiz observed that the majority of the vulnerable systems began to experience activity; instances were specifically singled out by attackers seeking unpatched Aviatrix implementations,” states Alon Schindel, vice president of AI & Threat Research at Wiz. “The total frequency of exploitation attempts has remained consistent. However, we observe clients updating their systems and thwarting attackers from targeting them.”
Schindel describes the current exploit activity as primarily opportunistic, stemming from scanners and automated tools scouring the Internet for unpatched Aviatrix deployments.
“While some payloads and infrastructure utilized indicate a higher level of sophistication in certain instances, the majority of attempts seem to be general sweeps rather than specifically tailored or targeted assaults on particular organizations,” he explains.
Available telemetry indicates that numerous threat actors, including organized criminal groups, are exploiting the vulnerability in various ways. As of now, there is no evidence suggesting that any single group is controlling the exploitation efforts, Schindel remarks. “Depending on the configuration of the environment, an adversary could exfiltrate sensitive information, access additional parts of the cloud or on-premises infrastructure, or disrupt standard operations,” he observes.
A Reminder of API-Based Cyber-Risks
Ray Kelly, a fellow at Black Duck, remarks that the Aviatrix Controller vulnerability serves as yet another reminder of both the escalating risks related to API endpoints and the challenges of managing them. The vulnerability illustrates how a server can be compromised through a single web request to an API, underscoring the necessity for meticulous testing of APIs. However, such testing can be difficult, owing to the size, intricacy, and interdependence of APIs and the fact that many APIs are developed and managed by external software and service providers.
“One effective strategy to alleviate these risks is by establishing explicit ‘rules of governance’ for third-party software,” Kelly states. “This involves implementing comprehensive vetting procedures for third-party suppliers, enforcing uniform security practices, and ensuring ongoing monitoring of software performance and vulnerabilities.”
According to Schindel from Wiz, the optimal course of action for organizations impacted by the recent Aviatrix vulnerability is to apply the company’s patch promptly. Organizations unable to patch immediately should restrict network access to the Aviatrix Controller through an IP allowlist, permitting only trusted sources to connect, Schindel suggests. They should also vigilantly observe logs and system behavior for any suspicious actions or known exploit indicators, establish alerts for unusual activity tied to Aviatrix, and minimize unnecessary lateral movement pathways between their cloud identities.
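One way to check the IP-allowlist recommendation above on an AWS-hosted Controller, as an added example that is not part of the article or Aviatrix's own tooling: the function below audits a security group's ingress rules (the dictionary mirrors the `IpPermissions` shape returned by EC2 `DescribeSecurityGroups`; the group id, CIDRs and trusted ranges are constructed, hypothetical values) and reports any rule that exposes the Controller's management port to sources outside the allowlist.

```python
import ipaddress

# Constructed sample in the shape of one DescribeSecurityGroups entry.
# The 0.0.0.0/0 and ::/0 rules on 443 are the weak setting this check should flag.
CONTROLLER_SG = {
    "GroupId": "sg-PLACEHOLDER",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "203.0.113.0/24"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ],
}

# Assumed trusted sources (e.g. corporate egress, bastion); replace with your own.
TRUSTED_CIDRS = ["203.0.113.0/24", "198.51.100.10/32", "2001:db8::/32"]


def rule_covers_port(rule, port):
    """True if the rule's protocol/port span includes `port` (-1 means all traffic)."""
    if rule.get("IpProtocol") == "-1":
        return True
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def audit_ingress(sg, trusted_cidrs, port=443):
    """Return (port, cidr) for every ingress range on `port` not inside the allowlist."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for rule in sg["IpPermissions"]:
        if not rule_covers_port(rule, port):
            continue
        ranges = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        ranges += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in ranges:
            net = ipaddress.ip_network(cidr)
            # A range is acceptable only if it is fully contained in a trusted range
            # of the same address family; 0.0.0.0/0 and ::/0 never are.
            if not any(net.version == t.version and net.subnet_of(t) for t in trusted):
                findings.append((port, cidr))
    return findings


if __name__ == "__main__":
    for port, cidr in audit_ingress(CONTROLLER_SG, TRUSTED_CIDRS):
        print(f"{CONTROLLER_SG['GroupId']}: port {port} open to untrusted range {cidr}")
```

Run it against real groups by feeding each `SecurityGroups` element from `describe_security_groups` into `audit_ingress`; an empty result means every ingress source on the port is within the allowlist.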