CVE-2024-50603 Aviatrix Controllers OS Command Injection Vulnerability

CVE-2024-50603 Aviatrix Controllers OS Command Injection Vulnerability

On January 7, 2025, a significant security vulnerability—CVE-2024-50603—was disclosed, affecting Aviatrix Controllers. With a staggering CVSS score of 9.9, this remote code execution vulnerability poses a critical risk to organizations using Aviatrix Controllers. It has since been added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities Catalog, underscoring its severity and the need for immediate action.

Overview of CVE-2024-50603

The vulnerability, which affects all Aviatrix Controller versions prior to 7.2.4996 and 7.1.4191, allows unauthenticated attackers to execute arbitrary commands on the controller. This flaw stems from improper input sanitization in specific API endpoints, making it possible for bad actors to exploit the system without requiring authentication. Given its criticality, organizations are strongly urged to take proactive measures to safeguard their infrastructure.

Key Details of CVE-2024-50603:

  • Risk Rating: CVSS 9.9 (Critical) – AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Impact: Allows attackers to execute arbitrary commands, leading to potential full system compromise.
  • Affected Products: All supported versions of Aviatrix Controller prior to 7.2.4996 or 7.1.4191.
  • Solution: Update to the patched versions (7.2.4996 or 7.1.4191) or apply the Critical Vulnerability Security Patch.

Active Exploitation in the Wild

Since its disclosure, there have been confirmed reports of active exploitation of CVE-2024-50603. Attackers are leveraging this vulnerability to deploy cryptocurrency miners (such as XMRig) and backdoors like the Sliver framework. The ease of exploitation—coupled with the potential for significant damage—has made this vulnerability a prime target for threat actors.

CISA’s Directive and Guidance

CISA has added CVE-2024-50603 to its Known Exploited Vulnerabilities Catalog, mandating that federal civilian executive branch agencies address the vulnerability by February 6, 2025. While this directive specifically applies to government entities, private organizations are also strongly encouraged to prioritize remediation to mitigate the risk of exploitation.

CISA’s Known Exploited Vulnerabilities Catalog serves as a critical resource for highlighting vulnerabilities that pose significant risks to federal networks and beyond. By adding CVE-2024-50603 to this list, CISA emphasizes the urgency of addressing this flaw to prevent further exploitation.

Mitigation Steps and Recommendations

To protect your systems from CVE-2024-50603, Aviatrix strongly advises taking the following steps:

  1. Update Your Controllers: Ensure that your Aviatrix Controller is running version 7.2.4996 or 7.1.4191. These versions contain fixes for the vulnerability.
  2. Apply the Security Patch: If updating to the latest version is not immediately feasible, apply the Critical Vulnerability Security Patch associated with CVE-2024-50603. Note that in some cases, the patch may need to be re-applied after certain updates or if specific conditions are met (e.g., a CoPilot version lower than 4.16.1).
  3. Restrict Access to Port 443: Aviatrix recommends ensuring that the controller does not have port 443 exposed to the internet. Following the Controller IP Access guidance can further reduce your attack surface.
  4. Perform Regular Image Migrations: Aviatrix advises performing image migrations twice a year to stay updated with the latest system-level security patches.
  5. Monitor for Exploitation Indicators: Stay vigilant by monitoring your systems for signs of exploitation, such as unexpected CPU spikes (potentially indicative of cryptocurrency mining) or unauthorized network traffic.

Acknowledgments and Collaboration

Aviatrix has credited Jakub Korepta of SecuRing for responsibly disclosing this vulnerability. His technical write-up provides valuable insights into the flaw and its exploitation, offering a deeper understanding of the issue. Collaboration between security researchers and vendors like Aviatrix is crucial for identifying and addressing vulnerabilities before they can be widely exploited.

Other Relevant Aviatrix Vulnerabilities

In addition to CVE-2024-50603, Aviatrix has disclosed several other vulnerabilities in recent years. Notable examples include:

  1. CVE-2023-52087: A medium-severity misconfiguration in the Aviatrix Egress FQDN Firewall that allowed non-TLS traffic over HTTPS ports.

         Solution: Updates were made to change the default behavior, and affected customers were provided with steps to enable or disable specific functionalities.

 

2.Remote Code Execution Vulnerability (2022): A critical flaw enabling arbitrary remote code execution via Gateway command mechanisms.

        Solution: Updates to versions 6.4.3057 and later addressed this issue.

 

3.Privilege Escalation Vulnerabilities (2022): Local privilege escalation vulnerabilities (CVE-2021-4034 and CVE-2022-0185) impacting Linux packages used by Aviatrix systems.

       Solution: Security patches and updates were provided to mitigate these risks.

Closing summary

CVE-2024-50603 serves as a stark reminder of the importance of proactive vulnerability management. With active exploitation in the wild and its inclusion in CISA’s Known Exploited Vulnerabilities Catalog, addressing this flaw should be a top priority for all organizations utilizing Aviatrix Controllers. By following Aviatrix’s recommendations and applying the necessary updates, organizations can significantly reduce their risk and ensure the security of their infrastructure.

Stay informed and vigilant—and remember, timely action can make all the difference in protecting your systems from evolving cyber threats.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top