Full Report
The Wiz Incident Response team is currently responding to multiple incidents involving CVE-2024-50603, an unauthenticated RCE vulnerability in Aviatrix Controller that can lead to privilege escalation in the AWS control plane. Organizations should patch urgently.
Analysis Summary
# Vulnerability: Aviatrix Controller Unauthenticated Remote Code Execution (Command Injection)
## CVE Details
- CVE ID: CVE-2024-50603
- CVSS Score: 10.0 (Critical)
- CWE: CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))
## Affected Systems
- Products: Aviatrix Controller
- Versions: Before `7.1.4191`, and versions `7.2.x` before `7.2.4996`.
- Configurations: Primarily impacts systems deployed in AWS cloud environments due to default high IAM privileges.
## Vulnerability Description
This critical vulnerability is an OS Command Injection flaw residing in the Aviatrix Controller's PHP API. It stems from the improper neutralization of user-supplied input in parameters like `cloud_type` and `src_cloud_type` within the `list_flightpath_destination_instances` and `flightpath_connection_test` API endpoints. An unauthenticated remote attacker can inject arbitrary OS commands to be executed on the underlying system with the privileges of the application.
## Exploitation
- Status: Exploited in the wild (Observed activities include cryptojacking and backdoor deployment).
- Complexity: Low (Unauthenticated remote execution).
- Attack Vector: Network
## Impact
- Confidentiality: High (Implied, due to potential lateral movement and data exfiltration capabilities enabled by gaining RCE).
- Integrity: High (Arbitrary command execution allows modification or destruction of system state).
- Availability: High (Execution of cryptomining or system disruption tools).
## Remediation
### Patches
- Upgrade Aviatrix Controller to version `7.1.4191` or later.
- Upgrade Aviatrix Controller to version `7.2.4996` or later.
### Workarounds
- Implement network restrictions to prevent public access to the Aviatrix Controller interface.
- Conduct forensic investigation on existing devices to check for compromise indicators.
## Detection
- **Indicators of Compromise (IOCs):**
  - Network connections to: `91.193.19[.]109:13333`, `107.172.43[.]186:3939`.
  - File hashes (SHA1): `1ce0c293f2042b677cd55a393913ec052eded4b9`, `68d88d1918676c87dcd39c7581c3910a9eb94882`, `c4f63a3a6cb6b8aae133bd4c5ac6f2fc9020c349`, `c63f646edfddb4232afa5618e3fac4eee1b4b115`, `e10e750115bf2ae29a8ce8f9fa14e09e66534a15`, `41d589a077038048c4b120494719c905e71485ba`.
  - File system paths indicative of XMRig or Sliver deployment (e.g., paths involving `/tmp/systemd-private-` and containing `xmrig` or `moneroocean`).
- **Detection Methods and Tools:**
  - Search cloud provider security alerts where the principal matches the compute resource hosting Aviatrix Controller.
  - Monitor AWS CloudTrail events for activity using the default Aviatrix roles (`aviatrix-role-ec2` or `aviatrix-role-app`) from unobserved IP addresses or executing abnormal API calls.
  - Review network logs for suspicious outbound DNS requests or connections originating from the Controller device.
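The CloudTrail hunt described above, as an added example that is not part of the original report or any Wiz or Aviatrix tooling: it scans a CloudTrail log body for events made under the default Aviatrix roles and flags those from a source IP outside the Controller's known addresses or using an API call outside a routine baseline. The sample log, the allowed IP `203.0.113.10`, and the baseline set of describe calls are constructed for illustration.

```python
import json

# Default Aviatrix IAM roles named in the advisory; activity under these roles
# from unexpected places is the control-plane signal to hunt for.
AVIATRIX_ROLES = ("aviatrix-role-ec2", "aviatrix-role-app")

def parse_cloudtrail_records(raw_json):
    """Return the Records list from a CloudTrail log file body."""
    return json.loads(raw_json).get("Records", [])

def uses_aviatrix_role(record):
    """True if the calling identity is one of the default Aviatrix roles."""
    arn = record.get("userIdentity", {}).get("arn", "")
    return any(role in arn for role in AVIATRIX_ROLES)

def find_suspicious_events(records, known_source_ips, baseline_api_calls):
    """Flag Aviatrix-role events from unobserved IPs or with abnormal API calls."""
    findings = []
    for rec in records:
        if not uses_aviatrix_role(rec):
            continue
        reasons = []
        src, name = rec.get("sourceIPAddress", ""), rec.get("eventName", "")
        if src not in known_source_ips:
            reasons.append(f"unobserved source IP {src}")
        if name not in baseline_api_calls:
            reasons.append(f"abnormal API call {name}")
        if reasons:
            findings.append({"eventID": rec.get("eventID"), "eventName": name,
                             "sourceIPAddress": src, "reasons": reasons})
    return findings

# Constructed sample log (not real telemetry); ARN format follows CloudTrail's
# assumed-role convention. Only 203.0.113.10 is the Controller's expected IP.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventID": "e1", "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/aviatrix-role-ec2/i-0abc"}},
    {"eventID": "e2", "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/aviatrix-role-app/sess"}},
    {"eventID": "e3", "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventID": "e4", "eventName": "CreateUser", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/aviatrix-role-app/sess"}},
]})

def run_sample():
    """Apply the hunt to the constructed sample; baseline = routine describe calls."""
    known_ips = {"203.0.113.10"}
    baseline = {"DescribeInstances", "DescribeVpcs", "DescribeRouteTables"}
    return find_suspicious_events(parse_cloudtrail_records(SAMPLE_LOG), known_ips, baseline)
```

In a real deployment, populate the known IP set from the Controller's elastic IP and NAT addresses, and build the baseline from a window of CloudTrail history prior to the advisory date.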
## References
- Aviatrix advisory: hXXps://docs.aviatrix.com/documentation/latest/release-notices/psirt-advisories/psirt-advisories.html#remote-code-execution-vulnerability-in-aviatrix-controllers
- Proof of Concept exploit: hXXps://github.com/newlinesec/CVE-2024-50603/blob/main/CVE-2024-50603.yaml
- Securing.pl blogpost: hXXps://www.securing.pl/en/cve-2024-50603-aviatrix-network-controller-command-injection-vulnerability/
- Vendor IAM Documentation: hXXps://docs.aviatrix.com/documentation/latest/platform-administration/accounts-and-users/iam-role.html#what-permissions-are-required-in-app-role-policy-and-why