Date of Disclosure (source): January 7, 2025
Date Reported as Actively Exploited (source): January 7, 2025
CVE-2024-50603 is a critical vulnerability affecting all supported versions of Aviatrix Controller prior to 7.1.4191 and 7.2.x before 7.2.4996 with a CVSS score of 10.0.
A technical writeup published by SecuRing listed the following vulnerable components:
- cloud_type parameter of the list_flightpath_destination_instances action
- src_cloud_type parameter of the flightpath_connection_test action
Unauthenticated attackers can send malicious input in a POST request to the /v1/api endpoint using these parameters and execute arbitrary code on the underlying server. An example proof of concept is available in the technical writeup above.
Multiple media outlets have reported active exploitation of this vulnerability in the wild. While specific threat actors were not named, a malicious host was observed attempting to use this exploit in the GreyNoise Visualizer (GreyNoise query).
| Field | Details |
| --- | --- |
| CVE-ID | CVE-2024-50603 – CVSS 10.0 (critical) – assigned by MITRE |
| Vulnerability Description | Due to improper neutralization of special elements used in an OS command, an unauthenticated attacker can execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloud_type for list_flightpath_destination_instances, or in src_cloud_type for flightpath_connection_test. |
| Date of Disclosure | January 7, 2025 |
| Affected Assets | Aviatrix Controller /v1/api endpoint: the cloud_type parameter of the list_flightpath_destination_instances action, and the src_cloud_type parameter of the flightpath_connection_test action |
| Vulnerable Software Versions | Prior to 7.1.4191 and 7.2.x before 7.2.4996 |
| PoC Available? | A technical writeup by SecuRing describes the exploit in detail, and exploit code is available in a Nuclei template on GitHub. |
| Exploitation Status | Multiple media outlets have reported active exploitation in the wild, and a malicious host was observed attempting to exploit this vulnerability in GreyNoise. |
| Patch Status | Aviatrix has urged users to download the official security patch, or to update the Controller to 7.1.4191 or 7.2.4996. Aviatrix has also provided additional mitigation guidance and instructions for applying the patch in its security advisory. |
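The description above gives a defender everything needed for a simple request-log detector: the endpoint, the two action names, the parameter each action reads, and the fact that a shell metacharacter in that parameter is never legitimate. The following is an added example written for this page, not Censys or Aviatrix code. It assumes a constructed log format (`<timestamp> <client_ip> <method> <path>[?query] ["<form body>"]`) in which the API parameters appear URL-encoded either in the query string or in the logged body, under the exact names `action`, `cloud_type` and `src_cloud_type`; the sample lines and IP addresses are constructed (RFC 5737 documentation ranges).

```python
"""Flag request-log entries that fit the CVE-2024-50603 injection pattern.

Added detection example for this advisory; it is not Censys or Aviatrix
code. It assumes a constructed log format of
    <timestamp> <client_ip> <method> <path>[?query] ["<form body>"]
and that the API parameters appear URL-encoded either in the query string
or in the logged body, named exactly `action`, `cloud_type` and
`src_cloud_type` as the advisory describes.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Vulnerable action -> the parameter the advisory names for it.
VULNERABLE_PARAMS = {
    "list_flightpath_destination_instances": "cloud_type",
    "flightpath_connection_test": "src_cloud_type",
}

# A cloud_type value is a short identifier; any shell-significant character
# in it is out of place and is what this detector keys on.
SHELL_METACHARS = re.compile(r"[;&|`$(){}<>\\\n]")

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<target>\S+)'
    r'(?: "(?P<body>[^"]*)")?$'
)

# Constructed sample lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '2025-01-08T10:00:01Z 198.51.100.7 POST /v1/api "action=login&username=admin"',
    '2025-01-08T10:00:02Z 198.51.100.7 POST /v1/api "action=list_flightpath_destination_instances&cloud_type=1"',
    '2025-01-08T10:00:03Z 203.0.113.5 POST /v1/api "action=list_flightpath_destination_instances&cloud_type=1%3Btrue"',
    '2025-01-08T10:00:04Z 203.0.113.5 POST /v1/api "action=flightpath_connection_test&src_cloud_type=%24%28true%29"',
    '2025-01-08T10:00:05Z 203.0.113.5 GET /v1/api?action=flightpath_connection_test&src_cloud_type=1%7Ctrue',
]


def inspect_request(target: str, body: str = "") -> Optional[dict]:
    """Return a finding if the request targets a vulnerable action with a
    shell metacharacter in the corresponding parameter, else None."""
    parts = urlsplit(target)
    if parts.path != "/v1/api":
        return None
    # Merge query-string and body parameters; either may carry the action.
    params = parse_qs(parts.query, keep_blank_values=True)
    params.update(parse_qs(body, keep_blank_values=True))
    action = params.get("action", [""])[0]
    param = VULNERABLE_PARAMS.get(action)
    if param is None or param not in params:
        return None
    value = params[param][0]  # parse_qs has already percent-decoded it
    if not SHELL_METACHARS.search(value):
        return None
    return {"action": action, "param": param, "value": value}


def scan_log(lines) -> list:
    """Run inspect_request over every parsable line. The advisory describes
    POST requests, but the method is recorded rather than filtered on so the
    detector does not miss the same parameters arriving another way."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = inspect_request(m["target"], m["body"] or "")
        if finding:
            finding.update(line=lineno, ip=m["ip"], method=m["method"])
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} {f['method']} {f['action']} "
              f"{f['param']}={f['value']!r}")
```

Run against the constructed sample, lines 1 and 2 are benign (wrong action, clean value) and lines 3 to 5 are flagged. Keying on metacharacters in the specific parameter, rather than on a known payload string, keeps the rule useful against variants of the public proof of concept, and surfacing the source IP lets the hit be correlated with the GreyNoise observation referenced above.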
Censys Perspective
At the time of writing, Censys observed 1,319 exposed Aviatrix Controllers online. A large proportion of these (86%) are geolocated in the United States. Roughly 85% of the total exposed instances are hosted in AWS.
While we were able to detect versions on some of these instances, we did not detect any that were vulnerable to the exploit. This does not necessarily mean that none of these instances are vulnerable, since we do not always have version information available.
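The caveat above matters when triaging an inventory: a controller whose version could not be read has to stay "unknown" rather than being counted as safe. The following is an added example written for this page, not Censys or Aviatrix code. It assumes versions are dotted numerics in the form the advisory uses ("7.1.4191"); because the advisory names fixed builds only on the 7.1 and 7.2 branches, treating later branches as outside the affected range is this example's assumption, not a statement from the advisory. The hostnames and versions in the sample inventory are constructed.

```python
"""Triage Aviatrix Controller version strings against the CVE-2024-50603 range.

Added example for this advisory, not Censys or Aviatrix code. It assumes
versions are dotted numerics like "7.1.4191", as the advisory writes them.
The advisory names fixed builds only on the 7.1 and 7.2 branches; treating
later branches as outside the affected range is this example's assumption,
not a statement from the advisory.
"""
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# First fixed build on each branch the advisory names.
FIXED_BUILDS = {
    (7, 1): (7, 1, 4191),
    (7, 2): (7, 2, 4996),
}


def parse_version(text: str) -> Version:
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 3:
        raise ValueError(f"expected major.minor.build, got {text!r}")
    return parts


def is_affected(version: str) -> bool:
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BUILDS:
        # Same branch: affected iff below the first fixed build.
        return v < FIXED_BUILDS[branch]
    if branch < (7, 1):
        # Everything before the 7.1 branch is "prior to 7.1.4191".
        return True
    # Branches newer than 7.2 are not named in the advisory (assumption).
    return False


def triage(inventory: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Map host -> 'affected' | 'not_affected' | 'unknown'.

    A missing or unparsable version is reported as unknown rather than
    assumed safe, which is the caveat the Censys perspective makes explicit."""
    result = {}
    for host, version in inventory.items():
        if not version:
            result[host] = "unknown"
            continue
        try:
            result[host] = "affected" if is_affected(version) else "not_affected"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed inventory: hostnames and versions are illustrative only.
SAMPLE_INVENTORY = {
    "ctrl-a.example.net": "7.1.4190",
    "ctrl-b.example.net": "7.1.4191",
    "ctrl-c.example.net": "7.2.4995",
    "ctrl-d.example.net": "7.2.4996",
    "ctrl-e.example.net": "7.0.2218",
    "ctrl-f.example.net": None,
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:22} {SAMPLE_INVENTORY[host] or '-':10} {status}")
```

The two branches are compared independently because a 7.2 build number below 4996 is affected even though it is numerically larger than the 7.1 fix build; a naive single tuple comparison against 7.1.4191 would mark every 7.2.x controller as fixed.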
Map of Exposed Aviatrix Controller Instances
Censys Search Query:
services.software: (vendor="Aviatrix" and product="Controller") and not labels: {honeypot, tarpit}
Note that this fingerprint was recently deployed and results may take 24 hours to fully propagate.
Censys ASM Query:
host.services.software: (vendor="Aviatrix" and product="Controller") or web_entity.instances.software: (vendor="Aviatrix" and product="Controller") and not host.labels: {honeypot, tarpit}
Risk:
risks.name: "Vulnerable Aviatrix Controller Application [CVE-2024-50603]"
Note that this risk was recently deployed and results may take 24 hours to fully propagate.