Full Report
A recently disclosed critical security flaw impacting the Aviatrix Controller cloud networking platform has come under active exploitation in the wild to deploy backdoors and cryptocurrency miners. Cloud security firm Wiz said it's currently responding to "multiple incidents" involving the weaponization of CVE-2024-50603 (CVSS score: 10.0), a maximum severity bug that could result in
Analysis Summary
# Vulnerability: Unauthenticated Remote Code Execution in Aviatrix Controller
## CVE Details
- CVE ID: CVE-2024-50603
- CVSS Score: 10.0 (Critical)
- CWE: Not stated in the source (the described behaviour is OS command injection via improperly validated input)
## Affected Systems
- Products: Aviatrix Controller
- Versions: Releases prior to 7.1.4191 and prior to 7.2.4996.
- Configurations: Any deployment of a vulnerable version. Note: Wiz reports that approximately 3% of cloud enterprise environments have Aviatrix Controller deployed, and that in 65% of those the controller has a path to administrative cloud control plane permissions.
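As an added illustration (not code from the article, Wiz or Aviatrix), the check below decides whether a reported controller version predates the fixed builds listed above. It assumes each fix applies to its own minor branch (7.1.x fixed in 7.1.4191, 7.2.x fixed in 7.2.4996) and treats versions on any other branch as not covered by the listed fixes; it also shows why comparing against the single highest fixed version is the wrong check.

```python
import re
from typing import Optional, Tuple

# Fixed builds as given in the advisory summary above, keyed by (major, minor).
FIXED_BUILDS = {(7, 1): 4191, (7, 2): 4996}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract 'major.minor.build' from a version string (prefix text is ignored)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, build = (int(g) for g in m.groups())
    return major, minor, build


def is_vulnerable(version: str) -> Optional[bool]:
    """Branch-aware check.

    Returns True if the build predates the fix for its own minor branch,
    False if it is at or above the fixed build, and None if the branch is not
    one of the two the advisory names (assumption: treat None as "not covered
    by the listed fixes", i.e. plan an upgrade rather than assume safety).
    """
    major, minor, build = parse_version(version)
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:
        return None
    return build < fixed


def naive_is_vulnerable(version: str) -> bool:
    """The tempting but wrong check: a single tuple comparison against the
    highest fixed version. It flags the patched 7.1.4191 as vulnerable
    because (7, 1, 4191) < (7, 2, 4996)."""
    return parse_version(version) < (7, 2, 4996)


if __name__ == "__main__":
    # Constructed sample inventory values, not observed data.
    for v in ["7.1.4105", "7.1.4191", "7.2.4820", "7.2.4996", "7.2.5012", "7.0.2100"]:
        print(f"{v:>9}: branch-aware={is_vulnerable(v)!s:>5}  naive={naive_is_vulnerable(v)}")
```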
## Vulnerability Description
This is a critical flaw that allows unauthenticated Remote Code Execution (RCE). It exists because certain API endpoints fail to adequately sanitize user-supplied input, allowing an attacker to inject arbitrary operating system commands that the controller then executes.
## Exploitation
- Status: Exploited in the wild (Threat actors are actively weaponizing this vulnerability)
- Complexity: Low (Implied by unauthenticated RCE and public PoC)
- Attack Vector: Network (Remote)
### Impact
- Confidentiality: High (Allows for data exfiltration based on observed attacker pivoting)
- Integrity: High (Allows attackers to modify system state via command execution)
- Availability: High (Used to deploy crypto miners, degrading performance)
## Remediation
### Patches
- Aviatrix Controller version **7.1.4191**
- Aviatrix Controller version **7.2.4996**
### Workarounds
No specific workarounds are mentioned in the source text; because the flaw is under active exploitation, urgent patching to a fixed version is advised.
## Detection
- Observed Post-Exploitation Activities: Deployment of XMRig for cryptocurrency mining and installation of the Sliver command-and-control (C2) framework for persistent access.
- General Detection: Monitor Aviatrix Controller API request logs for anomalous parameter values consistent with command injection, and alert on unexpected child processes spawned by the controller service. Investigate controller hosts for cryptocurrency mining processes (such as XMRig) and unknown C2 implants (such as Sliver), and review cloud control plane audit logs for activity originating from the controller's identity, since the source notes that compromised controllers often have a path to administrative cloud permissions.
## References
- Vendor Advisory/Details (Implied): Fixed in versions 7.1.4191 and 7.2.4996.
- PoC Availability: Publicly available (hosted on GitHub).
- Vendor Documentation: [docs dot aviatrix dot com/documentation/latest/getting-started/platform-overview/index dot html] (General product overview)
- Security Research: [www dot wiz dot io/blog/wiz-research-identifies-exploitation-in-the-wild-of-aviatrix-cve-2024-50603] (Wiz research blog)
- PoC Link: [github dot com/newlinesec/CVE-2024-50603/blob/main/CVE-2024-50603 dot yaml]