
Cloud Attackers Take Advantage of Critical Aviatrix RCE Vulnerability


Security researchers have raised the alarm about a critical flaw in Aviatrix Controller, the centralized management platform for multi-cloud networking. The vulnerability, tracked as CVE-2024-50603 and rated CVSS 10.0, lets an unauthenticated remote attacker execute arbitrary commands on an affected Controller and take full control of it. Attackers exploiting the flaw have been deploying XMRig cryptomining malware and the Sliver backdoor on vulnerable hosts.

The impact is particularly severe in Amazon Web Services (AWS) environments, where the Controller's default deployment grants it IAM permissions broad enough that code execution on the Controller can be escalated into privileges on the cloud account itself. In a warning issued on January 10, researchers at Wiz Security reported that roughly 3% of enterprise cloud environments have Aviatrix Controller deployed, and that in 65% of those the Controller provides a lateral-movement path to administrative cloud control-plane permissions.

Many large organizations rely on Aviatrix to manage networking across AWS, Azure, and Google Cloud Platform, using it to automate network infrastructure deployment, manage security policies, and maintain connectivity between clouds. Heineken, Raytheon, Yara, and IHG Hotels and Resorts are among the customers Aviatrix lists.

The root cause of CVE-2024-50603 is that Aviatrix Controller fails to properly validate input received through its API before passing it on to operating-system commands, a reminder of how much risk concentrates in API endpoints. All supported Controller versions before 7.1.4191 (on the 7.1 train) and before 7.2.4996 (on the 7.2 train) are affected; Aviatrix has released fixes in those two versions and recommends applying them promptly. The company also cautions that the standalone patch may not persist across an upgrade in some situations, so administrators should verify the fix is still in place after upgrading and reapply it if necessary, especially on Controller versions that are no longer supported.
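The passage above describes an API parameter reaching an operating-system command without validation. The following Python illustration, written for this page and not taken from Aviatrix's code base, shows that pattern beside two hardened forms. The handler names, the `cloud_type` parameter, the allow-list of accepted values and the attacker payload are all constructed for the example; `echo` stands in for whatever back-end tool a real controller would invoke so the code runs offline on any POSIX host.

```python
"""Command injection through an API parameter: vulnerable vs. hardened.

Constructed illustration for this article; not Aviatrix code. The names
`vulnerable_handler`, `argv_only_handler`, `hardened_handler`, the
`cloud_type` parameter and ALLOWED_CLOUD_TYPES are hypothetical.
"""
import re
import subprocess

# Constructed attacker input: a valid-looking value followed by a second command.
INJECTION_PAYLOAD = "1; echo INJECTED"

# Hypothetical allow-list: the only values the API should ever accept here.
ALLOWED_CLOUD_TYPES = {"1", "4", "8"}

# Characters that let a string break out of a shell command.
_SHELL_META = re.compile(r"[;&|`$(){}<>\n\\'\"]")


def vulnerable_handler(cloud_type: str) -> str:
    """Interpolates the untrusted value into a shell string (shell=True).

    Because /bin/sh parses the whole string, "1; echo INJECTED" becomes two
    commands. With a real tool in place of `echo` this is remote code execution.
    """
    cmd = f"echo cloud_type={cloud_type}"
    return subprocess.run(cmd, shell=True, capture_output=True,
                          text=True, check=True).stdout


def argv_only_handler(cloud_type: str) -> str:
    """Same call with no shell: the value is one argv element, metacharacters inert.

    This stops command injection but still forwards garbage to the tool, so
    it is the fallback, not the primary control.
    """
    return subprocess.run(["echo", f"cloud_type={cloud_type}"],
                          capture_output=True, text=True, check=True).stdout


def hardened_handler(cloud_type: str) -> str:
    """Allow-list the value first, then execute without a shell."""
    if cloud_type not in ALLOWED_CLOUD_TYPES:
        raise ValueError(f"unexpected cloud_type: {cloud_type!r}")
    return argv_only_handler(cloud_type)


def looks_like_injection(value: str) -> bool:
    """Cheap request-log check: does an API parameter carry shell metacharacters?

    Useful as a hunting signal when reviewing access logs for a controller that
    was exposed before patching; it is not a substitute for the fix.
    """
    return _SHELL_META.search(value) is not None


if __name__ == "__main__":
    print("vulnerable:", repr(vulnerable_handler(INJECTION_PAYLOAD)))
    print("argv only: ", repr(argv_only_handler(INJECTION_PAYLOAD)))
    print("hardened:  ", repr(hardened_handler("1")))
    print("flagged:   ", looks_like_injection(INJECTION_PAYLOAD))
```

The order of the two controls matters: rejecting anything outside the allow-list is what makes the endpoint safe, and passing the value as a separate argv element is defense in depth for the day the allow-list is loosened.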

Security researcher Jakub Korepta of SecuRing disclosed the vulnerability on January 7. A proof-of-concept exploit was published on GitHub the following day, and exploitation attempts surged soon after. According to Alon Schindel, Vice President of AI & Threat Research at Wiz, attackers have concentrated on unpatched Aviatrix instances, and most of the exploit activity appears opportunistic rather than targeted.

Multiple threat actors, including organized criminal groups, are using the vulnerability for data exfiltration, persistent infrastructure access, and operational disruption. A few attempts show some sophistication, but most are broad, automated scans for unpatched Controllers reachable from the internet. Mitigation requires upgrading to a fixed version promptly and restricting network access to the Controller, with the added caveat that a Controller that was internet-exposed and unpatched while the exploit was public should be treated as potentially compromised and checked for the XMRig and Sliver artifacts seen in the wild.
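To turn the fixed-version numbers above into a quick inventory check, here is a small Python helper written for this page (not an Aviatrix tool). It assumes Controller versions are reported as dotted integers like `7.1.4000`, which is the format used for the fixed releases the article names; the sample inventory is constructed.

```python
"""Decide whether a reported Aviatrix Controller version predates the fix.

Added example for this article; not an Aviatrix tool. Assumes versions are
dotted integer strings. Fixed releases per the article: 7.1.4191 and 7.2.4996;
everything on a supported train before those is affected.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# First fixed build on each train named by the vendor.
FIXED_BY_TRAIN: Dict[Tuple[int, int], Version] = {
    (7, 1): (7, 1, 4191),
    (7, 2): (7, 2, 4996),
}
OLDEST_FIX: Version = (7, 1, 4191)


def parse_version(text: str) -> Version:
    """'7.1.4000' -> (7, 1, 4000); rejects anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(text: str) -> bool:
    """True if the version is below the first fixed build on its train.

    Trains with their own fixed build (7.1, 7.2) are compared against that
    build; any other train is compared against the oldest fix, so 7.0.x is
    affected and anything newer than 7.2.4996 is not.
    """
    version = parse_version(text)
    train = version[:2]
    threshold = FIXED_BY_TRAIN.get(train, OLDEST_FIX)
    return version < threshold


def controllers_needing_patch(inventory: Dict[str, str]) -> List[str]:
    """Return the names of controllers whose reported version is affected."""
    return sorted(name for name, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory: controller name -> reported version.
SAMPLE_INVENTORY = {
    "ctrl-prod-aws": "7.1.4000",   # affected: below 7.1.4191
    "ctrl-prod-az": "7.2.4996",    # fixed build itself
    "ctrl-dev": "7.0.2500",        # old train, below the oldest fix
    "ctrl-lab": "7.2.4500",        # affected: below 7.2.4996
    "ctrl-new": "7.2.5000",        # above the 7.2 fix
}

if __name__ == "__main__":
    for name in controllers_needing_patch(SAMPLE_INVENTORY):
        print(f"{name}: {SAMPLE_INVENTORY[name]} needs the CVE-2024-50603 fix")
```

Because the article notes the patch may not survive an upgrade, a version number alone is not proof of safety on a Controller that was patched in place rather than upgraded; confirm the fix is present after every upgrade as well.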

The incident is a stark reminder of the risk that API endpoints carry and of how hard they are to secure, particularly when the endpoint belongs to a third-party product that holds privileged cloud credentials. Clear governance for third-party software, including how quickly vendor fixes are applied and how much cloud privilege such products are granted by default, is a practical step toward limiting the blast radius of the next API flaw. Aviatrix urges affected organizations to apply the fix immediately, or to contact the company for help hardening their configurations against exploitation.
