A new remote code execution (RCE) vulnerability, tracked as CVE-2024-50603, has been discovered in Aviatrix Controller, posing significant risks to cloud environments. This severe vulnerability allows unauthenticated attackers to execute arbitrary commands through improperly sanitized user inputs, earning it a maximum CVSS score of 10.0. Patches have been released in versions 7.1.4191 and 7.2.4996 of Aviatrix Controller to mitigate this flaw.

Analysis of CVE-2024-50603

The vulnerability lies in the Aviatrix Controller API, where user input to the list_flightpath_destination_instances and flightpath_connection_test endpoints is not properly sanitized. Because parameters such as cloud_type and src_cloud_type are passed on without adequate validation, an unauthenticated attacker can inject arbitrary commands into them and achieve remote code execution on the controller.

Impact on Cloud Environments

Wiz Research indicates that approximately 3% of cloud environments use Aviatrix Controller, with 65% of these having potential lateral movement paths to cloud administrative permissions. The high default IAM privileges in AWS environments, as dictated by Aviatrix's role requirements for proper functioning, contribute to this risk, making Aviatrix Controller a lucrative target for cybercriminals to escalate their access once initial compromise is achieved.

Recent Exploitation Activities

The vulnerability was publicly disclosed on January 7, 2025, with a detailed blog post and proof-of-concept exploit appearing a day later. Instances of exploitation were soon detected by Wiz Research, particularly involving cryptojacking and the deployment of Sliver backdoors. These incidents primarily affected systems with public internet exposure still vulnerable to CVE-2024-50603, with observed malicious activities largely confined between January 7 and January 10, 2025.

Recommendations for Security Teams

To protect against this vulnerability:

- Patch Affected Systems: Update Aviatrix Controller to version 7.2.4996 or later and limit public access if feasible.

- Investigate for Compromise: Even if patched, examine your environment for any signs of previous exploitation or unauthorized access. Security teams using Wiz can deploy the following strategies:

  - Utilize Wiz Threat Center advisories to identify exposed or susceptible instances.
  - Conduct proactive threat hunting using tools like Wiz's Security Graph and Cloud Events Explorer to detect anomalies and possible signs of breach.
  - Review cloud provider alerts and network logs for unexpected activity tied to Aviatrix roles or other suspicious patterns.
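One concrete way to do the log review recommended above is to look for requests to the two API actions named in the analysis whose cloud_type or src_cloud_type values carry shell metacharacters. The scanner below is an added example, not code from the advisory, Wiz or Aviatrix; the /v1/api request path, the combined access-log format and every sample line are assumptions constructed for the demo.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoints and parameters named in the advisory for CVE-2024-50603.
VULN_ACTIONS = {"list_flightpath_destination_instances", "flightpath_connection_test"}
VULN_PARAMS = {"cloud_type", "src_cloud_type"}
# A cloud type is a small integer; none of these characters belong in it.
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")

# Minimal combined-log pattern: client IP, timestamp, method, request target.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')


def scan_line(line):
    """Return a finding dict for a suspicious request line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, ts, method, target = m.groups()
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    action = query.get("action", [""])[0]
    if action not in VULN_ACTIONS:
        return None
    for param in VULN_PARAMS:
        for raw in query.get(param, []):
            value = unquote(raw)  # parse_qs decoded once; catch double-encoding too
            if SHELL_META.search(value):
                return {"client": client, "time": ts, "method": method,
                        "action": action, "param": param, "value": value}
    return None


def scan_log(lines):
    """Scan an iterable of access-log lines and collect all findings."""
    return [f for f in (scan_line(line) for line in lines) if f]


# Constructed sample traffic (assumed /v1/api path; not real log data).
SAMPLE_LOG = [
    '10.0.0.8 - - [08/Jan/2025:09:01:12 +0000] "GET /v1/api?action=list_flightpath_destination_instances&cloud_type=1 HTTP/1.1" 200 311',
    '203.0.113.25 - - [08/Jan/2025:09:03:40 +0000] "GET /v1/api?action=list_flightpath_destination_instances&cloud_type=1%3Becho+probe HTTP/1.1" 200 5120',
    '198.51.100.7 - - [08/Jan/2025:09:05:02 +0000] "GET /v1/api?action=flightpath_connection_test&src_cloud_type=4%7Cecho+probe HTTP/1.1" 500 98',
    '10.0.0.9 - - [08/Jan/2025:09:06:30 +0000] "GET /v1/api?action=login HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run it over the controller's real web-server logs (one line per call to scan_line) and treat any hit from a non-administrative source as a lead for the broader compromise investigation.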

Indicators of Compromise

IP Addresses: 91.193.19[.]109:13333 (Sliver C2 Server), 107.172.43[.]186:3939 (Cryptocurrency mining pool)

Malware Hashes: XMRig and Sliver samples identified by SHA1 hashes such as 1ce0c293f2042b677cd55a393913ec052eded4b9.

The community and organizations should remain vigilant and ensure systems are updated promptly to prevent exploitation of this critical flaw.
