A recently disclosed critical security flaw affecting the Aviatrix Controller cloud networking platform is being actively exploited in the wild to deploy backdoors and cryptocurrency miners.
Cloud security company Wiz said it was currently responding to “multiple incidents” involving the weaponization of CVE-2024-50603 (CVSS score: 10.0), a maximum severity bug that could result in unauthenticated remote code execution.
In other words, successful exploitation of the flaw could allow an attacker to inject malicious operating system commands, because certain API endpoints do not properly sanitize user-supplied input. The vulnerability was fixed in versions 7.1.4191 and 7.2.4996.
Jakub Korepta, a security researcher at Polish cybersecurity company Securing, was credited with discovering and reporting the flaw. A proof-of-concept (PoC) exploit has since been made public.
Data collected by the cybersecurity company shows that approximately 3% of enterprise cloud environments have deployed Aviatrix Controller, and in 65% of those deployments there is a lateral movement path to cloud control plane administrative permissions. This, in turn, allows for privilege escalation in the cloud environment.
“When deployed in AWS cloud environments, Aviatrix Controller allows privilege escalation by default, making exploitation of this vulnerability a high-impact risk,” said Wiz researchers Gal Nagli, Merav Bar, Gili Tikochinski and Shaked Tanchuma.
Real-world attacks exploiting CVE-2024-50603 use the initial access to the targeted instances to mine cryptocurrency with XMRig and to deploy the Sliver command-and-control (C2) framework, likely for persistence and follow-on exploitation.
“While we have not yet seen direct evidence of lateral cloud movement, we believe it is likely that threat actors are using this vulnerability to enumerate the host’s cloud permissions and then turn toward exfiltration of data from victims’ cloud environments,” the Wiz researchers said.
In light of the active exploitation, users are advised to apply the patches as soon as possible and to block public access to the Aviatrix Controller.
Update
When contacted for comment on the active exploitation of CVE-2024-50603, Aviatrix shared the statement below with The Hacker News:
Aviatrix was informed of the security vulnerability in late October and released a software patch in early November. Due to the potential severity of the vulnerability, the patch was released for many software versions that have now been out of support for almost 2 years. Although we strongly recommend that customers stay up to date with their software, customers using Controller version 6.7+ who have applied the security patch can be protected even if they have not upgraded to the latest versions.
That said, Aviatrix is committed to the highest levels of security and transparency. We take the security of our software and our customers very seriously, and releasing a patch in itself is not enough. To ensure coverage, we have launched several targeted campaigns in collaboration with customers to ensure they are fixed by early November. This took place across multiple channels, including multiple direct email outreach campaigns, display of banners in the UI, communication when opening support cases, and several other mechanisms. During these campaigns, we also worked with customers to harden their configuration based on best practices to mitigate potential threats beyond the vulnerability.
On December 19, ahead of public disclosure, we released permanent fixes for our currently supported software streams – 7.1 and 7.2. Our bar is high and our goal was 100% coverage. We were happy to see a very significant portion of our customer base updated and hardened before publicly and responsibly disclosing the vulnerability on January 7th. We continue to communicate with our customers and work with those who believe they have been exploited to restore their Aviatrix software to a clean state.
Aviatrix Controller flaw added to CISA KEV catalog
On January 16, 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-50603 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by February 6, 2025.