Cloud Attackers Capitalize on Critical Aviatrix RCE Vulnerability

A newly revealed, critical security vulnerability in the Aviatrix Controller, a platform designed for managing cloud networking, is currently being targeted by various threat actors.

This vulnerability, cataloged as CVE-2024-50603 (with a CVSS score of 10), could permit unauthorized remote attackers to execute arbitrary commands, potentially gaining complete control over compromised systems. Currently, this flaw is being exploited to install XMRig cryptomining malware and the Sliver backdoor on targeted machines.

CVE-2024-50603: A High-Impact Vulnerability

The risk associated with this vulnerability is particularly pronounced in Amazon Web Services (AWS) environments, where the Aviatrix Controller’s default setup allows for ease of privilege escalation, as highlighted by researchers from Wiz Security in a recent blog post.

According to their findings, around 3% of enterprises utilizing cloud services have deployed the Aviatrix Controller, and in 65% of these installations, the virtual machine that hosts the controller has sufficient access to the administrative cloud control plane.

Organizations of considerable stature, such as Heineken, Raytheon, Yara, and IHG Hotels and Resorts, leverage Aviatrix technology to streamline their cloud networking operations across various platforms like AWS, Azure, and Google Cloud Platform. This technology not only facilitates the automated management of networking infrastructure but also oversees security measures, encryption protocols, and connectivity policies.

The flaw arises from the Aviatrix Controller's failure to properly validate data it receives through its application programming interface (API), underscoring the growing security risks connected to API usage across organizations. Common risks tied to APIs include configuration mishaps, insufficient visibility, and a lack of effective security assessments.

Aviatrix Controller versions prior to 7.2.4996 or 7.1.4191 are affected by this vulnerability. In response, Aviatrix has released a patch and recommends that organizations either apply this patch or update to the specified versions.

Aviatrix has cautioned that under certain conditions, the patch may not remain intact through controller upgrades and may need to be reapplied, especially if the patch was applied to unsupported versions.

Hackers Mount Opportunistic Cloud Attacks

The existence of this vulnerability was reported by security researcher Jakub Korepta of SecuRing, who shared comprehensive details about the issue on January 7. The subsequent day saw the emergence of a proof-of-concept exploit on GitHub, leading to an immediate surge in exploitation efforts.

Alon Schindel, vice president of AI & Threat Research at Wiz, mentioned that following the release of the proof-of-concept exploit, many attackers began targeting vulnerable instances of Aviatrix. He observed that while the general trend of exploitation attempts remains consistent, organizations are increasingly implementing patches to thwart these attacks.

Schindel described the nature of the exploitations as largely opportunistic, originating from automated tools scanning for unprotected Aviatrix installations.

Despite some sophisticated attack vectors being observed, he suggested that most instances seem to be part of broader sweeps, lacking a high level of customization or direct targeting of particular companies.

Evidence indicates that various threat actors, including organized crime groups, are taking advantage of this vulnerability. However, Schindel stated that no single group has yet emerged as the primary culprit in exploiting it. Depending on their infrastructure, attackers could potentially access sensitive data, infiltrate other areas of cloud or on-premises systems, or disrupt operations.

A Reminder of API-Based Cyber-Risks

Ray Kelly, a fellow at Black Duck, emphasized that the Aviatrix Controller vulnerability serves as yet another warning regarding the escalating dangers associated with API endpoints and the complexities involved in their management. He pointed out that this incident illustrates how compromised servers can result from simple API calls, underscoring the necessity for rigorous API testing. However, such thorough evaluation can be challenging due to the intricate and interconnected nature of APIs, many of which are developed by external vendors.

To counter such risks, Kelly suggests implementing clear governance rules for third-party software, including comprehensive vetting of provider security, enforcing consistent protective measures, and maintaining ongoing monitoring of software vulnerabilities and performance.

In the wake of the Aviatrix vulnerability, Schindel recommends that organizations quickly apply the provided patch. For those unable to patch right away, he advises restricting network access to the Aviatrix Controller through an IP allowlist to limit exposure, and closely monitoring system logs for suspicious behavior related to exploit attempts. Setting up alerts for unusual actions associated with Aviatrix and minimizing unnecessary movement paths between cloud identities are also strong preventative measures organizations should take.

Source
www.darkreading.com
