A recently disclosed critical security flaw impacting the Aviatrix Controller cloud networking platform has come under active exploitation in the wild to deploy backdoors and cryptocurrency miners.
Cloud security firm Wiz said it’s currently responding to “multiple incidents” involving the weaponization of CVE-2024-50603 (CVSS score: 10.0), a maximum severity bug that could result in unauthenticated remote code execution.
Put differently, successful exploitation of the flaw could permit an attacker to inject malicious operating system commands, because certain API endpoints do not adequately sanitize user-supplied input. The vulnerability has been addressed in versions 7.1.4191 and 7.2.4996.
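To make the bug class concrete, the following is an added example (hypothetical handler code, not Aviatrix's, and with a constructed parameter name and command) contrasting an API handler that interpolates an unvalidated parameter into a shell string with a hardened version that allowlists the value and passes it as a single argv element with no shell in between:

```python
import re
import subprocess
from typing import List

# Hypothetical API handler logic illustrating the bug class only; the
# endpoint, the "gateway_name" parameter and the command are constructed.

# Allowlist: a hostname-like token containing nothing that /bin/sh treats
# as syntax (no ';', '|', '&', '$', backticks, quotes, whitespace, ...).
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,62}$")


def vulnerable_command(gateway_name: str) -> str:
    """Build the string a vulnerable handler would hand to
    subprocess.run(..., shell=True). The parameter is interpolated
    unsanitized, so a value such as '10.0.0.1; id' makes the shell run
    a second command after ping."""
    return f"ping -c 1 {gateway_name}"


def is_safe_token(value: str) -> bool:
    """True only if the value matches the allowlist exactly."""
    return SAFE_TOKEN.fullmatch(value) is not None


def hardened_argv(gateway_name: str) -> List[str]:
    """Reject anything outside the allowlist, then return an argv list.
    Run with subprocess.run(argv) (shell=False, the default), the value is
    one argument passed to execve() and is never parsed as shell syntax."""
    if not is_safe_token(gateway_name):
        raise ValueError(f"rejected gateway_name: {gateway_name!r}")
    return ["ping", "-c", "1", gateway_name]


def run_hardened(gateway_name: str) -> subprocess.CompletedProcess:
    """Execute the validated command without a shell."""
    return subprocess.run(hardened_argv(gateway_name),
                          capture_output=True, text=True, timeout=10)


def looks_injected(value: str) -> bool:
    """Cheap detection filter for request logs: flags parameter values
    containing shell metacharacters, which a legitimate client never sends."""
    return re.search(r"[;&|`$(){}<>\n\\'\"]", value) is not None


if __name__ == "__main__":
    benign, hostile = "gw-prod-1", "10.0.0.1; id"          # constructed inputs
    print("vulnerable string:", vulnerable_command(hostile))  # shell sees 2 commands
    print("hardened argv:", hardened_argv(benign))
    print("flagged:", looks_injected(hostile), looks_injected(benign))
```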
Jakub Korepta, a security researcher at Polish cybersecurity company Securing, has been credited with discovering and reporting the shortcoming. A proof-of-concept (PoC) exploit has since been made publicly available.
Data gathered by Wiz shows that around 3% of cloud enterprise environments have Aviatrix Controller deployed, and in 65% of those environments there is a lateral movement path from the Controller to administrative cloud control plane permissions. This, in turn, allows for privilege escalation in the cloud environment.
“When deployed in AWS cloud environments, Aviatrix Controller allows privilege escalation by default, making exploitation of this vulnerability a high-impact risk,” Wiz researchers Gal Nagli, Merav Bar, Gili Tikochinski, and Shaked Tanchuma said.
Real-world attacks exploiting CVE-2024-50603 are leveraging the initial access to target instances to mine cryptocurrency using XMRig and to deploy the Sliver command-and-control (C2) framework, likely for persistence and follow-on exploitation.
“While we have yet to see direct evidence of cloud lateral movement, we do believe it likely that threat actors are utilizing the vulnerability to enumerate the cloud permissions of the host and then pivot to exfiltrating data from the victims’ cloud environments,” Wiz researchers said.
In light of active exploitation, users are advised to apply the patches as soon as possible and to prevent public access to Aviatrix Controller.
Update
When reached for comment regarding active exploitation of CVE-2024-50603, Aviatrix shared the below statement with The Hacker News –
Aviatrix was notified of the security vulnerability in late October and issued a hot patch in early November. Because of the potential severity of the vulnerability, the patch was issued for numerous versions of software that are now End of Support for nearly 2 years. While we strongly recommend that customers remain current in their software, customers on Controller version 6.7+ who have applied the Security Patch can be protected even if they have not upgraded to the latest versions.
That said, Aviatrix is committed to the highest levels of security and transparency. We take our software and customers’ security incredibly seriously, and issuing a patch by itself is not enough. To ensure coverage, we kicked off multiple targeted campaigns working with customers to ensure they were patched in early November. This spanned several channels, including multiple direct outreach campaigns via e-mail, pushing banners in the UI, communicating upon opening support cases, and several other mechanisms. During those campaigns, we also worked with customers to harden their configuration based on best practices to mitigate potential threats beyond the vulnerability.
On December 19th, prior to public disclosure, we released permanent fixes for our currently supported software trains – 7.1 and 7.2. Our bar is high, and our goal was 100% coverage. We were happy to see a very significant portion of our customer base patched and hardened prior to responsibly publicly disclosing the vulnerability on January 7th. We continue to communicate with our customers and are working with those who believe they have been exploited to restore their Aviatrix software to a clean state.