Hackers Exploit Aviatrix Controller Vulnerability to Deploy Backdoors and Crypto Miners

CVE-2024-50603: Aviatrix Controller Remote Code Execution (RCE) Vulnerability
Overview
A critical Remote Code Execution (RCE) vulnerability, identified as CVE-2024-50603, has been discovered in the Aviatrix Controller, a cloud networking platform. This vulnerability has been assigned the maximum CVSS score of 10.0 due to its severe impact and ease of exploitation.
Technical Details
- Vulnerability Cause: The vulnerability stems from the improper neutralization of user-supplied input in the Aviatrix Controller’s API. Specifically, parameters such as cloud_type and src_cloud_type in API endpoints like list_flightpath_destination_instances and flightpath_connection_test are incorporated into command strings without adequate sanitization. This allows unauthenticated attackers to inject malicious OS commands, leading to arbitrary code execution.
Affected Versions
- The vulnerability affects Aviatrix Controller versions prior to 7.1.4191 and 7.2.x versions before 7.2.4996. Patched versions (7.1.4191 and 7.2.4996) have been released to address the issue.
Exploitation in the Wild
- The vulnerability was disclosed on January 7, 2025, with a proof-of-concept exploit published the following day. Within hours, cybersecurity firm Wiz Research observed active exploitation across multiple cloud environments. Threat actors have leveraged this flaw to deploy cryptojacking malware (using XMRig) and Sliver backdoors for persistence.
Impact and Risks
- Cryptojacking and Backdoors: Attackers are using the vulnerability to deploy cryptocurrency miners and backdoors, specifically the Sliver command-and-control (C2) framework, likely for persistence and follow-on exploitation.
- Lateral Movement: Approximately 3% of enterprise cloud environments deploy Aviatrix Controller, and 65% of these environments allow lateral movement paths from the controller’s virtual machine to cloud control plane permissions. The high IAM privilege granted to the controller by default in AWS environments makes privilege escalation within the cloud environment possible.
- Data Exfiltration: Although direct evidence of lateral movement has not yet been observed, researchers believe it is likely that threat actors are using the vulnerability to enumerate cloud permissions and pivot to exfiltrating data from the victims’ cloud environments.
Mitigation Recommendations
- Upgrade to Patched Versions: Organizations should update to version 7.1.4191 or 7.2.4996 to mitigate the vulnerability.
- Restrict Network Access: Implement network restrictions to prevent public exposure of Aviatrix Controller.
- Conduct Forensic Investigations: Analyze potentially compromised systems for signs of malware or unauthorized access.
- Monitor for Lateral Movement: Assess cloud environments for any unusual activity or privilege escalation attempts.
- Leverage Security Tools: Use tools like Wiz Threat Center queries to identify vulnerable instances within the environment.
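To support the forensic and monitoring recommendations above, the following added example (not Aviatrix's code and not from the original advisory) scans web-server access-log lines for requests to the two flightpath endpoints named in the Technical Details and flags any cloud_type / src_cloud_type value that is not a plain identifier. The log layout, the /v1/api?action=... URL shape and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoints and parameters named in the advisory. Addressing them through an
# "action" query parameter on /v1/api is an assumption made for this example.
SUSPECT_ENDPOINTS = {"list_flightpath_destination_instances", "flightpath_connection_test"}
SUSPECT_PARAMS = ("cloud_type", "src_cloud_type")
# A legitimate cloud type is a short identifier; shell metacharacters never belong here.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")
# Common/combined access-log layout: client ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def suspicious_requests(log_lines):
    """Return one finding per request that hits a flightpath endpoint with a
    cloud_type-style parameter whose (decoded) value is not a plain identifier."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log entry in the expected layout
        client, ts, _method, target, status = m.groups()
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)  # percent-decodes values
        action = query.get("action", [""])[0]
        if action not in SUSPECT_ENDPOINTS:
            continue
        for param in SUSPECT_PARAMS:
            for value in query.get(param, []):
                if not SAFE_VALUE.fullmatch(value):
                    findings.append({"client": client, "time": ts, "status": status,
                                     "action": action, "param": param, "value": value})
    return findings


# Constructed sample log lines (not real traffic); %3B decodes to ";", %24%28..%29 to "$(..)".
SAMPLE_LOGS = [
    '10.0.0.5 - - [08/Jan/2025:10:15:01 +0000] "GET /v1/api?action=list_flightpath_destination_instances&cloud_type=1 HTTP/1.1" 200 512',
    '198.51.100.23 - - [08/Jan/2025:10:16:44 +0000] "GET /v1/api?action=list_flightpath_destination_instances&cloud_type=1%3Bid HTTP/1.1" 200 88',
    '203.0.113.9 - - [08/Jan/2025:10:17:02 +0000] "GET /v1/api?action=flightpath_connection_test&src_cloud_type=%24%28id%29 HTTP/1.1" 500 0',
    '10.0.0.7 - - [08/Jan/2025:10:18:30 +0000] "GET /v1/api?action=list_accounts HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for f in suspicious_requests(SAMPLE_LOGS):
        print(f"{f['time']} {f['client']} {f['action']} {f['param']}={f['value']!r} (HTTP {f['status']})")
```

Access logs only expose query-string parameters, so requests that carry these parameters in a POST body need request-body or WAF logging to be covered by the same check.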
Conclusion
The rapid exploitation of CVE-2024-50603 highlights the critical need for timely patching and proactive security measures in cloud environments. Maintaining robust security practices, such as minimizing attack surfaces and monitoring for emerging threats, is essential to safeguarding sensitive data and operations from cyberattacks.