
Ethical Hacking News

The Critical Aviatrix Controllers Vulnerability: A Widespread Threat to Cloud Security



The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the Aviatrix Controllers vulnerability, tracked as CVE-2024-50603, to its Known Exploited Vulnerabilities catalog due to its critical nature. This vulnerability allows unauthenticated attackers to execute arbitrary code via improper command neutralization in the API, posing significant risks to cloud security.

  • The U.S. CISA has added the Aviatrix Controllers vulnerability (CVE-2024-50603) to its Known Exploited Vulnerabilities catalog; it is rated critical and poses significant risks to organizations running affected versions.
  • The vulnerability is a command injection flaw that allows unauthenticated attackers to execute arbitrary code via improper command neutralization in the API.
  • Threat actors are already exploiting this flaw in attacks in the wild, deploying backdoors and cryptocurrency miners.
  • Fixed Aviatrix Controller versions 7.1.4191 and 7.2.4996 are available, but threat actors continue to exploit unpatched installations.
  • The vulnerability poses a risk of lateral movement within cloud environments, allowing threat actors to compromise sensitive data.
  • Experts warn that while there is no direct evidence of cloud lateral movement, it's likely that threat actors are using the vulnerability to enumerate cloud permissions and pivot to exfiltrating data.



  • U.S. CISA adds Aviatrix Controllers vulnerability to its Known Exploited Vulnerabilities catalog
    The Cybersecurity and Infrastructure Security Agency (CISA) has taken a proactive step in enhancing the security posture of cloud infrastructure by adding the Aviatrix Controllers vulnerability, tracked as CVE-2024-50603, to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability is rated critical and poses significant risks to organizations running Aviatrix Controller versions prior to 7.1.4191, or 7.2.x versions prior to 7.2.4996.

    The Aviatrix Controllers vulnerability is a command injection flaw that allows unauthenticated attackers to execute arbitrary code via improper command neutralization in the API. It has been addressed in the patched Aviatrix Controller versions 7.1.4191 and 7.2.4996. However, threat actors are already exploiting this flaw in attacks in the wild, deploying backdoors and cryptocurrency miners.

    The Wiz Incident Response team reported that threat actors are actively exploiting the CVE-2024-50603 vulnerability to deploy malware and engage in other malicious activities. The team emphasized the urgency of patching this vulnerability to prevent potential security breaches. According to a proof-of-concept (PoC) exploit, available publicly, an attacker can execute arbitrary commands against Aviatrix Controllers by manipulating user-supplied input.

    Aviatrix's PSIRT has confirmed active exploitation of the flaw and urged organizations to take immediate action to protect their controllers. As Wiz Research highlighted, the privilege escalation that the controller's default permissions make possible in AWS environments amplifies the impact of exploitation, enabling cryptojacking and backdoor deployment.

    According to data gathered by Wiz, approximately 3% of cloud enterprise environments have Aviatrix Controller deployed. A staggering 65% of such environments have a virtual machine hosting Aviatrix Controller with a lateral movement path to administrative cloud control plane permissions. This information highlights the potential for threat actors to exploit this vulnerability and move laterally within the cloud environment, compromising sensitive data.

    Wiz's investigation found that threat actors who gain access through CVE-2024-50603 are abusing it to mine cryptocurrency with XMRig, to deploy Sliver backdoors (presumably for persistence), and likely to enumerate cloud permissions in preparation for data exfiltration.

    Experts warn that while there is currently no direct evidence of cloud lateral movement, it is likely that threat actors are utilizing the vulnerability to enumerate the cloud permissions of the host and then pivot to exfiltrating data from the victims' cloud environments. CISA has ordered federal agencies to fix this vulnerability by February 6, 2025.

    Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, requires federal civilian agencies to address catalogued vulnerabilities within a specified timeframe to protect their networks against attacks exploiting those flaws. Private organizations are also advised to review the KEV catalog and address the listed vulnerabilities in their infrastructure.
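A small triage helper, added here as an example and not code from Aviatrix, Wiz or CISA: it flags controller hosts whose version falls inside the affected ranges the article names (below 7.1.4191, or 7.2.x below 7.2.4996) and reports how many days remain until the KEV due date. The host inventory and the KEV-style record are constructed sample data; the assumption that no other release branch is affected follows from the article listing none.

```python
"""Triage helper for CVE-2024-50603 (added example, not vendor or CISA code).

Flags Aviatrix Controller hosts running a version inside the affected ranges
named in the article and computes the days left until the CISA KEV due date.
"""
from datetime import date

# Affected ranges as stated in the article: every build before 7.1.4191, and
# 7.2.x builds before 7.2.4996. Other branches are treated as out of scope
# (assumption: the article lists no other affected branch).
FIXED_71 = (7, 1, 4191)
FIXED_72 = (7, 2, 4996)

# Constructed KEV-style record; field names follow the CISA KEV JSON feed,
# values are the ones the article gives.
KEV_ENTRY = {
    "cveID": "CVE-2024-50603",
    "vendorProject": "Aviatrix",
    "product": "Controllers",
    "dueDate": "2025-02-06",
}


def parse_version(text):
    """'7.2.4820' -> (7, 2, 4820); raises ValueError on anything else."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"unexpected version format: {text!r}")
    return parts


def is_affected(version_text):
    """True when the version is inside one of the article's affected ranges."""
    v = parse_version(version_text)
    if v[:2] == (7, 2):
        return v < FIXED_72
    return v < FIXED_71  # covers 7.0.x, 7.1.x and older branches


def triage(inventory, today_iso):
    """inventory: {hostname: version}. Returns [(host, version, days_left)]."""
    due = date.fromisoformat(KEV_ENTRY["dueDate"])
    days_left = (due - date.fromisoformat(today_iso)).days
    return [(h, v, days_left) for h, v in sorted(inventory.items()) if is_affected(v)]


if __name__ == "__main__":
    sample_inventory = {  # constructed sample data
        "ctrl-prod-1": "7.1.4191", "ctrl-prod-2": "7.2.4820",
        "ctrl-lab": "7.0.1234", "ctrl-new": "7.2.4996",
    }
    for host, ver, left in triage(sample_inventory, "2025-01-17"):
        print(f"{host}: {ver} affected by {KEV_ENTRY['cveID']}, {left} days to KEV due date")
```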

    In conclusion, the critical Aviatrix Controllers vulnerability highlights the importance of proactive cybersecurity measures. Organizations must prioritize patching this vulnerability to prevent potential security breaches and ensure the integrity of their cloud infrastructure.

    Related Information:

  • https://securityaffairs.com/173189/hacking/u-s-cisa-aviatrix-controllers-vulnerability-known-exploited-vulnerabilities-catalog.html

  • https://nvd.nist.gov/vuln/detail/CVE-2024-50603

  • https://www.cvedetails.com/cve/CVE-2024-50603/


  • Published: Fri Jan 17 10:12:05 2025 by llama3.2 3B Q4_K_M