A recent security vulnerability identified by Jakub Korepta of Securing poses a significant threat to Aviatrix Controllers, enabling unauthenticated users to execute arbitrary commands on the affected systems. The advisory highlights the critical nature of the vulnerability, as indications suggest that malicious actors are actively attempting to exploit it in the wild.
Vulnerability Overview
The vulnerability has received a CVSS score of 9.9, categorizing it as “Critical.” It affects all supported versions of the Aviatrix Controller earlier than 7.1.4191 or 7.2.4996. If users do not address this vulnerability, attackers could exploit it to execute arbitrary commands, potentially leading to serious consequences such as:
- Data Exfiltration: Attackers could access sensitive information and exfiltrate data from the affected system.
- Malicious Software Deployment: The vulnerability could enable attackers to install and execute unauthorized software, compromising the integrity and security of the system.
Recommended Actions
To mitigate the risks associated with this vulnerability, Aviatrix strongly recommends that users update their Controllers to one of the following versions: 7.1.4191 or 7.2.4996. Additionally, users should install the security patch for CVE-2024-50603 to address this critical vulnerability. Aviatrix also advises users to follow the Controller IP Access guidelines and ensure that port 443 is not exposed to the Internet, further enhancing the security posture of their deployments.
Applying the Security Patch
To apply the security patch, users should follow the standard procedure for applying a security patch. However, in certain circumstances, the patch may not remain fully persistent across controller upgrades and will need reapplication, even if the controller status indicates “Patched.” These circumstances include:
- The patch was initially applied to a version prior to 7.1.4191 or 7.2.4996.
- The Controller subsequently updates to a version prior to 7.1.4191 or 7.2.4996.
- The Controller does not have an associated CoPilot running version 4.16.1 or higher.
To ensure ongoing protection, users must regularly verify their system status and promptly reapply the security patch as needed.
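As an added example (not from the advisory or from Aviatrix), the following Python turns the conditions above into a check that can be run over an inventory of controllers: it compares a build against the fixed builds for its release line and flags any controller where the patch should be (re)applied, regardless of what the controller's own status shows. The Controller record and its fields are assumptions for illustration; the advisory does not say how versions later than 7.2 or earlier than 7.1 are treated, so the code's handling of those is labelled as an assumption.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Fixed builds per release line, as stated in the advisory.
FIXED_BUILDS = {(7, 1): 4191, (7, 2): 4996}
# Minimum associated CoPilot version for the patch to persist.
MIN_COPILOT = (4, 16, 1)


def parse_version(v: str) -> Tuple[int, ...]:
    """'7.1.4190' -> (7, 1, 4190); raises ValueError on malformed input."""
    parts = tuple(int(p) for p in v.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"unexpected version format: {v!r}")
    return parts


def is_fixed_version(version: str) -> bool:
    """True if the build is at or above the fixed build for its release line.
    Assumption (not in the advisory): lines newer than 7.2 count as fixed,
    lines older than 7.1 as unfixed."""
    major, minor, *rest = parse_version(version)
    line = (major, minor)
    if line in FIXED_BUILDS:
        build = rest[0] if rest else 0
        return build >= FIXED_BUILDS[line]
    return line > (7, 2)


@dataclass
class Controller:               # hypothetical inventory record
    name: str
    version: str                # build the controller runs now
    patched_on: Optional[str]   # build the patch was first applied to; None if never
    copilot_version: Optional[str]  # None if no CoPilot is associated


def needs_patch_action(c: Controller) -> bool:
    """True when the patch must be applied or reapplied: any of the advisory's
    persistence conditions holds, even if the UI reports 'Patched'."""
    if c.patched_on is None:
        return True                                  # never patched
    if not is_fixed_version(c.patched_on):
        return True                                  # patched on a pre-fix build
    if not is_fixed_version(c.version):
        return True                                  # moved to a pre-fix build
    if c.copilot_version is None or parse_version(c.copilot_version) < MIN_COPILOT:
        return True                                  # no or too-old CoPilot
    return False
```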