Aviatrix Controller: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CVE-2024-50603) #shorts

Summary

Today we're discussing a critical vulnerability identified as CVE-2024-50603, which has been discovered in the Aviatrix Controller. This issue allows for remote code execution through improper handling of special elements in OS commands. The vulnerability is actively being exploited, which makes it imperative for affected users to update their systems immediately.

Product details

The affected product in this vulnerability is the Aviatrix Controller software. Specifically, versions before 7.1.4191 and 7.2.x before 7.2.4996 are susceptible to this security flaw. This software is a key component in cloud network management, allowing enterprises to manage and secure their cloud resources effectively.

Vulnerability type summary

The vulnerability type is categorized under CWE-78, which denotes improper neutralization of special elements used in an OS Command, also known as OS Command Injection. This type of vulnerability can allow attackers to execute arbitrary commands on the host system.

Details of the vulnerability

The issue arises because of the failure to properly neutralize special elements, or shell metacharacters, within API calls of the Aviatrix Controller. Specifically affected are the functions for 'list_flightpath_destination_instances' and 'flightpath_connection_test' in the API version /v1. If exploited, this flaw allows an unauthenticated attacker to execute arbitrary code, thus potentially gaining unauthorized access and control over the affected system.

Conclusion

In conclusion, CVE-2024-50603 represents a significant security threat due to its exploitation potential and the fact that it is actively being leveraged in the wild. Users of Aviatrix Controller should prioritize patching and updating their systems to version 7.1.4191 or 7.2.4996 and beyond to mitigate this risk. As always, maintaining an updated security posture is crucial in protecting against threats like these.

Watch the full video on YouTube: CVE-2024-50603

Remediation and exploitation details

This chain involves the following actors

This following systems are involved

Attack entry point

Remediation actions

Exploitation actions

Related Content

NOTE: The following related content has not been vetted and may be unsafe.

CVE database technical details

CVE ID
CVE-2024-50603
Description
An issue was discovered in Aviatrix Controller before 7.1.4191 and 7.2.x before 7.2.4996. Due to the improper neutralization of special elements used in an OS command, an unauthenticated attacker is able to execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloud_type for list_flightpath_destination_instances, or src_cloud_type for flightpath_connection_test.
Provider
mitre
CWE / problem types
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Affected Software Versions
Aviatrix:Controller:[{'lessThan': '7.1.4191', 'status': 'affected', 'version': '0', 'versionType': 'custom'}, {'lessThan': '7.2.4996', 'status': 'affected', 'version': '7.2.0', 'versionType': 'custom'}]
Date Published
2025-01-08T00:00:00.000Z
Last Updated
2025-01-27T22:09:19.755Z