CVE-2024-50603 impacts Aviatrix with Cryptomining

CVE-2024-50603 impacts Aviatrix with Cryptomining

No Comments

CVE-2024-50603 is a critical security vulnerability identified in the Aviatrix Controller, a cloud networking platform used to manage and secure cloud infrastructure across multiple providers. This vulnerability allows unauthenticated attackers to inject arbitrary code into the system, leading to severe security breaches, including the deployment of cryptomining malware.

Vulnerability Details

  • CVE-2024-50603:
  • Discovered by: Jakub Korepta
  • Reported to: Aviatrix
  • CVSS Score: 10.0 (Critical)
  • Affected Versions: Aviatrix Controller versions 7.x before 7.1.4191 and 7.2.x before 7.2.4996

The vulnerability stems from improper neutralization of special elements used in an OS command. This allows attackers to exploit certain endpoints within the Aviatrix Controller’s API, which is implemented in PHP, to execute arbitrary code without authentication.

Advertisements

Exploitation Method

Attackers can leverage CVE-2024-50603 to carry out the following steps:

  1. Initial Access: Attackers identify exposed Aviatrix Controller endpoints that are vulnerable to command injection.
  2. Code Injection: Using specially crafted requests, attackers inject arbitrary code into the system.
  3. Privilege Escalation: The injected code allows attackers to escalate their privileges, gaining full control over the affected device.
  4. Malware Deployment: Attackers install malicious software, including cryptomining malware, to utilize the system’s resources for their gain.

Cryptomining Exploitation

One of the primary malicious activities observed exploiting this vulnerability is the deployment of cryptomining malware, specifically XMRig, which is used to mine the cryptocurrency Monero (XMR).

Detailed Steps of Cryptomining Exploitation

  1. Unauthorized Access: Once attackers gain unauthorized access to the Aviatrix Controller, they can control the system without being detected.
  2. Cryptomining Software Installation: Attackers install XMRig, a popular Monero mining software, on the compromised system.
  3. Resource Utilization: The cryptomining software begins to utilize the system’s computational resources to mine Monero. This process involves solving complex mathematical problems, which consumes significant CPU and GPU power.
  4. Monero Generation: The mined Monero is transferred to the attackers’ wallets, generating cryptocurrency for the attackers at the expense of the victim’s resources.

Impact

The impact of CVE-2024-50603 and the associated cryptomining exploitation is severe, including:

  • Unauthorized Access: Attackers can gain unauthorized access to the cloud environment, compromising its security.
  • Privilege Escalation: The exploit allows attackers to escalate their privileges, gaining full control over the affected device.
  • Cryptomining: Attackers install cryptomining malware such as XMRig, which siphons valuable computational resources, leading to increased operational costs and degraded performance.
  • Backdoors: Attackers can install additional backdoors, such as Sliver, providing persistent access to the compromised system.
  • Potential Lateral Movement: Although not yet observed, the vulnerability could allow attackers to move laterally within the cloud environment, potentially compromising other systems and accessing administrative control plane permissions.
Advertisements

Mitigation

To protect against CVE-2024-50603 and its exploitation, the following mitigation strategies should be implemented:

  1. Patch: Aviatrix has released patches for this vulnerability in versions 7.1.4191 and 7.2.4996. Users are advised to upgrade to these versions to mitigate the risk. The update process involves downloading the latest firmware from the Aviatrix support website and following the provided instructions to apply the patches.
  2. Restrict Access: Avoid exposing port 443 to the internet. Follow recommended IP access guidelines to minimize the attack surface. Restrict access to the Aviatrix Controller to trusted IP addresses only.
  3. Monitor for Unusual Activity: Implement monitoring solutions to detect any suspicious activity related to unauthorized access and cryptomining. Use security tools that can identify and alert on unusual behavior.
  4. Regular Security Audits: Conduct regular security audits and vulnerability assessments to identify and address potential security gaps in the cloud environment.

Conclusion

CVE-2024-50603 highlights the critical importance of maintaining up-to-date security practices and being vigilant about cloud security. By promptly applying the necessary security updates and following recommended mitigation strategies, users can protect their cloud environments from potential exploitation and ensure a safer, more secure computing environment.

Tags:

Comments

No comments yet. Why don’t you start the discussion?

    Leave a Reply

    This site uses Akismet to reduce spam. Learn how your comment data is processed.