Security Advisories: https://docs.aviatrix.com/HowTos/security_bulletin_article.html
CyberOne's TEAMARES recently discovered multiple vulnerabilities in the Aviatrix Cloud Controller appliance v5.3.1516 and the Aviatrix VPN client v2.8.2 for Linux, macOS, and Windows. TEAMARES would like to thank the Aviatrix security team for partnering with us to get the issues resolved.
The Aviatrix security team provided the following upgrade instructions.
To see your latest software upgrade, migration option, and Gateway version, log in as admin to the Aviatrix Controller console > Settings > Maintenance > Upgrade. See the image below.
Aviatrix cloud-native networking establishes an abstraction layer between the public cloud providers’ native networking and security constructs and the application to simplify networking in AWS, Azure, Google Cloud, and Oracle.
The Aviatrix Controller and Gateways are deployed as software in your VPCs and VNETs. The Aviatrix Controller provides programmatic control over the native constructs so you can easily take advantage of the cloud providers' existing services. Additionally, the same Aviatrix Controller enables you to extend the native services by adding enterprise-class control for hybrid connectivity, data security, multi-cloud operations, monitoring, and troubleshooting.
This blog will focus on two critical unauthenticated vulnerabilities discovered in the Aviatrix Cloud Controller. The complete list of vulnerabilities is given in the vulnerabilities table at the end of this blog. To manage the controller, an administrator must log in to the web console.
The controller also supports a set of APIs for managing the appliance. The Aviatrix API Documentation states that the "CID" parameter represents the session identifier, which the majority of API calls require.
Through dynamic and static code analysis, we discovered two sensitive API calls. The setup_network_options and edit_account_user APIs should require administrator-level access but did not validate the CID parameter. The setup_network_options API was leveraged to achieve unauthenticated remote code execution, and the edit_account_user API could be used to take control of the administrator account.
Reviewing the source code of the setup_network_options API function shows a call to the move_uploaded_file() PHP function. This function does what it sounds like: it moves a file received in an HTTP POST request from its temporary upload location to a destination path.
The setup_network_options API could be used to upload a new proxy certificate; however, neither the input filename nor the certificate content was validated or sanitized. This allowed arbitrary files to be uploaded. The TMPDIR constant was set to the tmp directory inside the web server root. This path is used by several functions to stage uploaded files before processing. The location is protected by an Apache .htaccess file which by default denies all HTTP requests. This configuration effectively blocked access to, and execution of, any .php script files that could be uploaded.
Upon further investigation, the tmp directory was discovered to have world-writable directory permissions (777). This allowed the www-data user to create and update files under the directory, including overwriting the .htaccess file itself.
The exploit was updated to first upload a new .htaccess file with an allow directive from our IP address.
The exploit now uploads a new .htaccess file, the PHP exploit (web shell), and then calls the PHP file resulting in a reverse shell running as root.
Root access was gained in a single step because the Sudo configuration allowed the www-data user to execute all commands as any user on the system.
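The three host-level conditions described above (a world-writable directory under the web root, an .htaccess that the web service account can replace because its directory is world-writable, and a sudo rule granting that account everything) can be checked with a small audit script. This is an added example, not Aviatrix code; the web root path, the sudoers file path and the account name are assumptions passed as arguments, and the fixture it builds is constructed to mimic the layout described in the text.

```shell
#!/bin/sh
# Added audit helper (not Aviatrix code). Checks a host for the weaknesses
# described above. WEBROOT, the sudoers file and WEBUSER are assumptions.

# audit_world_writable WEBROOT: list directories any local user can write to.
# Returns 1 if any are found (the page's tmp/ directory case).
audit_world_writable() {
    hits=$(find "$1" -type d -perm -0002 2>/dev/null || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits" | sed 's/^/WORLD-WRITABLE DIR: /'
    return 1
}

# audit_htaccess WEBROOT: an .htaccess that is itself world-writable, or that
# lives in a world-writable directory, can be replaced by the web account,
# which is how the deny-all rule was defeated. Returns 1 if any are found.
audit_htaccess() {
    hits=$( { find "$1" -name .htaccess -perm -0002 2>/dev/null
              find "$1" -type d -perm -0002 \
                -exec sh -c 'test -f "$1/.htaccess" && echo "$1/.htaccess"' sh {} \; 2>/dev/null
            } | sort -u || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits" | sed 's/^/REPLACEABLE .htaccess: /'
    return 1
}

# audit_sudoers FILE WEBUSER: flag "WEBUSER ALL=(ALL[:ALL]) [NOPASSWD:] ALL"
# rules, i.e. the account may run any command as any user. Returns 1 if found.
audit_sudoers() {
    hits=$(grep -nE "^[[:space:]]*$2[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL(:ALL)?\)[[:space:]]*(NOPASSWD:[[:space:]]*)?ALL[[:space:]]*$" "$1" 2>/dev/null || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits" | sed 's/^/UNRESTRICTED SUDO RULE (line:rule): /'
    return 1
}

# build_demo_fixture WEBUSER: constructed layout reproducing the described
# state: a 777 tmp/ under the web root holding a deny-all .htaccess, plus a
# sudoers line giving WEBUSER everything. Prints the fixture directory.
build_demo_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/webroot/tmp"
    printf 'Require all denied\n' > "$root/webroot/tmp/.htaccess"
    chmod 777 "$root/webroot/tmp"
    printf 'root ALL=(ALL:ALL) ALL\n%s ALL=(ALL) NOPASSWD: ALL\n' "$1" > "$root/sudoers"
    printf '%s\n' "$root"
}

# harden_demo_fixture DIR WEBUSER: the remediation, applied to the fixture
# (drop the world-writable bit, remove the unrestricted sudo rule).
harden_demo_fixture() {
    chmod 755 "$1/webroot/tmp"
    grep -v "^$2 " "$1/sudoers" > "$1/sudoers.new" && mv "$1/sudoers.new" "$1/sudoers"
}
```

Run the three audit functions against the real web root and /etc/sudoers (or the sudoers.d fragments) on a controller host; every function prints its findings and returns non-zero when the weakness is present.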
The edit_account_user API did not verify the CID session value. This was leveraged to silently take over the admin account. When the email address of admin is updated via the API, the existing email address is not notified that a change was made to the account.
Now that the address for the admin account had been updated, a "Forgot password" request could be initiated.
Within 60 seconds a one-time password (token) was sent to the updated admin email address under our control.
The token was submitted via the “Account Verification” page.
At this point a new password could be set for the admin account, concluding a successful account takeover attack.
The latest version of the Aviatrix Cloud Controller properly validates the CID value and adds additional hardening and authorization checks. Attempting to access the APIs from an unauthenticated view returns an error.
CVE Number | Fix Version | Fix Type | Vulnerability | Affected Product | Rating | Description
--- | --- | --- | --- | --- | --- | ---
2020-26553 | R6.0.2483 (8/4/2020) | Upgrade + Migration | Pre-auth Remote Code Execution | Aviatrix Cloud Controller 4.6 | Critical | API file doesn't require valid session ID & allows arbitrary files to be uploaded to web tree
2020-26552 | R5.4.1290 (8/5/2020) | Upgrade | Pre-auth Account Takeover | Aviatrix Cloud Controller UserConnect-5.3.1516 | Critical | API file doesn't require valid session & allows for account email address updates
2020-26550 | R5.3.1551 (6/4/2020) | Upgrade + Migration | Insufficiently Protected Credentials | Aviatrix Cloud Controller UserConnect-5.3.1516 | Critical | Encrypted file containing credentials to unrelated systems is protected by a weak key
2020-26553 | R6.0.2483 (8/4/2020) | Upgrade | Post-auth Remote Code Execution | Aviatrix Cloud Controller UserConnect-5.3.1516 | High | Several APIs contain functions that allow arbitrary files to be uploaded to web tree
2020-26551 | AMI Software Version 050120 (Aug 13, 2020) | Upgrade + Migration | Cleartext Storage of Cryptographic Key | Aviatrix Cloud Controller UserConnect-5.3.1516 | High | Encrypted key values are stored in cleartext in a readable file
2020-13417 | 2.10.8 – May 14 2020 | Upgrade | Incomplete Fix for CVE-2020-7224 Elevation of Privilege | Aviatrix VPN Client 2.8.2 (macOS, Linux, Windows) | High | Vulnerability was previously reported & an incomplete patch was released
Pending | 2.10.8 – May 14 2020 | Upgrade | Arbitrary File Write | Aviatrix VPN Client 2.8.2 (macOS, Linux) | High | VPN service writes logs to a location that is world writable and can be leveraged to gain write access to any file on the system
2020-13413 | R5.4.1290 (8/5/2020) | Upgrade | Observable Response Discrepancy – User Enumeration | Aviatrix Cloud Controller UserConnect-5.3.1516 | Medium | An API can be used to enumerate valid accounts
2020-26548 | R5.4.1290 (8/5/2020) | Upgrade | Insecure sudo rule | Aviatrix Cloud Controller UserConnect-5.3.1516 | Medium | User account has permission to execute all commands as any user on the system
Pending | R5.4.1290 (8/5/2020) | Upgrade | Insecure File Permissions | Aviatrix Cloud Controller UserConnect-5.3.1516 | Medium | Several world writable files and directories were found
2020-13414 | R5.4.1290 (8/5/2020) | Upgrade | Hard-coded Credentials | Aviatrix Cloud Controller UserConnect-5.3.1516 | Low | Aviatrix Cloud Controller contains credentials unused by the software
2020-26549 | R5.4.1290 (8/5/2020) | Upgrade | Bypass htaccess security control | Aviatrix Cloud Controller UserConnect-5.3.1516 | Low | The htaccess control to prevent requests to directories can be bypassed for file downloading
04/13/2020 – Initiated contact with the vendor to determine a secure method to transmit the report.
04/20/2020 – Conference call with the vendor; report sent.
05/05/2020 – Conference call with the vendor.
06/30/2020 – Conference call with the vendor.
07/08/2020 – The vendor provided a test environment to verify the patches.
07/10/2020 – Verified critical vulnerabilities were mitigated.
07/21/2020 – Conference call with the vendor.
10/01/2020 – Conference call with the vendor.
10/19/2020 – Updated CVE list received along with customer upgrade instructions.