Multiple Vulnerabilities Discovered in Aviatrix

November 12, 2020

Versions Tested:

  • Aviatrix Cloud Controller UserConnect-5.3.1516
  • Aviatrix VPN Client 2.8.2

Product: https://aviatrix.com/cloud-network-platform/

Security Advisories: https://docs.aviatrix.com/HowTos/security_bulletin_article.html

Summary:

CRITICALSTART’s TEAMARES recently discovered multiple vulnerabilities in the Aviatrix Cloud Controller appliance v5.3.1516 and Aviatrix VPN client v2.8.2 for Linux, macOS, and Windows. TEAMARES would like to thank the Aviatrix security team for partnering with us to get the issues resolved.

The Aviatrix security team provided the following upgrade instructions.

  1. Upgrade – This is a software upgrade and does not fix previous versions. All security issues, bugs, and features are fixed in new releases. We recommend that the customer stay updated with the latest release to resolve security vulnerabilities. Software upgrades are typically released on a 4-6 week schedule. There is no software downtime to perform software upgrades. When a new software upgrade is available, the Aviatrix Admin will receive an alert on the Controller console. When a particular release contains a security patch, a field notice will be published. Field notices are emailed to the Aviatrix Controller Administrator and are also communicated in our documentation: https://docs.aviatrix.com/HowTos/field_notices.html.
  2. Migration – This is an appliance upgrade. When performing a migration, the system shuts down your previous controller and gateway instances and launches a new image. The automated processes will grab the image from Aviatrix’s authorized service and check to make sure the latest backup is performed. Once the validation checks are completed, the system will automate a migration performed locally. Please note that the controller will control the Gateway migration.

To see your latest software upgrade, migration option, and Gateway version, login as admin to the Aviatrix Controller console > Settings > Maintenance > Upgrade. See the image below.

Figure 1: Aviatrix Console

Product Overview:

Aviatrix cloud-native networking establishes an abstraction layer between the public cloud providers’ native networking and security constructs and the application to simplify networking in AWS, Azure, Google Cloud, and Oracle.

The Aviatrix Controller and Gateways are deployed as software in your VPCs and VNETs. The Aviatrix Controller provides programmatic control over the native constructs so you can easily take advantage of the cloud providers existing services. Additionally, the same Aviatrix Controller enables you to extend the native services by adding enterprise-class control for hybrid connectivity, data security, multi-cloud operations, monitoring, and troubleshooting.

Source: https://aviatrix.com/features/

Details:

This blog will focus on two critical unauthenticated vulnerabilities discovered in the Aviatrix Cloud Controller. The complete list of vulnerabilities is given in the vulnerabilities table at the end of this blog. To manage the controller, an administrator must log in to the web console.

Figure 2: Controller Login Screen

The controller also supports a set of APIs available to manage the appliance. The Aviatrix API Documentation states the “CID” parameter represents the session identifier, which the majority of API calls require.

Figure 3: Aviatrix API Documentation

Through dynamic and static code analysis, we discovered two sensitive API calls. The setup_network_options and edit_account_user APIs should require administrator-level access but did not validate the CID parameter. The setup_network_options API was leveraged to achieve unauthenticated remote code execution, and the edit_account_user API could be used to take control of the administrator account.

Pre-Auth Remote Code Execution

Reviewing the source code of the setup_network_options API function shows a call to the move_uploaded_file() PHP function. This function does what it sounds like: it takes a file received in an HTTP POST request and moves it from PHP’s temporary upload location to a destination path chosen by the application.

Figure 4: Vulnerable Code

The setup_network_options API could be used to upload a new proxy certificate; however, neither the input filename nor the certificate content was validated or sanitized. This allowed arbitrary files to be uploaded. The TMPDIR constant was set to the tmp directory inside the webserver root. This path is used by several functions to stage uploaded files before processing. The location is protected by an Apache .htaccess file which by default denied all HTTP requests. This configuration effectively blocked access to, and execution of, any .php script files that could be uploaded.
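As an added example (not Aviatrix code), the following Python shows the checks a hardened certificate-upload handler would perform before moving a file into place: the filename is restricted to a plain basename with an expected extension (which rejects traversal and dotfiles such as .htaccess), and the content must be a single PEM CERTIFICATE block wrapping DER. The extensions, size cap and sample inputs are assumptions for the demo, not values from the advisory.

```python
"""Added example (not Aviatrix code): the validation a hardened certificate
upload handler would perform before moving the file into place.

Assumptions (not from the advisory): proxy certificates are PEM files with
a .crt or .pem extension, and a 64 KiB size cap is sufficient.
"""
from __future__ import annotations

import base64
import binascii
import os
import re

ALLOWED_EXTENSIONS = {".crt", ".pem"}        # assumption: what a proxy cert upload should be
MAX_CERT_BYTES = 64 * 1024                    # assumption: generous upper bound for one cert
# One PEM CERTIFICATE block and nothing else (no leading junk, no second block).
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\r?\n"
    rb"(?P<body>[A-Za-z0-9+/=\r\n]+)"
    rb"-----END CERTIFICATE-----\r?\n?$"
)
# Must start with a letter or digit: rejects dotfiles such as .htaccess outright.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def check_filename(filename: str) -> str | None:
    """Return a rejection reason, or None if the name is safe to use as-is."""
    if filename != os.path.basename(filename) or "\\" in filename:
        return "path separators are not allowed"
    if not SAFE_NAME_RE.match(filename):
        return "filename contains disallowed characters or starts with a dot"
    if os.path.splitext(filename)[1].lower() not in ALLOWED_EXTENSIONS:
        return "extension not allowed"
    return None


def check_certificate(content: bytes) -> str | None:
    """Return a rejection reason, or None if content is a single PEM cert wrapping DER."""
    if len(content) > MAX_CERT_BYTES:
        return "certificate too large"
    m = PEM_RE.match(content)
    if not m:
        return "not a single PEM CERTIFICATE block"
    try:
        # Strip the line breaks first: validate=True rejects any non-alphabet byte.
        der = base64.b64decode(b"".join(m["body"].split()), validate=True)
    except binascii.Error:
        return "PEM body is not valid base64"
    # Every X.509 certificate is a DER SEQUENCE, whose first byte is 0x30.
    if not der or der[0] != 0x30:
        return "decoded body is not a DER SEQUENCE"
    return None


def check_upload(filename: str, content: bytes) -> str | None:
    """Combined check; None means the upload may be moved into the cert directory."""
    return check_filename(filename) or check_certificate(content)


# Constructed sample: a minimal DER SEQUENCE, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER)
    + b"-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for name, body in [
        ("proxy.pem", SAMPLE_PEM),
        (".htaccess", b"Require all granted\n"),
        ("../../proxy.pem", SAMPLE_PEM),
        ("proxy.php", b"<?php echo 'not a certificate'; ?>"),
        ("proxy.pem", b"<?php echo 'not a certificate'; ?>"),
    ]:
        print(f"{name:20} -> {check_upload(name, body) or 'accepted'}")
```

The content check matters as much as the name check: an upload named proxy.pem that contains PHP is still rejected, and a real deployment would go on to parse the DER with an X.509 library rather than stopping at the leading SEQUENCE byte.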

Upon further investigation, the tmp directory was discovered to have world-writable permissions (777). Because the www-data user could therefore create and update any file under this directory, it could also overwrite the .htaccess file that protected it.

Figure 5: World Writable Directory

The exploit was updated to first upload a new .htaccess file containing an allow directive for our IP address.

Figure 6: Updated .htaccess file

The exploit now uploads a new .htaccess file, the PHP exploit (web shell), and then calls the PHP file resulting in a reverse shell running as root.

Figure 7: Remote Code Execution

Root access was gained in a single step because the Sudo configuration allowed the www-data user to execute all commands as any user on the system.

Figure 8: Sudoers
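The two host-level conditions chained above, a world-writable directory under the web root (which lets its own .htaccess be replaced) and a sudo rule granting the web server account every command as any user, are easy to audit for. The following Python is an added example, not code from the advisory or from Aviatrix: it walks a web root for directories with the other-write bit set, flags an .htaccess that can be replaced or edited, and parses simple sudoers user-spec lines for service accounts allowed to run ALL. The sample sudoers text and the demo directory layout are constructed for the demo.

```python
"""Added example (not Aviatrix code): a host audit for the two weaknesses the
advisory chains together, a world-writable directory under the web root and a
sudo rule that lets the web server account run anything as anyone.

Assumptions: the web root path and the sudoers text are supplied by the caller;
SAMPLE_SUDOERS below is constructed for the demo, not the controller's file.
"""
from __future__ import annotations

import os
import re
import stat
import tempfile

# user  host=(runas) [TAG:]* commands   -- the simple user-spec form only
SUDO_RULE_RE = re.compile(
    r"^(?P<user>[%\w.-]+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\))?\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+?)\s*$"
)
SERVICE_ACCOUNTS = ("www-data", "apache", "nginx", "http")

SAMPLE_SUDOERS = """\
# constructed sample, not the Aviatrix sudoers file
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL
"""


def parse_sudoers(text: str) -> list[dict[str, str]]:
    """Parse plain user-spec lines; comments, Defaults and alias lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "User_Alias", "Cmnd_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        m = SUDO_RULE_RE.match(line)
        if m:
            rules.append({"user": m["user"], "runas": (m["runas"] or "").strip(),
                          "tags": m["tags"].strip(), "cmds": m["cmds"].strip()})
    return rules


def dangerous_sudo_rules(text: str, accounts=SERVICE_ACCOUNTS) -> list[str]:
    """Rules that let a service account run every command; these give root in one step."""
    findings = []
    for r in parse_sudoers(text):
        if r["user"] in accounts and r["cmds"] == "ALL":
            runas = r["runas"] or "root"   # sudo's default runas target
            findings.append(f'{r["user"]} may run ALL commands as ({runas}) {r["tags"]}'.strip())
    return findings


def world_writable_dirs(root: str) -> list[str]:
    """Every directory under root (root included) with the other-write bit set."""
    found = []
    for dirpath, _, _ in os.walk(root):
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            found.append(dirpath)
    return sorted(found)


def htaccess_at_risk(dirpath: str) -> bool:
    """True if the .htaccess guarding dirpath can be replaced or edited by any local user.

    A world-writable parent lets anyone unlink and recreate the file, so the
    directory bit matters as much as the file's own mode.
    """
    ht = os.path.join(dirpath, ".htaccess")
    dir_ww = bool(os.stat(dirpath).st_mode & stat.S_IWOTH)
    file_ww = os.path.exists(ht) and bool(os.stat(ht).st_mode & stat.S_IWOTH)
    return dir_ww or file_ww


def build_demo_webroot() -> tuple[str, str]:
    """Constructed layout: <root>/tmp is 0777 and holds a deny-all .htaccess."""
    root = tempfile.mkdtemp(prefix="webroot-")   # mkdtemp creates the root as 0700
    tmp = os.path.join(root, "tmp")
    os.mkdir(tmp)
    with open(os.path.join(tmp, ".htaccess"), "w") as fh:
        fh.write("Require all denied\n")
    os.chmod(tmp, 0o777)
    return root, tmp


if __name__ == "__main__":
    root, tmp = build_demo_webroot()
    print("world-writable dirs:", world_writable_dirs(root))
    print(".htaccess at risk in tmp:", htaccess_at_risk(tmp))
    print("sudo findings:", dangerous_sudo_rules(SAMPLE_SUDOERS))
```

The sudoers parser deliberately handles only the plain user-spec form; a real audit would run sudo -l for the account in question, which resolves aliases and included files.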

Pre-Auth Account Takeover

The edit_account_user API did not verify the CID session value. This was leveraged to silently take over the admin account. When the email address of admin is updated via the API, the previous email address is not notified that a change was made to the account.

Figure 9: Exploit

Now that the address for the admin account had been updated, a “Forgot password” request could be initiated.

Figure 10: Forgot Password

Within 60 seconds a one-time password (token) was sent to the updated admin email address under our control.

The token was submitted via the “Account Verification” page.

Figure 12: OTP Code Screen

At this point a new password could be set for the admin account, concluding a successful account takeover attack.

Figure 13: Password Reset

The latest version of the Aviatrix Cloud Controller properly validates the CID value and adds additional hardening and authorization checks. Attempting to access the APIs from an unauthenticated view returns an error.

Figure 14: Error Message
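To make the two fixes concrete, validating the CID before any privileged action and making an email change visible to the old address, here is an added Python model of an API front door. The Controller class, its session store, user table, action names and response shape are constructed for the example and are not the controller's real implementation; only the action names setup_network_options and edit_account_user come from the advisory.

```python
"""Added example (not Aviatrix code): an API front door that rejects privileged
actions without a valid CID and notifies the previous address when an account
email changes, so the takeover path described above is both blocked and visible.

Everything here (the Controller class, its session store, user table and
response shape) is constructed to model the advisory's description.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field

# Actions that must only be reachable from an authenticated admin session.
PRIVILEGED_ACTIONS = {"setup_network_options", "edit_account_user"}


@dataclass
class Controller:
    users: dict[str, dict[str, str]] = field(default_factory=dict)      # username -> {"email", "role"}
    sessions: dict[str, str] = field(default_factory=dict)              # CID -> username
    notifications: list[tuple[str, str]] = field(default_factory=list)  # (recipient, message)

    def login(self, username: str) -> str:
        """Issue an unguessable session id (CID) for an existing user."""
        if username not in self.users:
            raise KeyError(username)
        cid = secrets.token_urlsafe(32)
        self.sessions[cid] = username
        return cid

    def handle(self, action: str, params: dict[str, str]) -> dict:
        """Single entry point: authentication and authorization happen before dispatch."""
        actor = self.sessions.get(params.get("CID", ""))
        if action in PRIVILEGED_ACTIONS:
            if actor is None:
                return {"ok": False, "reason": "invalid or missing CID"}
            if self.users[actor]["role"] != "admin":
                return {"ok": False, "reason": "admin privileges required"}
        if action == "edit_account_user":
            return self._edit_account_user(actor, params)
        if action == "setup_network_options":
            return {"ok": False, "reason": "not modelled in this example"}
        return {"ok": False, "reason": "unknown action"}

    def _edit_account_user(self, actor: str, params: dict[str, str]) -> dict:
        target, new_email = params.get("username"), params.get("email")
        if target not in self.users or not new_email:
            return {"ok": False, "reason": "bad request"}
        old_email = self.users[target]["email"]
        if new_email != old_email:
            self.users[target]["email"] = new_email
            # Tell the *old* address: a silent change is what made the
            # forgot-password step of the takeover possible.
            self.notifications.append(
                (old_email, f"email for '{target}' changed to {new_email} by {actor}")
            )
        return {"ok": True}


def demo() -> list[dict]:
    """Replay an unauthenticated and an authenticated request against the hardened handler."""
    c = Controller(users={"admin": {"email": "admin@example.test", "role": "admin"}})
    unauth = c.handle("edit_account_user", {"username": "admin", "email": "outsider@example.test"})
    cid = c.login("admin")
    auth = c.handle("edit_account_user", {"CID": cid, "username": "admin", "email": "new@example.test"})
    return [unauth, auth, {"notifications": c.notifications}]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The authorization check is separate from the session check on purpose: a valid CID proves who is calling, and the role lookup then decides whether that caller may touch the action at all, which is the "additional authorization checks" the fixed release adds.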

Vulnerabilities Table:

CVE Number: 2020-26553
Fix Version: R6.0.2483 (8/4/2020)
Fix Type: Upgrade + Migration
Vulnerability: Pre-auth Remote Code Execution
Affected Product: Aviatrix Cloud Controller UserConnect-5.3.1516 4.6
Rating: Critical
Description: API file doesn’t require valid session ID & allows arbitrary files to be uploaded to web tree

CVE Number: 2020-26552
Fix Version: R5.4.1290 (8/5/2020)
Fix Type: Upgrade
Vulnerability: Pre-auth Account Takeover
Affected Product: Aviatrix Cloud Controller UserConnect-5.3.1516
Rating: Critical
Description: API file doesn’t require valid session & allows for account email address updates

CVE Number: 2020-26550
Fix Version: R5.3.1551 (6/4/2020)
Fix Type: Upgrade + Migration
Vulnerability: Insufficiently Protected Credentials
Affected Product: Aviatrix Cloud Controller UserConnect-5.3.1516
Rating: Critical
Description: Encrypted file containing credentials to unrelated systems is protected by a weak key

CVE Number: 2020-26553
Fix Version: R6.0.2483 (8/4/2020)
Fix Type: Upgrade
Vulnerability: Post-auth Remote Code Execution
Affected Product: Aviatrix Cloud Controller UserConnect-5.3.1516
Rating: High
Description: Several APIs contain functions that allow arbitrary files to be uploaded to web tree

CVE Number: 2020-26551
Fix Version: AMI Software Version 050120 (Aug 13, 2020)
Fix Type: Upgrade + Migration
Vulnerability: Cleartext Storage of Cryptographic Key
Affected Product: Aviatrix Cloud Controller UserConnect-5.3.1516
Rating: High
Description: Encrypted key values are stored in cleartext in a readable file

CVE Number: 2020-13417
Fix Version: 2.10.8 – May 14 2020
Fix Type: Upgrade
Vulnerability: Incomplete Fix for CVE-2020-7224 Elevation of Privilege
Affected Product: Aviatrix VPN Client 2.8.2 (macOS, Linux, Windows)
Rating: High
Description: Vulnerability was previously reported & an incomplete patch was released

CVE Number: Pending
Fix Version: 2.10.8 – May 14 2020
Fix Type: Upgrade
Vulnerability: Arbitrary File Write
Affected Product: Aviatrix VPN Client 2.8.2 (macOS, Linux)
Rating: High
Description: VPN service writes logs to a location that is world writable and can be leveraged to gain write access to any file on the system

CVE Number: 2020-13413
Fix Version: R5.4.1290 (8/5/2020)
Fix Type: Upgrade
Vulnerability: Observable Response Discrepancy – User Enumeration
Affected Product: Aviatrix Cloud Controller UserConnect-5.3.1516
Rating: Medium
Description: An API can be used to enumerate valid accounts

CVE Number: 2020-26548
Fix Version: R5.4.1290 (8/5/2020)
Fix Type: Upgrade
Vulnerability: Insecure sudo rule
Affected Product: Aviatrix Cloud Controller UserConnect-5.3.1516
Rating: Medium
Description: User account has permission to execute all commands as any user on the system

CVE Number: Pending
Fix Version: R5.4.1290 (8/5/2020)
Fix Type: Upgrade
Vulnerability: Insecure File Permissions
Affected Product: Aviatrix Cloud Controller UserConnect-5.3.1516
Rating: Medium
Description: Several world writable files and directories were found

CVE Number: 2020-13414
Fix Version: R5.4.1290 (8/5/2020)
Fix Type: Upgrade
Vulnerability: Hard-coded Credentials
Affected Product: Aviatrix Cloud Controller UserConnect-5.3.1516
Rating: Low
Description: Aviatrix Cloud Controller contains credentials unused by the software

CVE Number: 2020-26549
Fix Version: R5.4.1290 (8/5/2020)
Fix Type: Upgrade
Vulnerability: Bypass htaccess security control
Affected Product: Aviatrix Cloud Controller UserConnect-5.3.1516
Rating: Low
Description: The htaccess control to prevent requests to directories can be bypassed for file downloading

Timeline:

04/13/2020 – Initiated contact with the vendor to determine a secure method to transmit the report.
04/20/2020 – Conference call with the vendor; report sent.
05/05/2020 – Conference call with the vendor.
06/30/2020 – Conference call with the vendor.
07/08/2020 – The vendor provided a test environment to verify the patches.
07/10/2020 – Verified critical vulnerabilities were mitigated.
07/21/2020 – Conference call with the vendor.
10/01/2020 – Conference call with the vendor.
10/19/2020 – Updated CVE list received along with customer upgrade instructions.

Credit:

Discovered by Rich Mirch, Senior Adversarial Engineer for TEAMARES at CRITICALSTART

Our Team:

CRITICALSTART’s TEAMARES is comprised of professionals with more than a decade of experience conducting offensive and defensive security services. Our team has expertise in a wide array of industries, including oil and gas, healthcare, app development firms, hospitality, technology, and more.

Follow us on Twitter @TeamAresSec and @CRITICALSTART to stay up to date on vulnerability discoveries and cybersecurity news.


©2020 CRITICALSTART. This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.