Multiple Vulnerabilities Discovered in Aviatrix | Critical Start

Multiple Vulnerabilities Discovered in Aviatrix


Versions Tested:

  • Aviatrix Cloud Controller UserConnect-5.3.1516
  • Aviatrix VPN Client 2.8.2

Product: https://aviatrix.com/cloud-network-platform/

Security Advisories: https://docs.aviatrix.com/HowTos/security_bulletin_article.html

 

Summary:

CRITICALSTART’s TEAMARES recently discovered multiple vulnerabilities in the Aviatrix Cloud Controller appliance v5.3.1516 and the Aviatrix VPN client v2.8.2 for Linux, macOS, and Windows. TEAMARES would like to thank the Aviatrix security team for partnering with us to get the issues resolved.

The Aviatrix security team provided the following upgrade instructions.

  1. Upgrade – This is a software upgrade and does not fix previous versions. All security issues, bugs, and features are fixed in new releases. We recommend that the customer stay updated with the latest release to resolve security vulnerabilities. Software upgrades are typically released on a 4-6 week schedule. There is no software downtime to perform software upgrades. When a new software upgrade is available, the Aviatrix Admin will receive an alert on the Controller console. When a particular release contains a security patch, a field notice will be published. Field notices are emailed to the Aviatrix Controller Administrator and are also communicated in our documentation: https://docs.aviatrix.com/HowTos/field_notices.html.

  2. Migration – This is an appliance upgrade. When performing a migration, the system shuts down your previous controller and gateway instances and launches a new image. The automated process will grab the image from Aviatrix’s authorized service and check to make sure the latest backup has been performed. Once the validation checks are completed, the system will automate a migration performed locally. Please note that the controller will control the Gateway migration.

 

To see your latest software upgrade, migration option, and Gateway version, log in as admin to the Aviatrix Controller console > Settings > Maintenance > Upgrade. See the image below.

Figure 1: Aviatrix Console

Product Overview:

Aviatrix cloud-native networking establishes an abstraction layer between the public cloud providers’ native networking and security constructs and the application to simplify networking in AWS, Azure, Google Cloud, and Oracle.

The Aviatrix Controller and Gateways are deployed as software in your VPCs and VNETs. The Aviatrix Controller provides programmatic control over the native constructs so you can easily take advantage of the cloud providers’ existing services. Additionally, the same Aviatrix Controller enables you to extend the native services by adding enterprise-class control for hybrid connectivity, data security, multi-cloud operations, monitoring, and troubleshooting.

Source: https://aviatrix.com/features/

 

Details:

This blog will focus on two critical unauthenticated vulnerabilities discovered in the Aviatrix Cloud Controller. The complete list of vulnerabilities is given in the vulnerabilities table at the end of this blog. To manage the controller, an administrator must log in to the web console.

Figure 2: Controller Login Screen

The controller also supports a set of APIs available to manage the appliance. The Aviatrix API Documentation states the “CID” parameter represents the session identifier, which the majority of API calls require.

Figure 3: Aviatrix API Documentation

Through dynamic and static code analysis, we discovered two sensitive API calls. The setup_network_options and edit_account_user APIs should require administrator-level access but did not validate the CID parameter. The setup_network_options API was leveraged to achieve unauthenticated remote code execution, and the edit_account_user API could be used to take control of the administrator account.

 

Pre-Auth Remote Code Execution

Reviewing the source code of the setup_network_options API function shows a call to the move_uploaded_file() PHP function. This function does exactly what its name suggests: after an HTTP POST request, it moves the uploaded file from its temporary location to a destination path supplied by the caller.

Figure 4: Vulnerable Code

The setup_network_options API could be used to upload a new proxy certificate; however, neither the input filename nor the certificate content was validated or sanitized. This allowed arbitrary files to be uploaded. The TMPDIR constant was set to the tmp directory inside the webserver root. This path is used by several functions to stage uploaded files before processing. The location is protected by an Apache .htaccess file which by default denied all HTTP requests. This configuration effectively blocked the access/execution of any .php script files that could be uploaded.

Upon further investigation, the tmp directory was discovered to have world-writable directory permissions (777). This allowed the www-data user to create and update files under this directory, including overwriting the .htaccess file itself.

Figure 5: World Writable Directory

The exploit was updated to first upload a new .htaccess file with an allow directive from our IP address.

Figure 6: Updated .htaccess file

The exploit now uploads a new .htaccess file, the PHP exploit (web shell), and then calls the PHP file resulting in a reverse shell running as root.

Figure 7: Remote Code Execution

Root access was gained in a single step because the Sudo configuration allowed the www-data user to execute all commands as any user on the system.

Figure 8: Sudoers
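One way to close the gaps in the upload path described above, as an added example that is not Aviatrix’s code: a PHP handler that validates the CID before doing anything, refuses client-controlled filenames, checks that the payload really is a certificate, and stages the file outside the web root so an .htaccess file is no longer the only barrier. The session store, field names and paths are assumptions.

```php
<?php
// Added example (not Aviatrix's code): the certificate-upload pattern
// described above, rewritten with the checks the original lacked. The
// session table, field names and paths are illustrative assumptions.
// Staging directory OUTSIDE the web root: nothing stored here is served
// by Apache, so safety no longer depends on an .htaccess file surviving.
const CERT_STORE = '/var/lib/example-app/proxy-certs';
const SESSIONS = ['constructed-session-id' => 'admin']; // stand-in for the real session store

function require_admin(array $post): void
{
    $cid = (string) ($post['CID'] ?? '');
    // Fail closed: the CID must map to an admin session before any work is done.
    if (!array_key_exists($cid, SESSIONS) || SESSIONS[$cid] !== 'admin') {
        http_response_code(401);
        exit(json_encode(['return' => false, 'reason' => 'Invalid session']));
    }
}

function safe_cert_name(string $name): string
{
    // Never use the client-supplied name as a path: basename() strips any
    // directory part, the regex rejects dots and slashes, and the extension
    // is fixed server-side, so a .php or .htaccess name cannot get through.
    $base = basename($name);
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $base)) {
        throw new InvalidArgumentException('bad certificate name');
    }
    return $base . '.pem';
}

function store_proxy_cert(array $post, array $file): string
{
    require_admin($post);
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file((string) ($file['tmp_name'] ?? ''))) {
        throw new RuntimeException('upload failed');
    }
    // Content check: the body must parse as an X.509 certificate.
    if (openssl_x509_read((string) file_get_contents($file['tmp_name'])) === false) {
        throw new RuntimeException('not a valid certificate');
    }
    $dest = CERT_STORE . '/' . safe_cert_name((string) ($post['cert_name'] ?? ''));
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store certificate');
    }
    return $dest;
}
```

The same require_admin() gate applies to edit_account_user and any other API that changes state; the file-handling checks are only needed where uploads are accepted.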

Pre-Auth Account Takeover

The edit_account_user API did not verify the CID session value. This was leveraged to silently take over the admin account. When the email address of admin is updated via the API, the previous email address is not notified that a change was made to the account.

Figure 9: Exploit

Now that the admin account’s address had been updated, a “Forgot password” request could be initiated.

Figure 10: Forgot Password

Within 60 seconds a one-time password (token) was sent to the updated admin email address under our control.

The token was submitted via the “Account Verification” page.

Figure 12: OTP Code Screen

At this point a new password could be set for the admin account, concluding a successful account takeover attack.

Figure 13: Password Reset

The latest version of the Aviatrix Cloud Controller properly validates the CID value and adds additional hardening and authorization checks. Attempting to access the APIs without an authenticated session returns an error.

Figure 14: Error Message

Vulnerabilities Table:

CVE Number | Fix Version | Fix Type | Vulnerability | Affected Product | Rating | Description
2020-26553 | R6.0.2483 (8/4/2020) | Upgrade + Migration | Pre-auth Remote Code Execution | Aviatrix Cloud Controller UserConnect-5.3.1516 | Critical (4.6) | API file doesn’t require valid session ID & allows arbitrary files to be uploaded to web tree
2020-26552 | R5.4.1290 (8/5/2020) | Upgrade | Pre-auth Account Takeover | Aviatrix Cloud Controller UserConnect-5.3.1516 | Critical | API file doesn’t require valid session & allows for account email address updates
2020-26550 | R5.3.1551 (6/4/2020) | Upgrade + Migration | Insufficiently Protected Credentials | Aviatrix Cloud Controller UserConnect-5.3.1516 | Critical | Encrypted file containing credentials to unrelated systems is protected by a weak key
2020-26553 | R6.0.2483 (8/4/2020) | Upgrade | Post-auth Remote Code Execution | Aviatrix Cloud Controller UserConnect-5.3.1516 | High | Several APIs contain functions that allow arbitrary files to be uploaded to web tree
2020-26551 | AMI Software Version 050120 (Aug 13, 2020) | Upgrade + Migration | Cleartext Storage of Cryptographic Key | Aviatrix Cloud Controller UserConnect-5.3.1516 | High | Encrypted key values are stored in cleartext in a readable file
2020-13417 | 2.10.8 – May 14 2020 | Upgrade | Incomplete Fix for CVE-2020-7224 Elevation of Privilege | Aviatrix VPN Client 2.8.2 (macOS, Linux, Windows) | High | Vulnerability was previously reported & an incomplete patch was released
Pending | 2.10.8 – May 14 2020 | Upgrade | Arbitrary File Write | Aviatrix VPN Client 2.8.2 (macOS, Linux) | High | VPN service writes logs to a location that is world writable and can be leveraged to gain write access to any file on the system
2020-13413 | R5.4.1290 (8/5/2020) | Upgrade | Observable Response Discrepancy – User Enumeration | Aviatrix Cloud Controller UserConnect-5.3.1516 | Medium | An API can be used to enumerate valid accounts
2020-26548 | R5.4.1290 (8/5/2020) | Upgrade | Insecure sudo rule | Aviatrix Cloud Controller UserConnect-5.3.1516 | Medium | User account has permission to execute all commands as any user on the system
Pending | R5.4.1290 (8/5/2020) | Upgrade | Insecure File Permissions | Aviatrix Cloud Controller UserConnect-5.3.1516 | Medium | Several world writable files and directories were found
2020-13414 | R5.4.1290 (8/5/2020) | Upgrade | Hard-coded Credentials | Aviatrix Cloud Controller UserConnect-5.3.1516 | Low | Aviatrix Cloud Controller contains credentials unused by the software
2020-26549 | R5.4.1290 (8/5/2020) | Upgrade | Bypass htaccess security control | Aviatrix Cloud Controller UserConnect-5.3.1516 | Low | The htaccess control to prevent requests to directories can be bypassed for file downloading

Timeline:

04/13/2020 – Initiated contact with the vendor to determine a secure method to transmit the report.
04/20/2020 – Conference call with the vendor; report sent.
05/05/2020 – Conference call with the vendor.
06/30/2020 – Conference call with the vendor.
07/08/2020 – The vendor provided a test environment to verify the patches.
07/10/2020 – Verified critical vulnerabilities were mitigated.
07/21/2020 – Conference call with the vendor.
10/01/2020 – Conference call with the vendor.
10/19/2020 – Updated CVE list received along with customer upgrade instructions.

 

Credit:

Discovered by Rich Mirch, Senior Adversarial Engineer for TEAMARES at CRITICALSTART

 

Our Team:

CRITICALSTART’s TEAMARES is composed of professionals with more than a decade of experience conducting offensive and defensive security services. Our team has expertise in a wide array of industries, including oil and gas, healthcare, app development firms, hospitality, technology, and more.

Follow us on Twitter @TeamAresSec and @CRITICALSTART to stay up to date on vulnerability discoveries and cybersecurity news.
