Multiple Vulnerabilities Discovered in Aviatrix
- Aviatrix Cloud Controller UserConnect-5.3.1516
- Aviatrix VPN Client 2.8.2
Security Advisories: https://docs.aviatrix.com/HowTos/security_bulletin_article.html
CRITICALSTART‘s TEAMARES recently discovered multiple vulnerabilities in the Aviatrix Cloud Controller appliance v5.3.1516 and Aviatrix VPN client v2.8.2 for Linux, macOS, and Windows. TEAMARES would like to thank the Aviatrix security team for partnering with us to get the issues resolved.
The Aviatrix security team provided the following upgrade instructions.
- Upgrade – This is a software upgrade and does not fix previous versions. All security issues, bugs, and features are fixed in new releases. We recommend that the customer stay updated with the latest release to resolve security vulnerabilities. Software upgrades are typically released in a 4-6 week schedule. There is no software downtime to perform software upgrades. When a new software upgrade is available, Aviatrix Admin will receive an alert on the Controller console. When a particular release contains security patch, a field notice will be published. Field notices are emailed to Aviatrix Controller Administrator and it is also communicated in our documentation: https://docs.aviatrix.com/HowTos/field_notices.html.
- Migration – This is an appliance upgrade. When performing a migration, the system is shutting down your previous controller, gateway instances, and launching a new image. The automated processes will grab the image from Aviatrix’s authorized service and check to make sure the latest backup is performed. Once the validation checks are completed, the system will automate a migration performed locally. Please note that the controller will control the Gateway migration.
To see your latest software upgrade, migration option, and Gateway version, login as admin to the Aviatrix Controller console > Settings > Maintenance > Upgrade. See the image below.
Aviatrix cloud-native networking establishes an abstraction layer between the public cloud providers’ native networking and security constructs and the application to simplify networking in AWS, Azure, Google Cloud, and Oracle.
The Aviatrix Controller and Gateways are deployed as software in your VPCs and VNETs. The Aviatrix Controller provides programmatic control over the native constructs so you can easily take advantage of the cloud providers existing services. Additionally, the same Aviatrix Controller enables you to extend the native services by adding enterprise-class control for hybrid connectivity, data security, multi-cloud operations, monitoring, and troubleshooting.
This blog will focus on two critical unauthenticated vulnerabilities discovered in the Aviatrix Cloud Controller. The complete list of vulnerabilities are listed in the vulnerabilities table at the end of this blog. To manage the controller, an administrator must log in to the web console.
The controller also supports a set of APIs available to manage the appliance. The Aviatrix API Documentation states the “CID” parameter represents the session identifier, which the majority of API calls require.
Through dynamic and static code analysis, we discovered two sensitive API calls. The setup_network_options and edit_account_user APIs should require administrator-level access but did not validate the CID parameter. The setup_network_options API was leveraged to achieve unauthenticated remote code execution, and the edit_account_user API could be used to take control of the administrator account.
Pre-Auth Remote Code Execution
Reviewing the source code of the setup_network_options API function shows a call to the move_uploaded_file() PHP function. This function does what it sounds like and moves a file from one location to another after an HTTP POST request.
The setup_network_options API could be used to upload a new proxy certificate; however, the input filename and certificate content was not validated or sanitized. This allowed arbitrary files to be uploaded. The TMPDIR constant was set to the tmp directory inside of the webserver root. This path is used by several functions to stage uploaded files before processing. The location is protected by an Apache .htaccess file which by default denied all HTTP requests. This configuration effectively blocked the access/execution of any .php script files that could be uploaded.
Upon further investigation, the tmp directory was discovered with directory permissions set to be world-writable (777). This allowed the www-data user to create and update files under this directory, thus allowing the www-data account to also overwrite the .htaccess file.
The exploit was updated to first upload a new .htaccess file with an allow directive from our IP address.
The exploit now uploads a new .htaccess file, the PHP exploit (web shell), and then calls the PHP file resulting in a reverse shell running as root.
Root access was gained in a single step because the Sudo configuration allowed the www-data user to execute all commands as any user on the system.
Pre-Auth Account Takeover
The edit_account_user API did not verify the CID session value. This was leveraged to silently take over the admin account. When updating the email address of admin via the API, the current email address is not notified that a change was made to the account.
Now that the address for admin account had been updated, a “Forgot password” request may be initiated.
Within 60 seconds a one-time password (token) was sent to the updated admin email address under our control.
The token was submitted via the “Account Verification” page.
At this point a new password could be set for the admin account, concluding a successful account takeover attack.
The latest version of the Aviatrix Cloud Controller properly validates the CID value and adds additional hardening and authorization checks. Attempting to access the APIs from an unauthenticated view returns an error.
|CVE Number||Fix Version||Fix Type||Vulnerability||Affected Product||Rating||Description|
|2020-26553||R6.0.2483 (8/4/2020)||Upgrade + Migration||Pre-auth Remote|
|Aviatrix Cloud Controller|
|Critical||API file doesn’t require valid session ID & allows arbitrary files to be uploaded to web tree|
|2020-26552||R5.4.1290 (8/5/2020)||Upgrade||Pre-auth Account|
|Aviatrix Cloud Controller|
|Critical||API file doesn’t require valid session & allows for account email address updates|
|2020-26550||R5.3.1551 (6/4/2020)||Upgrade + Migration||Insufficiently Protected Credentials||Aviatrix Cloud Controller|
|Critical||Encrypted file containing credentials to unrelated systems is protected by a weak key|
|2020-26553||R6.0.2483 (8/4/2020)||Upgrade||Post-auth Remote Code Execution||Aviatrix Cloud Controller|
|High||Several APIs contain functions that allow arbitrary files to be uploaded to web tree|
|2020-26551||AMI Software Version 050120|
(Aug 13, 2020)
|Upgrade + Migration||Cleartext Storage of Cryptographic Key||Aviatrix Cloud Controller|
|High||Encrypted key values are stored in cleartext in a readable file|
|2020-13417||2.10.8 – May 14 2020||Upgrade||Incomplete Fix for CVE-2020-7224 Elevation of Privilege||Aviatrix VPN Client 2.8.2|
macOS, Linux, Windows
|High||Vulnerability was previously reported & an incomplete patch was released|
|Pending||2.10.8 – May 14 2020||Upgrade||Arbitrary File Write||Aviatrix VPN Client 2.8.2|
|High||VPN service writes logs to a location that is world writable and can be leveraged to gain write access to any file on the system|
|2020-13413||R5.4.1290 (8/5/2020)||Upgrade||Observable Response Discrepancy – User Enumeration||Aviatrix Cloud Controller|
Aviatrix Cloud Controller
|Medium||An API can be used to enumerate valid accounts|
|2020-26548||R5.4.1290 (8/5/2020)||Upgrade||Insecure sudo rule||Aviatrix Cloud Controller|
|Medium||User account has permission to execute all commands as any user on the system|
|Pending||R5.4.1290 (8/5/2020)||Upgrade||Insecure File Permissions||Aviatrix Cloud Controller|
|Medium||Several world writable files and directories were found|
|2020-13414||R5.4.1290 (8/5/2020)||Upgrade||Hard-coded Credentials||Aviatrix Cloud Controller|
|Low||Aviatrix Cloud Controller contains credentials unused by the software|
|2020-26549||R5.4.1290 (8/5/2020)||Upgrade||Bypass htaccess security control||Aviatrix Cloud Controller|
|Low||The htaccess control to prevent requests to directories can be bypassed for file downloading|
04/13/2020 – Initiated contact with the vendor to determine a secure method to transmit the report.
04/20/2020 – Conference call with the vendor; report sent.
05/05/2020 – Conference call with the vendor.
06/30/2020 – Conference call with the vendor.
07/08/2020 – The vendor provided a test environment to verify the patches.
07/10/2020 – Verified critical vulnerabilities were mitigated.
07/21/2020 – Conference call with the vendor.
10/01/2020 – Conference call with the vendor.
10/19/2020 – Updated CVE list received along with customer upgrade instructions.
Discovered by Rich Mirch, Senior Adversarial Engineer for TEAMARES at CRITICALSTART
CRITICALSTART’s TEAMARES is comprised of professionals with more than a decade of experience conducting offensive and defensive security services. Our team has expertise in a wide array of industries, including oil and gas, healthcare, app development firms, hospitality, technology, and more.
Follow us on Twitter @TeamAresSec and @CRITICALSTART to stay up to date on vulnerability discoveries and cybersecurity news.
*** This is a Security Bloggers Network syndicated blog from Blog – Critical Start authored by TEAMARES Staff. Read the original post at: https://www.criticalstart.com/multiple-vulnerabilities-discovered-in-aviatrix/