cbcvebase.
CVE-2021-40870
published 2021-09-13


Priority: P1 · 99 · critical · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2022-02-01
Exploited in the wild
EPSS: 92.38% (99.8th percentile)
An issue was discovered in Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal.

Affected (4 ranges)

Vendor    Product     Version range        Fixed in
aviatrix  controller  >= 6.2 < 6.2.2043    6.2.2043
aviatrix  controller  >= 6.3 < 6.3.2490    6.3.2490
aviatrix  controller  >= 6.4 < 6.4.2838    6.4.2838
aviatrix  controller  >= 6.5 < 6.5.1922    6.5.1922

Detection & IOCs (extracted from sources)

url: /v1/backend1
path: /../../../var/www/php/
command: CID=x&action=set_metric_gw_selections&account_name=/../../../var/www/php/<filename>.php&data=
snort rule:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Aviatrix Controller Unrestricted File Upload with Path Traversal Inbound (CVE-2021-40870)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"action=set_metric_gw_selections&account_name="; fast_pattern; content:"../../"; within:10; content:"&data="; reference:cve,2021-40870; classtype:attempted-admin; sid:2034159; rev:2; metadata:created_at 2021_10_09, cve CVE_2021_40870, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)
  • Exploit POST request targets /v1/backend1 with action=set_metric_gw_selections and a path-traversal sequence in the account_name parameter (e.g., /../../../var/www/php/<file>.php) to write a PHP webshell.
  • After the upload, the attacker retrieves the dropped PHP file via GET /v1/<filename>.php to confirm code execution; monitor for GET requests to /v1/*.php that were not previously present.
  • Shodan/FOFA fingerprint for exposed Aviatrix Controller instances: HTTP title 'aviatrix cloud controller'. Use this to identify internet-exposed targets.
  • The Snort/ET rule keys on the HTTP POST body containing both 'action=set_metric_gw_selections&account_name=' and '../../' within 10 bytes, followed by '&data='. This combination is highly specific to CVE-2021-40870 exploitation.
  • CVE-2021-40870 affects Aviatrix Controller 6.x before 6.5-1804.1922 only. Instances confirmed NOT vulnerable to CVE-2021-40870 but still running unpatched versions may be vulnerable to the separate CVE-2024-50603 RCE; do not conflate the two.
  • The IP 172.104.60[.]176 observed in CVE-2024-50603 actor operations is noted as likely a shared proxy server and therefore not strictly reliable as a standalone IOC.
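As an added example (not code from this page's sources or from Aviatrix), the two detection notes above turned into a check that runs over constructed sample requests: the ET rule's body matches (action string, then `../../` fully inside the next 10 bytes, then `&data=`), plus the follow-up indicator of a GET for an unknown /v1/*.php. The helper names, the `HttpRequest` shape and the allowlist of known PHP paths are assumptions.

```python
from dataclasses import dataclass

# Byte patterns taken from the Snort/ET rule quoted on this page
ACTION = b"action=set_metric_gw_selections&account_name="
TRAVERSAL = b"../../"
DATA = b"&data="
WITHIN = 10  # Snort 'within:10' on the traversal content match


@dataclass
class HttpRequest:  # assumed minimal shape of a parsed request
    method: str
    path: str
    body: bytes = b""


def matches_upload_rule(req: HttpRequest) -> bool:
    """Mirror the rule: POST, body holds ACTION, '../../' lies entirely in
    the 10 bytes after ACTION, and '&data=' follows the traversal."""
    if req.method != "POST":
        return False
    i = req.body.find(ACTION)
    if i < 0:
        return False
    end = i + len(ACTION)
    j = req.body[end:end + WITHIN].find(TRAVERSAL)
    if j < 0:
        return False
    return req.body.find(DATA, end + j + len(TRAVERSAL)) >= 0


def looks_like_webshell_fetch(req: HttpRequest, known_php: frozenset) -> bool:
    """GET /v1/<name>.php for a path outside the assumed allowlist of PHP
    files the controller is known to serve (the page's second indicator)."""
    return (req.method == "GET" and req.path.startswith("/v1/")
            and req.path.endswith(".php") and req.path not in known_php)


def triage(requests, known_php=frozenset()):
    """Return (index, reason) for each request that trips either check."""
    hits = []
    for n, req in enumerate(requests):
        if matches_upload_rule(req):
            hits.append((n, "CVE-2021-40870 upload pattern"))
        elif looks_like_webshell_fetch(req, known_php):
            hits.append((n, "fetch of unknown /v1/*.php"))
    return hits


# Constructed samples modelled on the request shape quoted above (not captured traffic)
SAMPLES = [
    HttpRequest("POST", "/v1/backend1", b"CID=x&action=set_metric_gw_selections&account_name=/../../../var/www/php/x.php&data="),
    HttpRequest("POST", "/v1/backend1", b"CID=x&action=set_metric_gw_selections&account_name=prod-account&data=1"),
    HttpRequest("GET", "/v1/x.php"),
    HttpRequest("GET", "/v1/index.php"),
]
```

`triage(SAMPLES, frozenset({"/v1/index.php"}))` flags the first POST and the GET for x.php while leaving the ordinary account update and the allowlisted index.php alone.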

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck           9.8    CRITICAL
cisa                9.8    CRITICAL