CVE-2021-40870
Published: 2021-09-13
Priority: P1 · 99 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, remediation due 2022-02-01
Exploited in the wild
EPSS: 92.38% (99.8th percentile)
An issue was discovered in Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| aviatrix | controller | >= 6.2 < 6.2.2043 | 6.2.2043 |
| aviatrix | controller | >= 6.3 < 6.3.2490 | 6.3.2490 |
| aviatrix | controller | >= 6.4 < 6.4.2838 | 6.4.2838 |
| aviatrix | controller | >= 6.5 < 6.5.1922 | 6.5.1922 |
Detection & IOCs (extracted from sources)
Command (request body observed in exploitation):
```
CID=x&action=set_metric_gw_selections&account_name=/../../../var/www/php/<filename>.php&data=
```
Snort rule:
```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Aviatrix Controller Unrestricted File Upload with Path Traversal Inbound (CVE-2021-40870)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"action=set_metric_gw_selections&account_name="; fast_pattern; content:"../../"; within:10; content:"&data="; reference:cve,2021-40870; classtype:attempted-admin; sid:2034159; rev:2; metadata:created_at 2021_10_09, cve CVE_2021_40870, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)
```
- Exploit POST request targets /v1/backend1 with action=set_metric_gw_selections and a path-traversal sequence in the account_name parameter (e.g., /../../../var/www/php/<file>.php) to write a PHP webshell.
- After the upload, the attacker retrieves the dropped PHP file via GET /v1/<filename>.php to confirm code execution; monitor for GET requests to /v1/*.php that were not previously present.
- Shodan/FOFA fingerprint for exposed Aviatrix Controller instances: HTTP title 'aviatrix cloud controller'. Use this to identify internet-exposed targets.
- The Snort/ET rule keys on the HTTP POST body containing both 'action=set_metric_gw_selections&account_name=' and '../../' within 10 bytes, followed by '&data='. This combination is highly specific to CVE-2021-40870 exploitation.
- CVE-2021-40870 affects Aviatrix Controller 6.x before 6.5-1804.1922 only. Instances confirmed NOT vulnerable to CVE-2021-40870 but still running unpatched versions may be vulnerable to the separate CVE-2024-50603 RCE; do not conflate the two.
- The IP 172.104.60[.]176 observed in CVE-2024-50603 actor operations is noted as likely a shared proxy server and therefore not strictly reliable as a standalone IOC.
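To exercise the rule's logic without a sensor, here is an added Python re-implementation of the content chain in sid 2034159 together with the follow-up GET check from the notes above; it is example code written for this page, not from Emerging Threats or any source quoted here, and the sample requests and the baseline path set are constructed.

```python
from typing import Iterable

# Byte patterns taken from ET sid 2034159 as quoted on this page.
ANCHOR = b"action=set_metric_gw_selections&account_name="
TRAVERSAL = b"../../"
TRAILER = b"&data="
WITHIN = 10  # Suricata 'within:N': next match must end within N bytes after the previous match

def matches_et_2034159(method: str, body: bytes) -> bool:
    """Content chain of the rule on one request: POST, then the action/account_name string,
    '../../' inside the 10-byte window right after it, and '&data=' anywhere in the body
    (that last content has no distance/within modifier, so it is not relative)."""
    if method.upper() != "POST" or TRAILER not in body:
        return False
    pos = body.find(ANCHOR)
    while pos != -1:
        anchor_end = pos + len(ANCHOR)
        if TRAVERSAL in body[anchor_end:anchor_end + WITHIN]:
            return True
        pos = body.find(ANCHOR, pos + 1)  # retry later occurrences, as the engine does
    return False

def is_new_v1_php_fetch(method: str, path: str, known_paths: set[str]) -> bool:
    """Follow-up check from the notes above: a GET for /v1/<name>.php outside the known surface."""
    return (method.upper() == "GET" and path.startswith("/v1/")
            and path.endswith(".php") and path not in known_paths)

def scan(requests: Iterable[tuple[str, str, bytes]], known_paths: set[str]) -> list[tuple[int, str]]:
    """Return (index, reason) for every request that trips either check."""
    hits: list[tuple[int, str]] = []
    for i, (method, path, body) in enumerate(requests):
        if matches_et_2034159(method, body):
            hits.append((i, "ET 2034159: traversal in account_name"))
        elif is_new_v1_php_fetch(method, path, known_paths):
            hits.append((i, "GET of previously unseen /v1/*.php"))
    return hits

# Constructed sample traffic, not captured data: 0 is shaped like the payload quoted above, 1 is a
# well-formed call to the same action, 2 is the same body over GET (outside the rule's scope),
# 3 fetches a PHP path absent from the baseline.
SAMPLE_REQUESTS = [
    ("POST", "/v1/backend1", b"CID=x&action=set_metric_gw_selections&account_name=/../../../var/www/php/<filename>.php&data="),
    ("POST", "/v1/backend1", b"CID=x&action=set_metric_gw_selections&account_name=prod-aws-account&data=gw1"),
    ("GET", "/v1/backend1", b"CID=x&action=set_metric_gw_selections&account_name=/../../../var/www/php/x.php&data="),
    ("GET", "/v1/<filename>.php", b""),
]
KNOWN_V1_PHP = {"/v1/login.php"}  # assumed baseline of legitimate application paths
if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_REQUESTS, KNOWN_V1_PHP):
        print(idx, reason)
```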
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |
GHSA
GHSA-w7mg-q4hh-m9cq: An issue was discovered in Aviatrix Controller 6
ghsa (unreviewed) · 2022-05-24 · CRITICAL · CWE-23
Description matches the NVD text above.
VulnCheck
Aviatrix Controller Unrestricted Upload of File
vulncheck · 2021 · CVSS 9.8 · CRITICAL · CWE-25
Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal.
Affected: Aviatrix Aviatrix Controller
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://unit42.paloaltonetworks.com/network-attacks-trends-august-october-2021/
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-01&host_type=src&vulnerability=cve-2021-40870
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vulnerability=cve-2021-40870
- https://dashboard.shadowserver.org/statisti
CISA
Aviatrix Controller Unrestricted Upload of File
cisa · 2022-01-18 · CVSS 9.8 · CRITICAL · CWE-25
Vulnerability: Aviatrix Controller Unrestricted Upload of File
Affected: Aviatrix Aviatrix Controller
Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-40870
Remediation Due Date: 2022-02-01
Suricata
ET EXPLOIT Aviatrix Controller Unrestricted File Upload with Path Traversal Inbound (CVE-2021-40870)
suricata · 2021-10-09 · CVSS 9.8 · CRITICAL
Rule: sid 2034159, rev 2; the full rule text is reproduced under Detection & IOCs above.
Nuclei
Aviatrix Controller 6.x before 6.5-1804.1922 - Remote Command Execution
nuclei · CVSS 9.8 · CRITICAL
Aviatrix Controller 6.x before 6.5-1804.1922 contains a vulnerability that allows unrestricted upload of a file with a dangerous type, which allows an unauthenticated user to execute arbitrary code via directory traversal.
Template:
```
id: CVE-2021-40870

info:
  name: Aviatrix Controller 6.x before 6.5-1804.1922 - Remote Command Execution
  author: pikpikcu
  severity: critical
  description: Aviatrix Controller 6.x before 6.5-1804.1922 contains a vulnerability that allows unrestricted upload of a file with a dangerous type, which allows an unauthenticated user to execute arbitrary code via directory traversal.
  impact: |
    Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the
```
Wiz
Wiz Research Identifies Exploitation in the Wild of Aviatrix Controller RCE (CVE-2024-50603) | Wiz Blog
blogs_wiz · 2025-01-11 · CVE-2024-50603 · CVSS 10.0 · CRITICAL
Updated on 2025-01-19 to include additional investigation findings related to Sliver and Mirai infections.
CVE-2024-50603 is a critical code execution vulnerability impacting Aviatrix Controller with the maximum CVSS score of 10.0. This command injection flaw allows unauthenticated attackers to execute arbitrary commands on the system remotely. The vulnerability stems from the improper neutralization of user-supplied input, and has been addressed in patched versions `7.1.4191` and `7.2.4996`.
When deployed in AWS cloud environments, Aviatrix Controller allows privilege escalation by default, making exploitation of this vulnerability a high-impact risk. A simple proof-of-concept exploit has been published, and Wiz Research has already observed exploitation in the wild resulting in cryptojacking and backdoor deployment. For these reasons, it is highly recommended to upgrade Aviatrix Controller to the patched versions, conduct forensic investigation on the devices, and search for lateral movement attempts to the cloud control plane.
Unit42
Network Security Trends: August-October 2021
blogs_unit42 · 2021-12-21 · CVSS 9.8 · CRITICAL
Yue Guan, Published: December 21, 2021
Tags: Trend Reports, Vulnerabilities, Attack analysis, Buffer Overflow, Command injection, Cross-site request forgery, Cross-site scripting, CVE-2021-24499, CVE-2021-26084, CVE-2021-32789, CVE-2021-33357, CVE-2021-33766, CVE-2021-34473, CVE-2021-35395, CVE-2021-38647, CVE-2021-40438, CVE-2021-40870, CVE-2021-41773, CVE-2021-42013, Denial of service, Directory traversal, Exploit in the wild, Improper authentication, Information disclosure, Memory corruption, Network security trends, Out-of-bounds read, Privilege escalation, Remote Code Execution, Security feature bypass, SQL injection
## Executive Summary
Unit 42 researchers continually observe network attacks and search for insights that can assist defenders. Here, we summarize key trends from August-October 2021. In the following sections, we present our analysis of the most recently published vulnerabilities, including the severity distribution. We also classify vulnerabilities to provide a clear view of the prevalence of, say, cross-site scripting or denial of service.
Additionally, we provide insight into how the vulnerabilities are actively exploited in the wild based on real-world data collected from Palo Alto Networks Next-Generation Firewalls. For example, we chart a timeframe showing how frequently the most commonly exploited vulnerabilities were attacked through networks and the locations from which the att
HackerOne
CVE-2021-40870 in [███]
hackerone · 2021-11-15 · CVSS 9.8 · CRITICAL
Description matches the NVD text above.
The IP has an SSL certificate pointing to Informatica LLC.
`curl -kvI https://█████████`
Output
```
Server certificate:
* subject: ██████
```
## Steps To Reproduce
First, run this request:
```
POST /v1/backend1 HTTP/1.1
Host: ████████
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Content-Length: 136
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

CID=x&action=set_metric_gw_selections&account_name=/../../../var/www/ph
```
HackerOne
CVE-2021-40870 on [52.204.160.31]
hackerone · 2021-10-06 · CVSS 9.8 · CRITICAL
Description matches the NVD text above.
The IP has an SSL certificate pointing to ElasticSearch.
`curl -kv https://52.204.160.31`
Output
```
Server certificate:
* subject: C=US; ST=California; L=Mountain View; O=Elasticsearch, Inc.; CN=*.elasticit.co
```
## Steps To Reproduce
First, run this request:
```
POST /v1/backend1 HTTP/1.1
Host: 52.204.160.31
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Content-Length: 136
Content-Type: application/x-www-form-urlencoded
Accept
```
References
- http://packetstormsecurity.com/files/164461/Aviatrix-Controller-6.x-Path-Traversal-Code-Execution.html
- https://docs.aviatrix.com/HowTos/UCC_Release_Notes.html#security-note-9-11-2021
- https://wearetradecraft.com/advisories/tc-2021-0002/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-40870
Timeline
- 2021-09-13: Published
- 2022-01-18: Added to CISA KEV
- Exploited in the wild