PSIRT Advisories

The Aviatrix Product Security Team continually tests Aviatrix software products, looking for vulnerabilities and weaknesses. If you have a security issue to report, please open a support ticket at the Aviatrix Support Portal (https://support.aviatrix.com). Findings are fed back to Aviatrix's development teams, and serious issues are described, along with protective measures, in the advisories below.

Please note the following Aviatrix security recommendations and communication plans:
  • Aviatrix strongly recommends that customers stay on the latest release to receive feature and bug fixes. All fixes ship in new releases; Aviatrix does not patch older release versions.

  • Customers are strongly recommended to perform image migration twice a year. The migration process provides the latest system-level security patches.

  • All known software vulnerabilities are submitted by Aviatrix Systems to MITRE for CVE-ID assignment.

  • Aviatrix publishes Field Notices and sends alerts to Controller admins in the Controller console when security-related issues are published.

Remote Code Execution

Date 05/27/2022

Description Several vulnerabilities could be chained by an attacker to abuse a Gateway command mechanism, allowing arbitrary remote code execution. These vulnerabilities are not known to have been exploited.

Impact An unauthenticated attacker could run arbitrary commands on Aviatrix gateways.

Affected Products Aviatrix Controller and Gateways.

Solution: Upgrade your controller and gateway software to:
  • 6.4.3057

  • 6.5.3233

  • 6.6.5612

  • 6.7.1185

Post-Auth Remote Code Execution

Date 04/11/2022

Risk Rating High

Description TLDAP APIs contain functions whose inputs are not properly sanitized, allowing an authenticated malicious user to inject arbitrary commands.

Impact An authenticated user of the controller UI could execute arbitrary code.

Affected Products Aviatrix Controller.

Solution: Upgrade your controller and gateway software to:
  • 6.4.3049

  • 6.5.3166

  • 6.6.5545

Aviatrix Controller and Gateways - Privilege Escalation

Date 02/03/2022

Risk Rating Medium

Description CVE-2021-4034 and CVE-2022-0185 are publicly disclosed local privilege escalation vulnerabilities, disclosed in the two weeks before this advisory. When successfully exploited, they give an unprivileged local user administrative rights on the target machine. The Aviatrix Gateway, Controller, and Copilot all run vulnerable versions of the affected Linux packages. However, exploiting these vulnerabilities requires local access to the appliance, and no vulnerability known to Aviatrix at the time of this advisory would provide such access.

Impact A local user on the appliance could escalate their privileges to root.

Affected Products Aviatrix Controller, Gateways, and Copilot.

Solution
  • Upgrade Copilot to Release 1.6.3.

  • Apply security patch [AVI-2022-0001 - CVE-2021-4034 and CVE-2022-0185 Privilege Escalation Patches] to controllers.

Aviatrix Controller and Gateways - Unauthorized Access

Date 11 Nov 2022

Risk Rating High for Gateways, Medium for Controller.

Description On the Aviatrix Controller, a successful attack would give an unauthenticated remote attacker partial access to configuration information and allow them to disrupt the service. On the gateway, a successful attack would give an unauthenticated network-adjacent attacker (i.e., an attacker present in the gateway's VPC) access to its API.

Impact Access to configuration information and disruption of service.

Affected Products Aviatrix Controller, Gateways and Copilot.

Solution: Upgrade your controller and gateway software to:
  • 6.4.2995 or later.

  • 6.5.2898 or later.
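The advisories above each list the minimum fixed build per release train, so the practical check is: given the build a Controller or gateway reports, which advisories still apply? The script below does that comparison. It is an added example written for this page, not an Aviatrix tool; the "major.minor.build" format is inferred from the version numbers in the advisories, the fixed-build table is copied from them, and the handling of trains an advisory does not list (older than every listed train: unfixed, per the "we do not patch older release versions" policy; newer than every listed train: assumed fixed) is an assumption. How to obtain the running version from a deployment is not covered on this page.

```python
#!/usr/bin/env python3
"""Compare a running Aviatrix Controller or gateway build against the fixed
builds listed in the advisories above.

Added example, not Aviatrix code. The "major.minor.build" format (e.g. "6.5.3166")
is inferred from the advisories; obtaining the running version is out of scope.
"""

# Minimum fixed build per release train, copied from the advisories on this page.
# Trains an advisory does not list are handled in unresolved_advisories().
ADVISORIES = {
    "Remote Code Execution (05/27/2022)": {"6.4": 3057, "6.5": 3233, "6.6": 5612, "6.7": 1185},
    "Post-Auth Remote Code Execution (04/11/2022)": {"6.4": 3049, "6.5": 3166, "6.6": 5545},
    "Unauthorized Access (11 Nov 2022)": {"6.4": 2995, "6.5": 2898},
}


def parse_version(version):
    """Split "6.5.3166" into ((6, 5), 3166); reject anything that does not fit."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Aviatrix version string: {version!r}")
    major, minor, build = (int(p) for p in parts)
    return (major, minor), build


def _train_key(train):
    """'6.5' -> (6, 5) so trains compare numerically, not as strings."""
    major, minor = train.split(".")
    return (int(major), int(minor))


def unresolved_advisories(version):
    """Return the names of the advisories the given build carries no fix for.

    Assumption (beyond the page's "we do not patch older release versions"):
    a train older than every train listed for an advisory never received the
    fix and is reported; a train newer than every listed train is assumed to
    have shipped with the fix.
    """
    train, build = parse_version(version)
    unresolved = []
    for name, fixes in ADVISORIES.items():
        listed = {_train_key(t): b for t, b in fixes.items()}
        if train in listed:
            if build < listed[train]:
                unresolved.append(name)        # on a fixed train, but below the fixed build
        elif train < min(listed):
            unresolved.append(name)            # older, unpatched train: no fix available
        # else: newer than every listed train, assumed fixed
    return unresolved


def report(version):
    """One-line summary for an operator."""
    missing = unresolved_advisories(version)
    if not missing:
        return f"{version}: no open advisories from this page"
    return f"{version}: upgrade needed for: " + "; ".join(missing)


if __name__ == "__main__":
    import sys
    # Constructed sample builds; replace with the build your Controller reports.
    for sample in sys.argv[1:] or ["6.5.3166", "6.4.3057", "6.3.2000", "6.7.1000", "6.8.100"]:
        print(report(sample))
```

Run it with the build strings of each Controller and gateway (for example `python3 check.py 6.5.3166`). Note that a build that passes every check here still needs the separate [AVI-2022-0001] patch or the Copilot 1.6.3 upgrade for the privilege escalation advisory, which is tied to a patch rather than a build number and is therefore not in the table.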