PSIRT Advisories

The Aviatrix Product Security Team continually tests the software product for vulnerabilities and weaknesses. If you have a security issue to report, please open a support ticket on the Aviatrix Support Portal. Such findings are fed back to Aviatrix’s development teams, and serious issues are described, along with protective solutions, in the advisories below.

Please note the below Aviatrix Security recommendations and communication plans:

  • Aviatrix strongly recommends that customers stay on the latest release to receive feature and bug fixes. All fixes are delivered in the newest release; we do not patch older release versions.

  • Customers are strongly recommended to perform image migration twice a year. The migration process provides the latest system-level security patches.

  • All known software vulnerabilities are submitted to MITRE by Aviatrix Systems for CVE-ID assignment.

  • Aviatrix publishes Field Notices and sends alerts to Controller Admins in the Controller console when security-related issues are published.

Aviatrix Egress FQDN Firewall Security Misconfiguration

Date 04/02/2024

CVE # CVE-2023-52087

Risk Rating 5.5 (Medium) AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Description

Aviatrix discovered a security issue in the Aviatrix Egress FQDN Firewall. In prior releases, the firewall would ALLOW traffic on TLS ports when that traffic was non-TLS or was TLS without an SNI header.

The current release changes the default behavior to DENY for non-TLS traffic, or TLS traffic without SNI data, on the TLS port (tcp/443).

This is a breaking change from prior releases, so be sure to see the Solutions section of this advisory if this functionality must be preserved.

Impact

Packets that should be blocked by the Egress FQDN Firewall will be allowed through unexpectedly.

Affected Products

All versions before:

  • 7.1.3006

  • 7.0.2239

  • 6.9.822

  • 6.8.1826

Solution

If you require allowing non-TLS traffic to egress over the HTTPS port, perform the following:

  • Aviatrix Controller > Security > Egress Control > 3. Egress FQDN Filter > Global Config (CLICK).

  • ENABLE "non-TLS traffic over HTTPS port" under Global Settings. For releases 7.0.2239 and 7.1.3006 this can be done from the Controller UI. For releases 6.9.822 and 6.8.1826 this cannot be done from the UI.

  • If you choose to revert to the old default behavior in release 6.9.822 or 6.8.1826, please contact Aviatrix Support, who can help you toggle this feature to ALLOW.

Because non-TLS traffic on the HTTPS port (tcp/443) is not logged in syslog messages, there is no way in prior releases to detect this kind of traffic from the Aviatrix Controller/CoPilot UI.
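As an added illustration (not Aviatrix code; this page does not describe the firewall's internals), the following Python models the tcp/443 decision the advisory describes: it extracts the SNI from a TLS ClientHello and returns DENY for non-TLS traffic or TLS without SNI unless an `allow_non_tls_on_443` flag, standing in for the "non-TLS traffic over HTTPS port" setting, is enabled. `build_client_hello` constructs sample records, and the FQDN allow list is a hypothetical set.

```python
import struct

def build_client_hello(sni=None):
    """Constructed sample (not captured traffic): minimal ClientHello, SNI optional."""
    ext = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # host_name entry
        body = struct.pack("!H", len(entry)) + entry           # ServerNameList
        ext = struct.pack("!HH", 0, len(body)) + body          # server_name ext
    hello = (b"\x03\x03" + bytes(32)                 # client version + random
             + b"\x00"                               # empty session id
             + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite
             + b"\x01\x00")                          # compression: null only
    if ext:
        hello += struct.pack("!H", len(ext)) + ext   # extensions block
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello   # Handshake: ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # TLS record

def extract_sni(payload):
    """SNI host from a TLS ClientHello; None if not TLS, no SNI, or truncated."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:  # handshake record, ClientHello
            return None
        hs = payload[5:5 + struct.unpack("!H", payload[3:5])[0]]
        pos = 4 + 2 + 32                                    # header, version, random
        pos += 1 + hs[pos]                                  # session id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher suites
        pos += 1 + hs[pos]                                  # compression methods
        if pos + 2 > len(hs):
            return None                                     # no extensions block
        pos, end = pos + 2, pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0:                                  # server_name (RFC 6066)
                name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                return hs[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                                # malformed: treat as no SNI
    return None

def egress_decision(payload, allowed_fqdns, allow_non_tls_on_443=False):
    """ALLOW/DENY for a tcp/443 flow; a None SNI covers non-TLS and TLS without SNI."""
    sni = extract_sni(payload)
    if sni is None:  # prior releases defaulted to ALLOW here; fixed default is DENY
        return "ALLOW" if allow_non_tls_on_443 else "DENY"
    return "ALLOW" if sni in allowed_fqdns else "DENY"
```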

Aviatrix Egress FQDN Firewall High-Availability Security Misconfiguration

Date 04/02/2024

CVE # CVE-2023-52087

Risk Rating 5.5 (Medium) AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Description

If an Aviatrix Egress FQDN HA gateway is launched after an Egress FQDN tag has been attached to the main gateway, the HA gateway is launched in non-enforcing mode. The non-enforcing setting is clearly visible in the Controller UI. In this configuration, when the primary gateway drops, the secondary will not enforce the policy as expected.

Impact

The secondary Egress FQDN Firewall may come up in non-enforcing mode. This will potentially allow traffic through the Egress FQDN Firewall unexpectedly.

Affected Products

All versions before:

  • 7.1.3006

  • 7.0.2239

  • 6.9.822

  • 6.8.1826

Solution

  • If you are running affected Aviatrix software releases and have existing HA Egress Firewall Gateways, temporarily remove the Egress FQDN Filter tag from the primary gateway and then re-add it.

  • If you are running affected Aviatrix software releases and creating new HA Egress Firewall Gateways, create the HA gateway before assigning an Egress FQDN Filter tag.

  • The latest Aviatrix software revisions have resolved this issue and no action is needed.

Remote Code Execution

Date 05/27/2022

Description Several vulnerabilities could be combined by an attacker to abuse a Gateway command mechanism, allowing arbitrary remote code execution. This vulnerability is not known to have been exploited.

Impact An unauthenticated attacker could run arbitrary commands against Aviatrix gateways.

Affected Products Aviatrix Controller and Gateways.

Solution: Upgrade your controller and gateway software to:
  • 6.4.3057

  • 6.5.3233

  • 6.6.5612

  • 6.7.1185

Post-Auth Remote Code Execution

Date 04/11/2022

Risk Rating High

Description TLDAP APIs contain functions whose input is not properly sanitized, which would allow an authenticated malicious user to inject arbitrary commands.

Impact A local user of the controller UI could execute arbitrary code.

Affected Products Aviatrix Controller.

Solution: Upgrade your controller and gateway software to:
  • 6.4.3049

  • 6.5.3166

  • 6.6.5545

Aviatrix Controller and Gateways - Privilege Escalation

Date 02/03/2022

Risk Rating Medium

Description The publicly disclosed CVE-2021-4034 and CVE-2022-0185 are local privilege escalation vulnerabilities disclosed in the past two weeks. When successfully executed, an attack exploiting these vulnerabilities causes a local privilege escalation that gives unprivileged users administrative rights on the target machine. The Aviatrix Gateway, Controller, and Copilot are all running vulnerable versions of the Linux packages. However, in order to successfully exploit these vulnerabilities, an attacker requires local access to our systems, and no vulnerability known to us today would allow such an attack.

Impact A local user of our appliances could escalate their privileges to root.

Affected Products Aviatrix Controller and Gateways.

Solution
  • Upgrade Copilot to Release 1.6.3.

  • Apply security patch [AVI-2022-0001 - CVE-2021-4034 and CVE-2022-0185 Privilege Escalation Patches] to controllers.

Aviatrix Controller and Gateways - Unauthorized Access

Date 11 Nov 2022

Risk Rating High for Gateways, Medium for Controller.

Description On the Aviatrix Controller, a successful attack would allow an unauthenticated remote attacker partial access to configuration information and allow them to disrupt the service. On the gateway, a successful attack would allow an unauthenticated network-adjacent attacker (i.e., an attacker present in the gateway’s VPC) access to its API.

Impact Access to configuration information and disruption of service.

Affected Products Aviatrix Controller, Gateways and Copilot.

Solution Upgrade your controller and gateway software to:
  • 6.4.2995 or later.

  • 6.5.2898 or later.