PSIRT Advisories
The Aviatrix Product Security Team continually tests the software product, looking for vulnerabilities and weaknesses. If you have a security issue to report, please open a support ticket on the Aviatrix Support Portal. Any such findings are fed back to Aviatrix’s development teams and serious issues are described along with protective solutions in the advisories below.
Please note the below Aviatrix Security recommendations and communication plans:
-
Aviatrix strongly recommend customers stay on the latest release to resolve features and bug issues. All fixes are in the new release; we do not patch older release versions.
-
Customers are strongly recommended to perform image migration 2x a year. The migration process provides the latest system level security patch.
-
All known software vulnerabilities are submitted to Mitre for CVE-ID references by Aviatrix Systems.
-
Aviatrix publishes Field Notices and send alerts to Controller Admin in the Controller console when security related issues are published.
Aviatrix Egress FQDN Firewall Security Misconfiguration
Date 04/02/2024
CVE # CVE-2023-52087
Risk Rating 5.5 (Medium) AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Description
Aviatrix discovered a security issue related to the Aviatrix Egress FQDN Firewall. In prior releases, the firewall would ALLOW traffic on TLS ports for non-TLS traffic or for TLS traffic which did not have SNI headers.
The current release will change the default behavior to DENY for non-TLS traffic or TLS traffic without SNI data on the TLS port (tcp/443).
This is a breaking change from prior releases, so be sure to see the Solutions section of this advisory if this functionality must be preserved.
Impact
Packets that should be blocked by the Egress FQDN Firewall will be allowed through unexpectedly.
Affected Products
All versions before:
-
7.1.3006
-
7.0.2239
-
6.9.822
-
6.8.1826
Solution
If you require allowing non-TLS traffic egress over HTTPS port, perform the following:
-
Aviatrix Controller > Security > Egress Control > 3. Egress FQDN Filer > Global Config (CLICK).
-
ENABLE "non-TLS traffic over HTTPS port" under Global Settings. For release 7.0.2239 and 7.1.3006 this can be done from the Controller UI. For release 6.9.822 or 6.8.1826 this cannot be done from the UI.
-
If you choose to revert back to the old default behavior in release 6.9.822 or 6.8.1826, please contact Aviatrix Support who can help you toggle to ALLOW for this feature.
Since the non-TLS traffic using HTTPS port (tcp/443) is not logged in the syslog messages, there is no way to detect (in prior releases) this kind of traffic on the Aviatrix Controller/CoPilot UI.
Aviatrix Egress FQDN Firewall High-Availability Security Misconfiguration
Date 04/02/2024
CVE # CVE-2023-52087
Risk Rating 5.5 (Medium) AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Description
If an Aviatrix Egress FQDN HA gateway is launched after an Egress FQDN tag is attached to the main gateway, then the HA gateway is launched in non-enforcing mode. The non-enforcing setting is clearly visible on the Controller UI. In this configuration, when the primary drops, the secondary will not enforce as expected.
Impact
The secondary Egress FQDN Firewall may come up in non-enforcing mode. This will potentially allow traffic through the Egress FQDN Firewall unexpectedly.
Affected Products
All versions before:
-
7.1.3006
-
7.0.2239
-
6.9.822
-
6.8.1826
Solution
-
If you are running affected Aviatrix software releases and have existing HA Egress Firewall Gateways, temporarily remove the Egress FQDN Filter tag from the primary gateway and then re-add it.
-
If you are running affected Aviatrix software releases and creating new HA Egress Firewall Gateways, create the HA gateway before assigning an Egress FQDN Filter tag.
-
The latest Aviatrix software revisions have resolved this issue and no action is needed.
Remote Code Execution
Date 27 May 2022
Risk Rating AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (10.0)
Description Several vulnerabilities could be combined by an attacker to abuse a Gateway command mechanism that would allow arbitrary remote code execution. This vulnerability is not known to be exploited.
Impact An unauthenticated attacker to run arbitrary commands against Aviatrix gateways.
Affected Products Aviatrix Controller and Gateways.
Solution: Upgrade your controller and gateway software to:
-
6.4.3057
-
6.5.3233
-
6.6.5612
-
6.7.1185
Post-Auth Remote Code Execution
Date 11 April 2022
Risk Rating High
Description TLDAP APIs contain functions that are inappropriately sanitized, and would allow an authenticated malicious user to inject arbitrary commands.
Impact A local user to the controller UI could execute arbitrary code.
Affected Products Aviatrix Controller.
Solution: Upgrade your controller and gateway software to: * 6.4.3049 * 6.5.3166 * 6.6.5545
Aviatrix Controller and Gateways - Privilege Escalation
Date 03 Feb 2022
Risk Rating Medium
Description The publicly disclosed CVE-2021-4034 and CVE-2022-0185 are local privilege escalation vulnerabilities disclosed in the past two weeks. When successfully executed, an attack exploiting these vulnerabilities can cause a local privilege escalation giving unprivileged users administrative rights on the target machine. The Aviatrix Gateway, Controller, and Copilot are all running vulnerable versions of the Linux packages. However, in order to successfully exploit these vulnerabilities, an attacker requires local access to our systems and no vulnerability known to us today would allow such attack.
Impact A local user to our appliances can escalate his privileges to root.
Affected Products Aviatrix Controller and Gateways.
- Solution
-
-
Upgrade Copilot to Release 1.6.3.
-
Apply security patch [AVI-2022-0001 - CVE-2021-4034 and CVE-2022-0185 Privilege Escalation Patches] to controllers.
-
Aviatrix Controller and Gateways - Unauthorized Access
Date 11 Jan 2022
Risk Rating High for Gateways, medium for Controller.
Description On the Aviatrix Controller, a successful attack would allow an unauthenticated remote attacker partial access to configuration information and allow them to disrupt the service. On the gateway, a successful attack would allow an unauthenticated network-adjacent attacker (i.e.: an attacker present on the gateway’s VPC) access to its API.
Impact Access to configuration information and disruption of service.
Affected Products Aviatrix Controller, Gateways and Copilot.
- Solution Upgrade your controller and gateway software to
-
-
6.4.2995 or later.
-
6.5.2898 or later.
-