CVE-2021-40870
Published: 13 September 2021
Summary
CVE-2021-40870 is a critical-severity Relative Path Traversal (CWE-23) vulnerability in Aviatrix Controller. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
The vulnerability tracked as CVE-2021-40870 is an unrestricted file upload flaw that permits dangerous file types and leads to arbitrary code execution through directory traversal. It affects the Aviatrix Controller in all 6.x releases prior to 6.5-1804.1922 and is assigned CWE-23 with a CVSS 3.1 base score of 9.8.
An unauthenticated attacker with network access can upload a malicious file and traverse directories to place and execute arbitrary code on the controller, resulting in full confidentiality, integrity, and availability impact without any required user interaction.
Public advisories and release notes from Aviatrix dated 9 September 2021, along with the TradeCraft advisory TC-2021-0002, direct customers to apply the fixed version 6.5-1804.1922 or later; exploit code demonstrating the issue has been published on Packet Storm.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-28025
Vulnerability details
An issue was discovered in Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal.
- CWE(s): CWE-23 (Relative Path Traversal)
- KEV Date Added: 18 January 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Enforces validation of file types, names, and paths on upload, directly blocking the dangerous-file and directory-traversal vectors that enable unauthenticated RCE.
- AC-3 (Access Enforcement): Requires the system to enforce authentication and authorization before allowing any file-upload or write operations, eliminating the unauthenticated access path described in the CVE.
- Deploys malicious-code scanning and execution controls on received files, limiting the ability of an uploaded payload to achieve arbitrary code execution on the controller.
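As an added illustration of the input-validation control above (this is not Aviatrix code; the upload root and the extension allowlist are constructed for the example), a Python upload-name validator that rejects the relative path traversal and dangerous file types this CVE combines, shown next to the naive join that is prone to both:

```python
"""Allowlist validation of client-supplied upload names against relative path
traversal (CWE-23) and dangerous file types. Illustrative code, not Aviatrix's."""
from pathlib import Path, PurePosixPath

# Constructed allowlist: the file types this hypothetical upload endpoint accepts.
ALLOWED_EXTENSIONS = {".pem", ".crt", ".json", ".txt"}


class UploadRejected(ValueError):
    """Raised when a client-supplied file name fails validation."""


def naive_upload_path(upload_root: str, client_filename: str) -> Path:
    """The traversal-prone pattern: the client name is joined as-is, so
    '../' segments walk out of upload_root. Shown only for contrast."""
    return Path(upload_root) / client_filename


def safe_upload_path(upload_root: str, client_filename: str) -> Path:
    """Map a client-supplied name to a path strictly inside upload_root.

    Rejects NUL bytes, absolute paths, any directory component, dotfiles and
    any dotted segment outside the allowlist (so 'x.php.txt' is refused too)."""
    if not client_filename or "\x00" in client_filename:
        raise UploadRejected("empty name or NUL byte")
    # Treat backslashes as separators so 'a\..\b' cannot bypass a POSIX-only check.
    as_posix = PurePosixPath(client_filename.replace("\\", "/"))
    if as_posix.is_absolute() or len(as_posix.parts) != 1:
        raise UploadRejected(f"path components not allowed: {client_filename!r}")
    name = as_posix.name
    if name in {".", ".."} or name.startswith("."):
        raise UploadRejected(f"hidden or relative name: {name!r}")
    # Conservative: every suffix must be allowed, not just the last one.
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes or any(s not in ALLOWED_EXTENSIONS for s in suffixes):
        raise UploadRejected(f"file type not permitted: {name!r}")
    root = Path(upload_root).resolve()
    target = (root / name).resolve()
    # Defence in depth: the resolved target must still sit under the root.
    if root not in target.parents:
        raise UploadRejected("resolved path escaped upload root")
    return target


def is_safe_upload_name(upload_root: str, client_filename: str) -> bool:
    """Boolean wrapper for callers (and tests) that only need accept/reject."""
    try:
        safe_upload_path(upload_root, client_filename)
    except UploadRejected:
        return False
    return True
```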