CVE-2021-40870 — Aviatrix Controller Unrestricted Upload of File

Aviatrix Controller — Unauthenticated File Upload with Directory Traversal Enabling RCE on Multi-Cloud Networking Management Plane

What is Aviatrix Controller?

Aviatrix is a cloud networking platform that provides centralized management for multi-cloud network connectivity across AWS, Azure, GCP, and Oracle Cloud. The Aviatrix Controller is the management plane — a central appliance or VM that manages routing, security policies, VPN gateways, and network configuration across an organization's entire multi-cloud infrastructure. Because the Controller manages cloud networking for the entire organization, compromising it provides an attacker with the ability to manipulate cloud network routes, security groups, and connectivity — effectively gaining control over how cloud workloads communicate.

Overview

CVE-2021-40870 is an unauthenticated, unrestricted file upload in the Aviatrix Controller whose filename handling is vulnerable to relative path traversal (CWE-23). An unauthenticated remote attacker can write uploaded files to arbitrary locations on the Controller's filesystem by placing traversal sequences in the file path parameter. By uploading a PHP or Python script into a web-accessible directory, the attacker achieves remote code execution on the Controller, which exposes the Controller's cloud credentials and allows manipulation of the multi-cloud networking infrastructure it manages.

Affected Versions

Product             | Vulnerable                   | Fixed
Aviatrix Controller | Versions before security fix | Contact Aviatrix for patched version

Technical Details

The Aviatrix Controller web application includes a file upload endpoint that is accessible without authentication. The endpoint accepts a filename parameter that is not adequately sanitized against directory traversal sequences:

  • Root cause: Unrestricted file upload combined with relative path traversal (CWE-23) — the attacker-controlled filename is not confined to the upload directory, so files can be written to arbitrary filesystem paths
  • Authentication required: None — the upload endpoint is accessible pre-authentication
  • Attack path: Upload a PHP/Python webshell with a path traversal sequence in the filename to place the webshell in a web-accessible directory → access the webshell URL to execute commands
  • Execution context: Commands execute as the Controller's web server process (typically with elevated privileges on the Controller VM)
  • Cloud credential access: The Aviatrix Controller holds IAM credentials for all connected cloud accounts — code execution provides access to these credentials, enabling full cloud infrastructure manipulation

Discovery

Identified by security researchers examining the Aviatrix Controller's web application security posture. The multi-cloud management plane position makes this a high-value target.

Exploitation Context

Aviatrix Controllers are typically internet-accessible (as they manage cloud connectivity for distributed cloud environments). A compromised Aviatrix Controller provides an attacker with access to cloud IAM credentials for all connected cloud accounts, the ability to modify network routing and security policies, and potential access to all cloud workloads connected through Aviatrix gateways. This is a cloud management plane takeover scenario.

Remediation

  1. Apply the Aviatrix Controller software update addressing CVE-2021-40870
  2. Restrict access to the Aviatrix Controller web interface to trusted management IPs using cloud security groups or firewall rules — it should not be internet-accessible without IP allowlisting
  3. Enable multi-factor authentication for all Aviatrix Controller administrative accounts
  4. Audit Aviatrix Controller access logs for unauthorized file upload requests
  5. Review connected cloud account IAM activity for unauthorized credential use following the potential compromise window
  6. Rotate all cloud IAM credentials associated with the Aviatrix Controller's cloud accounts
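Remediation step 4 calls for auditing access logs for unauthorized upload requests. The following Python script is an added example, not part of this advisory or of Aviatrix's own tooling: it scans constructed combined-format access-log lines for POSTs to an assumed upload endpoint (/v1/upload) whose assumed filename query parameter still contains a traversal sequence after percent-decoding, so that the encoded, double-encoded and backslash variants a naive ".." string match would miss are flagged as well.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format), not from a real
# Controller. The /v1/upload path and the "filename" query parameter are
# assumptions; the advisory does not name the vulnerable endpoint or parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Sep/2021:10:01:12 +0000] "POST /v1/upload?filename=report.csv HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Sep/2021:10:02:44 +0000] "POST /v1/upload?filename=../../var/www/html/x.php HTTP/1.1" 200 98 "-" "curl/7.68.0"
203.0.113.7 - - [15/Sep/2021:10:02:51 +0000] "POST /v1/upload?filename=%2e%2e%2f%2e%2e%2fvar%2fwww%2fhtml%2fy.php HTTP/1.1" 200 98 "-" "curl/7.68.0"
198.51.100.9 - - [15/Sep/2021:10:03:01 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Sep/2021:10:03:20 +0000] "POST /v1/upload?filename=..%255c..%255cwebroot%255cz.py HTTP/1.1" 200 98 "-" "python-requests/2.25"
"""

UPLOAD_PATHS = {"/v1/upload"}  # assumed upload endpoint path(s)
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def fully_decode(value, rounds=3):
    # Peel up to `rounds` layers of percent-encoding so %252e (double-encoded
    # '.') and similar evasions are compared in their decoded form.
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(filename):
    # A '..' path segment, an absolute path or an embedded NUL all escape the
    # intended upload directory; backslashes are treated as separators too.
    norm = fully_decode(filename).replace("\\", "/")
    return ".." in norm.split("/") or norm.startswith("/") or "\x00" in norm

def find_traversal_uploads(log_text):
    # Return (ip, timestamp, decoded filename, status) for each POST to an
    # upload endpoint whose filename parameter carries a traversal sequence.
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if m["method"] != "POST" or url.path not in UPLOAD_PATHS:
            continue
        for name in parse_qs(url.query).get("filename", []):
            if has_traversal(name):
                hits.append((m["ip"], m["ts"], fully_decode(name), m["status"]))
    return hits
```

Calling find_traversal_uploads(SAMPLE_LOG) on the constructed lines returns the three traversal attempts (two from 203.0.113.7, one from 198.51.100.9) and ignores the benign upload and the login request; a 200 status on a flagged request is the signal that the write may have succeeded and the host needs forensic review.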

Key Details

Property             | Value
CVE ID               | CVE-2021-40870
Vendor / Product     | Aviatrix — Aviatrix Controller
NVD Published        | 2021-09-13
NVD Last Modified    | 2025-11-10
CVSS 3.1 Score       | 9.8
CVSS 3.1 Vector      | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity             | CRITICAL
CWE                  | CWE-23
CISA KEV Added       | 2022-01-18
CISA KEV Deadline    | 2022-02-01
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector       | Network
Attack Complexity   | Low
Privileges Required | None
User Interaction    | None
Scope               | Unchanged
Confidentiality     | High
Integrity           | High
Availability        | High

Required Action

CISA BOD 22-01 Deadline: 2022-02-01. Apply updates per vendor instructions.

Timeline

Date       | Event
2021-09-13 | CVE published
2022-01-18 | Added to CISA Known Exploited Vulnerabilities catalog
2022-02-01 | CISA BOD 22-01 remediation deadline

References

Resource                          | Type
Aviatrix Controller Release Notes | Vendor Advisory
NVD — CVE-2021-40870              | Vulnerability Database
CISA KEV Catalog Entry            | US Government