CVE-2021-40870: 
Aviatrix Controller vulnerability analysis and mitigation

An issue was discovered in Aviatrix Controller 6.x before version 6.5-1804.1922, identified as CVE-2021-40870. The vulnerability allows unrestricted upload of files with dangerous types, enabling unauthenticated users to execute arbitrary code through directory traversal. The vulnerability was discovered on May 12, 2021, reported to Aviatrix on August 24, 2021, and a fix was released on September 11, 2021 (Tradecraft Advisory).

The vulnerability exists because many API calls in the Aviatrix Controller do not enforce authentication checks. This allows unauthenticated attackers to upload arbitrary files, including PHP scripts, to the filesystem. These uploaded scripts are then processed by the web frontend, enabling arbitrary code execution. The vulnerability has been assigned a CVSS v3 Base Score of 9.8 (Critical), with attack vector being Network, attack complexity Low, requiring no privileges or user interaction (Tradecraft Advisory).

The vulnerability allows attackers to execute arbitrary code on affected systems with high impact on confidentiality, integrity, and availability. The scope of the vulnerability is considered 'Changed', indicating potential system-wide compromise (Tradecraft Advisory).

Aviatrix has released patches to address this vulnerability. Users should upgrade to one of the following versions: UserConnect-6.2-1804.2043 or later, UserConnect-6.3-1804.2490 or later, UserConnect-6.4-1804.2838 or later, or UserConnect-6.5-1804.1922 or later (Tradecraft Advisory).

The vulnerability gained significant attention from the cybersecurity community, leading to its inclusion in CISA's Known Exploited Vulnerabilities Catalog on January 18, 2022, with a remediation due date of February 1, 2022 (CISA Alert).