Critical Vulnerability Found in Avation Light Engine Pro - Immediate Action Required

Vulnerabilities Reporter

CISA has identified a critical security flaw in Avation Light Engine Pro that could allow remote code execution. All users must update immediately.

A critical security vulnerability has been discovered in Avation Light Engine Pro, a widely used aviation software system. The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert warning that the flaw could allow remote attackers to execute arbitrary code on affected systems.

The vulnerability, tracked as CVE-2024-1234, affects all versions of Avation Light Engine Pro prior to version 3.2.5. The flaw exists in the software's authentication module, where improper input validation could allow an attacker to bypass security controls and gain unauthorized access to the system.

Technical Details

The vulnerability stems from a buffer overflow in the authentication handler. When processing login requests, the software fails to properly validate the length of input data, potentially allowing an attacker to overflow the buffer and execute malicious code. This could lead to complete system compromise, data theft, or disruption of critical aviation operations.

CVSS Score: 9.8 (Critical)

Affected Systems

  • Avation Light Engine Pro versions 3.0.0 through 3.2.4
  • All installation types (on-premises and cloud)
  • Windows, Linux, and macOS platforms

Mitigation Steps

  1. Immediate Update: Upgrade to version 3.2.5 or later immediately
  2. Network Segmentation: Isolate affected systems from the internet until patched
  3. Access Controls: Review and restrict user permissions
  4. Monitoring: Enable enhanced logging to detect potential exploitation attempts
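To support the update step, the following added example (not vendor or CISA code) triages an asset inventory against the version boundaries stated above. The `host,version` line format, the hostnames and the status labels are assumptions made for illustration.

```python
import re

FIXED = (3, 2, 5)       # first patched release named in the advisory
LISTED_MIN = (3, 0, 0)  # lowest version in the "Affected Systems" list

# x.y.z with optional leading "v", pre-release tag (-rc1) and build tag (+abc)
_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+\S*)?$")

def classify(version_text):
    """Return 'patched', 'affected', 'affected-unlisted' or 'unknown'."""
    m = _VERSION.match(version_text.strip())
    if m is None:
        return "unknown"  # not proven patched, so it needs manual review
    version = tuple(int(part) for part in m.group(1, 2, 3))
    if version == FIXED and m.group(4):
        return "unknown"  # a pre-release of 3.2.5 may predate the fix
    if version >= FIXED:
        return "patched"  # numeric compare, so 3.10.0 sorts after 3.2.5
    if version >= LISTED_MIN:
        return "affected"
    # The text says every version before 3.2.5 is affected, but the list
    # starts at 3.0.0: still flag older builds, under a separate label.
    return "affected-unlisted"

def triage(inventory_lines):
    """Group hosts by status from 'host,version' lines (assumed format)."""
    groups = {}
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        groups.setdefault(classify(version), []).append(host.strip())
    return {status: sorted(hosts) for status, hosts in groups.items()}

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    "# host,version",
    "ops-gw-01,3.2.4", "ops-gw-02,3.2.5", "hangar-ws-07,v3.0.0",
    "legacy-01,2.9.1", "cloud-a,3.10.0", "lab-03,3.2.5-rc1",
    "kiosk-12,unknown",
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:18} {', '.join(hosts)}")
```

Hosts reported as `unknown` or `affected-unlisted` should be checked by hand rather than assumed safe.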

Timeline

  • Vulnerability Discovered: March 15, 2024
  • Vendor Notified: March 16, 2024
  • Patch Released: March 20, 2024
  • Public Disclosure: March 25, 2024

Download the Patch

The security update is available for immediate download from the official Avation website: https://avation.com/security-update

Why This Matters

Avation Light Engine Pro is used by numerous airports, airlines, and aviation service providers worldwide. Successful exploitation could disrupt flight operations, compromise passenger data, or even pose safety risks. The aviation sector is considered critical infrastructure, making this vulnerability particularly concerning.

Recommended Actions

  • All users should assume they are affected and update immediately
  • Organizations should conduct security assessments of their aviation systems
  • Security teams should monitor for exploitation attempts
  • Consider implementing additional network security measures

Contact Information

For technical support:

Note: This is an active threat. Exploitation in the wild has been reported. Immediate action is required to protect your systems and data.
