CVE-2024-39717 Exposes Critical Vulnerability in Versa Director
2024-8-28 21:2:2 Author: cyble.com

CISA warns of CVE-2024-39717 in Versa Director, urging updates to version 22.1.4, MFA usage, and strengthening network security to prevent exploitation.

Key Takeaways

  • CVE-2024-39717 impacts Versa Director, a key platform for managing Versa SD-WAN solutions used by ISPs and MSPs.
  • CVE-2024-39717 involves an unrestricted file upload flaw that allows authenticated users to upload malicious files disguised as .png images.
  • Exploitation of this flaw can lead to unauthorized access and potential system compromise, posing a serious risk to affected organizations.
  • Cyble’s scan reveals 31 internet-exposed instances of Versa Director, with 16 in the U.S., indicating significant potential for exploitation.
  • An APT actor has exploited the vulnerability at a customer that had not implemented the recommended firewall and hardening measures.
  • Users are advised to upgrade to Versa Director version 22.1.4 or later and follow additional security practices to mitigate risks.

Overview

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a new vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability, identified as CVE-2024-39717, affects Versa Director, a widely used management platform for Versa SD-WAN solutions. Although it is not classified as a critical flaw, this zero-day vulnerability affects many users of Versa Director.

Versa Director is crucial for managing network configurations for Versa’s SD-WAN software, which is commonly utilized by internet service providers (ISPs) and managed service providers (MSPs). The impact of a single exposure can be considerable, highlighting why CISA has flagged this vulnerability as a critical concern.

Technical Details of CVE-2024-39717

CVE-2024-39717 has received a 7.2 (high) rating from the NIST National Vulnerability Database (NVD). The vulnerability is categorized as an unrestricted file upload issue, which allows authenticated users with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges to upload malicious files disguised as .png images through the “Change Favicon” feature.

This flaw affects several versions of Versa Director:

  • 21.2.3
  • 22.1.2
  • 22.1.3

The exploitation of this vulnerability requires successful authentication and login by an attacker with the appropriate privileges. Once exploited, it can lead to significant security risks, including unauthorized access and potential system compromise.
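Because the flaw accepts files that are only named like .png images, an upload handler or a defender reviewing uploaded favicons can check the content itself. The following is an added example, not code from Versa or Cyble; the function names and sample byte strings are hypothetical and constructed for illustration. It walks the PNG chunk structure and reports anything that is not a well-formed image, including data appended after the final chunk.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def check_png(data: bytes) -> list[str]:
    """Return the reasons the bytes are not a well-formed PNG (empty list = OK)."""
    if not data.startswith(PNG_SIGNATURE):
        return ["missing PNG signature"]
    problems, pos, chunk_types = [], len(PNG_SIGNATURE), []
    while pos < len(data):
        if pos + 12 > len(data):          # length + type + CRC need 12 bytes
            problems.append("truncated chunk header")
            break
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            problems.append("chunk length exceeds file size")
            break
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + body) != crc:
            problems.append(f"bad CRC in {ctype!r} chunk")
        chunk_types.append(ctype)
        pos = end
        if ctype == b"IEND":              # nothing may follow the end marker
            break
    if not chunk_types or chunk_types[0] != b"IHDR":
        problems.append("first chunk is not IHDR")
    if b"IDAT" not in chunk_types:
        problems.append("no image data (IDAT)")
    if not chunk_types or chunk_types[-1] != b"IEND":
        problems.append("no IEND chunk")
    elif pos < len(data):
        problems.append(f"{len(data) - pos} bytes appended after IEND")
    return problems

def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: length, type, body, CRC over type + body."""
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

# Constructed samples: a minimal 1x1 grayscale PNG and a text file named like an image
VALID_PNG = (PNG_SIGNATURE
             + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
             + make_chunk(b"IEND", b""))
DISGUISED = b"constructed text content saved with a .png name\n"
```

A well-formed chunk structure is a necessary check, not proof that a file is harmless; re-encoding accepted images and storing uploads where they cannot be executed remain the stronger controls.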

According to Cyble’s ODIN vulnerability scanning platform, 31 Versa Director instances are internet-exposed, 16 of which are located in the United States. This limited exposure could still result in substantial security risks, given the critical role Versa Director plays in network management for ISPs and MSPs.

The vendor has confirmed that CVE-2024-39717 has been exploited in at least one reported case by an APT (Advanced Persistent Threat) actor. This exploitation was made possible because the affected customer failed to implement the firewall requirements issued in 2015 and system hardening measures introduced in 2017. The oversight allowed the attacker to exploit the vulnerability without needing to interact with the graphical user interface (GUI).

Conclusion

The CVE-2024-39717 vulnerability in Versa Director represents a significant security risk for organizations using Versa SD-WAN solutions. While the CVSS score indicates a medium to high severity, the potential impact of this flaw should not be underestimated. Prompt action is essential to mitigate the risk of exploitation, protect sensitive data, and maintain overall system security.

Organizations should follow the outlined recommendations to address this vulnerability effectively. Staying current with software updates, applying recommended security practices, and maintaining vigilant monitoring are crucial steps in safeguarding against potential threats. By taking these proactive measures, users can help ensure their systems remain secure and resilient against cybersecurity challenges.

Mitigation and Recommendations

To mitigate the risks associated with CVE-2024-39717, Cyble recommends taking the following actions:

  • Deploy advanced network traffic analysis tools to identify and respond to suspicious activities like unauthorized access, lateral movement, and data breaches.
  • Require MFA for all users, with a focus on those accessing Versa Director servers, to safeguard against credential theft and unauthorized access.
  • Regularly review and verify user credentials and enforce least privilege to ensure that only authorized individuals can access critical systems and sensitive data.
  • Design and implement network segmentation strategies to prevent attackers from moving between critical and non-critical areas and thereby contain potential threats.
  • Ensure that critical system backups are performed regularly, securely stored, and routinely tested for reliability to protect against data loss and system failures.

Source: https://cyble.com/blog/cve-2024-39717-exposes-critical-vulnerability-in-versa-director/