CISA Urges Federal Agencies to Patch Versa Director Vulnerability by September

August 24, 2024

SecurityVulnerabilityCybersecurityCVECISA

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has placed a security flaw impacting Versa Director to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation.

The medium-severity vulnerability, tracked as CVE-2024-39717 (CVSS score: 6.6), is case of file upload bug impacting the "Change Favicon" feature that could allow a threat actor to upload a malicious file by masquerading it as a seemingly harmless PNG image file.

"The Versa Director GUI contains an unrestricted upload of file with dangerous type vulnerability that allows administrators with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges to customize the user interface," CISA said in an advisory.

"The 'Change Favicon' (Favorite Icon) enables the upload of a .png file, which can be exploited to upload a malicious file with a .PNG extension disguised as an image."

However, a successful exploitation is possible only after a user with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges has successfully authenticated and logged in.

While the exact circumstances surrounding the exploitation of CVE-2024-39717 is unclear, a description of the vulnerability in the NIST National Vulnerability Database (NVD) states that Versa Networks is aware of one confirmed instance in which a customer was targeted.

"The Firewall guidelines which were published in 2015 and 2017 were not implemented by that customer," the description states. "This non-implementation resulted in the bad actor being able to exploit this vulnerability without using the GUI."

Federal Civilian Executive Branch (FCEB) agencies are required to take steps to protect against the flaw by applying vendor-provided fixes by September 13, 2024.

The development comes days after CISA added four security shortcomings from 2021 and 2022 to its KEV catalog -

CVE-2021-33044 (CVSS score: 9.8) - Dahua IP Camera Authentication Bypass Vulnerability
CVE-2021-33045 (CVSS score: 9.8) - Dahua IP Camera Authentication Bypass Vulnerability
CVE-2021-31196 (CVSS score: 7.2) - Microsoft Exchange Server Information Disclosure Vulnerability
CVE-2022-0185 (CVSS score: 8.4) - Linux Kernel Heap-Based Buffer Overflow Vulnerability

It's worth noting that a China-linked threat actor codenamed UNC5174 (aka Uteus or Uetus) was attributed to the exploitation of CVE-2022-0185 by Google-owned Mandiant earlier this March.

CVE-2021-31196 was originally disclosed as part of a huge set of Microsoft Exchange Server vulnerabilities, collectively tracked as ProxyLogon, ProxyShell, ProxyToken, and ProxyOracle.

"CVE-2021-31196 has been observed in active exploitation campaigns, where threat actors target unpatched Microsoft Exchange Server instances," OP Innovate said. "These attacks typically aim to gain unauthorized access to sensitive information, escalate privileges, or deploy further payloads such as ransomware or malware."