August 27, 2024 Advisory: Versa Director Dangerous File Type Upload Vulnerability [CVE-2024-39717]

Date of Disclosure: August 22, 2024

CVE-ID and CVSS Score: CVE-2024-39717: CVSS 7.2 High (assigned by NIST) and CVSS 6.6 Medium (assigned by HackerOne)

Issue Name and Description: Versa Director Dangerous File Type Upload Vulnerability

Asset Description:

• Versa Director is a centralized management interface that helps organizations control and monitor their network infrastructure, particularly for software-defined wide area networks (SD-WANs). It’s commonly used by ISPs and MSPs to configure, deploy, and oversee network resources across multiple locations.
• This vulnerability affects Versa Director versions 21.2.3, 22.1.2, and 22.1.3

Vulnerability Impact: An authenticated user with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges could exploit the “Change Favicon” feature in the Versa Director GUI to upload a malicious .png file. However, due to the high level of privileges required and the details outlined in Versa’s advisory, this vulnerability is considered relatively difficult to exploit successfully. Furthermore, the NVD listing notes that in testing (though not exhaustive), the malicious file did not execute on the client, and reports from third-party backbone telemetry remain unconfirmed.

Exploitation Details:

This vulnerability was added to the CISA KEV catalog on Friday, August 23. Black Lotus Labs has linked the exploitation of this vulnerability to the Chinese state-sponsored group Volt Typhoon, attributing it “with moderate confidence” based on observed tactics and techniques.

They reported that the group has been using a custom web shell (dubbed “VersaMem”) to exploit this vulnerability, primarily targeting unpatched Versa Director systems, with attempts dating back to June 12, 2024. The ongoing attacks have reportedly affected several victims in the ISP, MSP, and IT sectors. At the time of writing, no other threat actors have been known to be targeting this.

Patch Availability: Versa has released patches to address these vulnerabilities at the following links:

• 21.2.3: https://support.versa-networks.com/support/solutions/articles/23000024323-release-21-2-3

• 22.1.2: https://support.versa-networks.com/support/solutions/articles/23000025680-release-22-1-2

• 22.1.3: https://support.versa-networks.com/support/solutions/articles/23000026033-release-22-1-3

All instances should be updated immediately to the latest patched version. In addition, Black Lotus has published a list of IoCs associated with this vulnerability.

Censys Perspective:

At the time of writing, Censys observed 163 exposed devices online.

To identify potentially all Versa Director instances (versions cannot be detected), the following Censys queries can be used:

• Censys Search Query: services.software: (vendor: Versa and product: Director)
• Censys ASM query: host.services.software: (vendor: Versa and product: Director) or web_entity.instances.software: (vendor: Versa and product: Director)

It’s recommended to segment these devices in a protected network so they’re not exposing ports to the public internet.

References:

• https://nvd.nist.gov/vuln/detail/CVE-2024-39717
• https://www.cisa.gov/news-events/alerts/2024/08/23/cisa-adds-one-known-exploited-vulnerability-catalog-versa-networks-director
• https://versa-networks.com/blog/versa-security-bulletin-update-on-cve-2024-39717-versa-director-dangerous-file-type-upload-vulnerability/