CVE-2024-39717
Versa Director Dangerous File Type Upload Vulnerability - [Actively Exploited]
Description
The Versa Director GUI provides an option to customize the look and feel of the user interface. This option is only available to a user logged in with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin (tenant-level users do not have this privilege). The “Change Favicon” (Favorite Icon) option can be misused to upload a malicious file ending with a .png extension to masquerade as an image file. This is possible only after a user with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin has successfully authenticated and logged in.
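The weakness described above is CWE-434 in its classic form: the upload is gated on the file name ending in .png rather than on the bytes actually being a PNG. The following is an added example, not Versa's code and not derived from the Versa Director implementation, that contrasts the extension-only check with a structural PNG check (signature, chunk framing and CRCs, IHDR first, IEND last, nothing after IEND) and reuses the same check to sweep a set of already-stored favicons. The file names, the sample files and the 64 KB size cap are constructed for the example.

```python
"""Added example (not Versa's code): contrast an extension-only check with a
structural PNG check for a favicon upload, and reuse the check to sweep
already-stored files.  Sample files, names and the size cap are constructed."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width: int = 1, height: int = 1) -> bytes:
    """Construct a minimal valid 8-bit RGB PNG (filter type 0, all-black)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def vulnerable_accepts(filename: str, data: bytes) -> bool:
    """The weak gate: trust the extension chosen by the client."""
    return filename.lower().endswith(".png")


def is_valid_png(data: bytes) -> bool:
    """Structural check: signature, well-framed chunks with correct CRCs,
    IHDR first, an IDAT present, IEND last, and no bytes after IEND
    (trailing data is a common place to hide a payload in a real image)."""
    if not data.startswith(PNG_SIGNATURE):
        return False
    pos, types = len(PNG_SIGNATURE), []
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        end = pos + 12 + length
        if end > len(data):
            return False                      # truncated chunk
        ctype, body = data[pos + 4:pos + 8], data[pos + 8:end - 4]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if crc != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            return False                      # corrupted or hand-crafted chunk
        types.append(ctype)
        pos = end
        if ctype == b"IEND":
            break
    if pos != len(data):
        return False                          # bytes after IEND, or a partial trailing chunk
    return (len(types) >= 3 and types[0] == b"IHDR"
            and b"IDAT" in types and types[-1] == b"IEND")


def hardened_accepts(filename: str, data: bytes, max_bytes: int = 64 * 1024) -> bool:
    """Name, size and content must all agree before the file is stored."""
    return (filename.lower().endswith(".png")
            and len(data) <= max_bytes
            and is_valid_png(data))


def scan_uploads(files: dict) -> list:
    """Sweep stored files: names that claim .png but whose bytes are not PNG."""
    return sorted(name for name, data in files.items()
                  if name.lower().endswith(".png") and not is_valid_png(data))


# Constructed samples: a real favicon, script text under a .png name, and a
# real PNG with extra bytes appended after IEND.
SAMPLES = {
    "favicon.png": build_png(16, 16),
    "favicon2.png": b"<% /* constructed: script text, not an image */ %>",
    "favicon3.png": build_png(1, 1) + b"<% /* constructed trailer */ %>",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:13} extension-only={vulnerable_accepts(name, data)!s:5} "
              f"content-checked={hardened_accepts(name, data)}")
    print("flagged by sweep:", scan_uploads(SAMPLES))
```

The extension-only gate accepts all three samples; the content check accepts only the constructed favicon and the sweep flags the other two. A structural check is not a decoder: for a production upload path, additionally decode and re-encode the image with an image library, store the result under a server-generated name outside any directory the application server will execute from, and log every rejection, since a rejected "favicon" from a Provider-Data-Center-Admin session is itself a signal worth investigating.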
INFO
Published Date: Aug. 22, 2024, 7:15 p.m.
Last Modified: Aug. 28, 2024, 7:47 p.m.
Source: [email protected]
Remotely Exploitable: Yes
Impact Score: 5.9
Exploitability Score: 1.2
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
The Versa Director GUI contains an unrestricted upload of file with dangerous type vulnerability that allows administrators with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges to customize the user interface. The “Change Favicon” (Favorite Icon) enables the upload of a .png file, which can be exploited to upload a malicious file with a .png extension disguised as an image.
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Customers may download the update from the vendor at the following link (note: a customer account is required): https://support.versa-networks.com/support/solutions/articles/23000026724-versa-director-ha-port-exploit-discovery-remediation
Note that the CNA's original submission (preserved in the vulnerability history below) records one confirmed exploitation on a deployment where Versa's firewall guidelines from 2015 and 2017 had not been applied, which let the attacker reach the upload without using the GUI. The vendor article linked above is titled for HA port exploit discovery and remediation, so check the network exposure of Director as well as the software version.
Public PoC/Exploit Available at Github
CVE-2024-39717 has 1 public PoC/exploit listed on GitHub; see the list below.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-39717.
URL | Resource |
---|---|
https://versa-networks.com/blog/versa-security-bulletin-update-on-cve-2024-39717-versa-director-dangerous-file-type-upload-vulnerability/ | Vendor Advisory |
We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proofs-of-concept that have been published on GitHub (sorted by most recently updated).
- Ostorlab KEV: One-command to detect most remotely known exploitable vulnerabilities. Sourced from CISA KEV, Google's Tsunami, Ostorlab's Asteroid and Bug Bounty programs. (Tags: cisa-kev, vulnerability, 0day, cisa, exploits.) By its own description this is a detection tool covering the KEV catalog generally, not an exploit written for CVE-2024-39717.
The following list contains news articles that mention CVE-2024-39717 anywhere in the article.
- SentinelOne
The Good, the Bad and the Ugly in Cybersecurity – Week 46
The Good | Extortionist Sentenced to 10 Years For Cybercrimes Against U.S. Medical Clinics This week, the FBI sentenced Robert Purbeck to 10 years in prison for stealing personal data from over 132,00 ...
- The Register
China's Volt Typhoon crew and its botnet surge back with a vengeance
China's Volt Typhoon crew and its botnet are back, compromising old Cisco routers once again to break into critical infrastructure networks and kick off cyberattacks, according to security researchers ...
- The Register
China's Volt Typhoon reportedly breached Singtel in 'test-run' for US telecom attacks
Chinese government cyberspies Volt Typhoon reportedly breached Singapore Telecommunications over the summer as part of their ongoing attacks against critical infrastructure operators. The digital brea ...
- The Hacker News
China Accuses U.S. of Fabricating Volt Typhoon to Hide Its Own Hacking Campaigns
China's National Computer Virus Emergency Response Center (CVERC) has doubled down on claims that the threat actor known as the Volt Typhoon is a fabrication of the U.S. and its allies. The agency, in ...
- Cybersecurity News
Proxmox Virtual Environment and Mail Gateway Exposed to Critical API Vulnerability
A critical vulnerability has been identified in Proxmox Virtual Environment (VE) and Proxmox Mail Gateway (PMG) that could allow unauthorized access to sensitive files and potentially lead to a full s ...
- The Cyber Express
Versa Director Flaw Could Lead to API Attacks, Token Theft
Vulnerabilities in Versa Director are never a small matter, as the platform manages network configurations for Versa’s SD-WAN software – which is often used by internet service providers (ISPs) and ma ...
- Cybersecurity News
Versa Networks Exposes Critical API Vulnerability in Versa Director (CVE-2024-45229)
Versa Networks has issued a security advisory regarding a vulnerability discovered in its Versa Director product, CVE-2024-45229. This vulnerability, which carries a CVSS score of 6.6, could potential ...
- Cybersecurity News
Zero-Click Calendar Invite: Critical macOS Vulnerability Chain Uncovered
In a recent analysis, security researcher Mikko Kenttälä exposed a critical zero-click vulnerability chain in macOS, potentially affecting millions of users. This exploit, dubbed the “Zero-Click Calen ...
- Dark Reading
When Startup Founders Should Start Thinking About Cybersecurity
It was a tale of two startups. "A company that I invested in — about, oh, five years ago — happened to be in the proptech [property technology] space," sai ...
- TheCyberThrone
CISA KEV Update Part II – September 2024.
The US CISA added below vulnerabilities to the Known Exploited Vulnerability Catalog based on the evidence of active exploitation: CVE-2024-40766 SonicWall SonicOS contains an improper access control vu ...
- Cybersecurity News
Akira Ransomware Exploits SonicWall SSLVPN Flaw (CVE-2024-40766)
SonicWall has issued a warning: the recently patched critical access control vulnerability, tracked as CVE-2024-40766, is now actively exploited in the wild. The flaw, originally thought to impact onl ...
- Cybersecurity News
RomCom Group’s Underground Ransomware Exploits Microsoft Zero-Day Flaw
FortiGuard Labs found a new ransomware variant, Underground, that has been linked to the Russia-based RomCom group (also known as Storm-0978). This insidio ...
- Cybersecurity News
Google Patches Actively Exploited Zero-Day in September Android Update
Google’s September 2024 Android security patch addresses 36 vulnerabilities, one of which has already been exploited in active targeted attacks. The zero-day flaw, tracked as CVE-2024-32896 (CVSS scor ...
- Cybersecurity News
CVE-2024-8105: An UEFI Flaw Putting Millions of Devices at Risk
A significant vulnerability, CVE-2024-8105, dubbed PKfail, has surfaced within the UEFI ecosystem. With a CVSS score of 8.2, this flaw exposes critical UEFI security mechan ...
- The Cyber Express
Versa Director Zero-Day Attack: A Non-Critical Vulnerability with Low Exposure Can Still Be Trouble
A zero-day vulnerability in Versa Director servers is proof that a vulnerability doesn’t require a critical severity rating and thousands of exposures to do significant damage. CVE-2024-39717, announc ...
- The Register
Volt Typhoon suspected of exploiting Versa SD-WAN bug since June
It looks like China's Volt Typhoon has found a new way into American networks as Versa has disclosed a nation-state backed attacker has exploited a high-severity bug affecting all of its SD-WAN ...
- Help Net Security
Versa Director zero-day exploited to compromise ISPs, MSPs (CVE-2024-39717)
Advanced, persistent attackers have exploited a zero-day vulnerability (CVE-2024-39717) in Versa Director to compromise US-based managed service providers with a custom-made web shell dubbed VersaMem ...
- Cybersecurity News
Chinese Hackers Deploy VersaMem Web Shell via Versa Director Zero-Day (CVE-2024-39717)
Black Lotus Labs, a threat intelligence team within Lumen Technologies, has uncovered the active exploitatio ...
- security.nl
Providers infected with malware that steals customers' login credentials
Internet providers and managed service providers have been the target of attacks since June in which a vulnerability in Versa Director is used to install malware that steals the login credentials of c ...
- krebsonsecurity.com
New 0-Day Attacks Linked to China’s ‘Volt Typhoon’
Malicious hackers are exploiting a zero-day vulnerability in Versa Director, a software product used by many Internet and IT service providers. Researchers believe the activity is linked to Volt Typho ...
- Ars Technica
Hackers infect ISPs with malware that steals customers’ credentials
"HIGHLY SIGNIFICANT" — Zero-day that was exploited since June to infect ISPs finally gets fixed. Malicious hackers likely working on behalf of the Chinese government have been exploiti ...
- BleepingComputer
Chinese Volt Typhoon hackers exploited Versa zero-day to breach ISPs, MSPs
The Chinese state-backed hacking group Volt Typhoon is behind attacks that exploited a zero-day flaw in Versa Director to upload a custom webshell to steal credentials and breach corporate networks. V ...
- The Hacker News
Chinese Volt Typhoon Exploits Versa Director Flaw, Targets U.S. and Global IT Sectors
The China-nexus cyber espionage group tracked as Volt Typhoon has been attributed with moderate confidence to the zero-day exploitation of a recently disclosed high-severity security flaw impacting Ve ...
- Dark Reading
China's Volt Typhoon Exploits Zero-Day in Versa's SD-WAN Director Servers
China's notorious Volt Typhoon group has been actively exploiting a zero-day bug in Versa Networks' Director Servers, to intercept and harvest credentials to be u ...
- BleepingComputer
Versa fixes Director zero-day vulnerability exploited in attacks
Versa Networks has fixed a zero-day vulnerability exploited in the wild that allows attackers to upload malicious files by exploiting an unrestricted file upload flaw in the Versa Director GUI. Versa ...
- TheCyberThrone
CISA adds Versa Networks Flaw CVE-2024-39717 to its KEV Catalog
The U.S. CISA has added CVE-2024-39717 to its Known Exploited Vulnerability catalog following the massive exploitation evidence. This vulnerability CVE-2024-39717 affects Versa Networks’ Director GUI, sp ...
- TheCyberThrone
GitHub fixes several vulnerabilities including CVE-2024-6800
GitHub has addressed several vulnerabilities in GitHub Enterprise Server (GHES) that could have allowed attackers to gain unauthorized access and manipulate repositories. The most critical vulnerabilit ...
- The Hacker News
CISA Urges Federal Agencies to Patch Versa Director Vulnerability by September
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has placed a security flaw impacting Versa Director to its Known Exploited Vulnerabilities (KEV) ca ...
- Cybersecurity News
CVE-2024-39717: Versa Networks Director GUI Flaw Under Active Attack, CISA Issues Urgent Patching Directive
In a recent cybersecurity alert, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has highlighted the active exploitation of a severe vulnerability identified as CVE-2024-39717. This f ...
- Cybersecurity News
Microsoft Signals End of an Era: Control Panel to be Phased Out
After over a decade of speculation, Microsoft has officially confirmed that the traditional Control Panel, a cornerstone of Windows system management for nearly three decades, is set to be deprecated ...
- Cybersecurity News
CVE-2024-21689: RCE Vulnerability in Atlassian Bamboo Data Center and Server
Atlassian, a global leader in software development tools, has issued a security advisory for its Bamboo Data Center and Server products, highlighting a high-severity Remote Code Execution (RCE) vulner ...
- Cybersecurity News
CVE-2024-5932 (CVSS 10): Critical RCE Vulnerability Impacts 100k+ WordPress Sites
A critical security flaw (CVE-2024-5932) in the popular GiveWP WordPress plugin has left over 100,000 websites vulnerable to remote code execution and unauthorized file deletion. This vulnerability, s ...
The following table lists the changes that have been made to the CVE-2024-39717 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
- Modified Analysis by [email protected], Aug. 28, 2024
  Changed Reference Type: https://versa-networks.com/blog/versa-security-bulletin-update-on-cve-2024-39717-versa-director-dangerous-file-type-upload-vulnerability/ (old: No Types Assigned; new: Vendor Advisory)
- CVE Modified by [email protected], Aug. 27, 2024
  Changed Description: old value is the description as originally submitted on Aug. 22 (quoted in full in the "CVE Received" entry below, including the "Severity: HIGH" and "Exploitation Status" text); new value is the current Description shown at the top of this page, with the Severity and Exploitation Status text removed.
  Added Reference (HackerOne): https://versa-networks.com/blog/versa-security-bulletin-update-on-cve-2024-39717-versa-director-dangerous-file-type-upload-vulnerability/ [No types assigned]
  Removed Reference (HackerOne): https://support.versa-networks.com/support/solutions/articles/23000026724-versa-director-ha-port-exploit-discovery-remediation
  Removed Reference (HackerOne): https://support.versa-networks.com/support/solutions/articles/23000024323-release-21-2-3
  Removed Reference (HackerOne): https://support.versa-networks.com/support/solutions/articles/23000025680-release-22-1-2
  Removed Reference (HackerOne): https://support.versa-networks.com/support/solutions/articles/23000026033-release-22-1-3
- Initial Analysis by [email protected], Aug. 26, 2024
  Added CVSS V3.1 (NIST): AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  Changed Reference Type (old: No Types Assigned; new: Permissions Required) for each of:
    https://support.versa-networks.com/support/solutions/articles/23000024323-release-21-2-3
    https://support.versa-networks.com/support/solutions/articles/23000025680-release-22-1-2
    https://support.versa-networks.com/support/solutions/articles/23000026033-release-22-1-3
    https://support.versa-networks.com/support/solutions/articles/23000026724-versa-director-ha-port-exploit-discovery-remediation
  Added CWE (NIST): CWE-434
  Added CPE Configuration (OR; each entry marked vulnerable):
    cpe:2.3:a:versa-networks:versa_director:21.2.2:*:*:*:*:*:*:*
    cpe:2.3:a:versa-networks:versa_director:21.2.3:*:*:*:*:*:*:*
    cpe:2.3:a:versa-networks:versa_director:22.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:versa-networks:versa_director:22.1.2:*:*:*:*:*:*:*
    cpe:2.3:a:versa-networks:versa_director:22.1.3:*:*:*:*:*:*:*
- CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725, Aug. 24, 2024
  Added Vulnerability Name: Versa Director Dangerous File Type Upload Vulnerability
  Added Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
  Added Due Date: 2024-09-13
  Added Date Added: 2024-08-23
- CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0, Aug. 23, 2024
  Added CWE (CISA-ADP): CWE-434
- CVE Received by [email protected], Aug. 22, 2024
  Added Description: "The Versa Director GUI provides an option to customize the look and feel of the user interface. This option is only available for a user logged with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin. (Tenant level users do not have this privilege). The “Change Favicon” (Favorite Icon) option can be mis-used to upload a malicious file ending with .png extension to masquerade as image file. This is possible only after a user with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin has successfully authenticated and logged in. Severity: HIGH. Exploitation Status: Versa Networks is aware of one confirmed customer reported instance where this vulnerability was exploited because the Firewall guidelines which were published in 2015 & 2017 were not implemented by that customer. This non-implementation resulted in the bad actor being able to exploit this vulnerability without using the GUI. In our testing (not exhaustive, as not all numerical versions of major browsers were tested) the malicious file does not get executed on the client. There are reports of others based on backbone telemetry observations of a 3rd party provider, however these are unconfirmed to date."
  Added Reference (HackerOne): https://support.versa-networks.com/support/solutions/articles/23000026724-versa-director-ha-port-exploit-discovery-remediation [No types assigned]
  Added Reference (HackerOne): https://support.versa-networks.com/support/solutions/articles/23000024323-release-21-2-3 [No types assigned]
  Added Reference (HackerOne): https://support.versa-networks.com/support/solutions/articles/23000025680-release-22-1-2 [No types assigned]
  Added Reference (HackerOne): https://support.versa-networks.com/support/solutions/articles/23000026033-release-22-1-3 [No types assigned]
  Added CVSS V3 (HackerOne): AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE - Common Weakness Enumeration
While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-39717 is associated with the following CWEs:
- CWE-434: Unrestricted Upload of File with Dangerous Type (assigned by NIST and by CISA-ADP; see the vulnerability history above)
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2024-39717 weaknesses.