August 26, 2024
Severity
Medium
Analysis Summary
Based on evidence of active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a Versa Director vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.
The medium-severity vulnerability, tracked as CVE-2024-39717 (CVSS score: 6.6), stems from a file upload issue in the "Change Favicon" feature. It could allow a threat actor to upload a malicious file disguised as a seemingly innocuous PNG image. Because of this unrestricted upload of dangerous file types, administrators with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges can freely alter the user interface of the Versa Director GUI.
The 'Change Favicon' (Favorite Icon) feature permits uploading a .PNG file, and it can be abused to upload a malicious file that carries a .PNG extension but is not actually an image. However, exploitation requires a user with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges to first successfully authenticate and log in.
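As an added example that is not Versa's code, the following Python contrasts the extension-only upload check that this class of bug relies on with a check that verifies the bytes really are a PNG, and reuses the stricter check to hunt a directory for .png files that are not images. The directory layout and both sample files are constructed assumptions for illustration.

```python
import os, struct, tempfile, zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def extension_only_check(filename: str) -> bool:
    # Weak gate: trusts the name alone, so any bytes pass as ".png".
    return filename.lower().endswith(".png")

def is_real_png(data: bytes) -> bool:
    # Strict gate: signature, then a 13-byte IHDR chunk with a valid CRC.
    if not data.startswith(PNG_SIGNATURE) or len(data) < 33:
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        return False
    crc = struct.unpack(">I", data[29:33])[0]
    return (zlib.crc32(ctype + data[16:29]) & 0xFFFFFFFF) == crc

def validate_favicon_upload(filename: str, data: bytes) -> bool:
    # Hardened upload check: the name must say PNG and the bytes must be PNG.
    return extension_only_check(filename) and is_real_png(data)

def find_disguised_pngs(directory: str) -> list:
    # Hunt: every *.png under `directory` whose first bytes are not PNG.
    hits = []
    for root, _, files in os.walk(directory):
        for name in files:
            if not extension_only_check(name):
                continue
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                head = fh.read(64)
            if not is_real_png(head):
                hits.append(path)
    return sorted(hits)

def _minimal_png() -> bytes:
    # Constructed sample: signature + a 1x1 RGBA IHDR chunk (no image data).
    chunk = b"IHDR" + struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)
    crc = struct.pack(">I", zlib.crc32(chunk) & 0xFFFFFFFF)
    return PNG_SIGNATURE + struct.pack(">I", 13) + chunk + crc

REAL_PNG = _minimal_png()
DISGUISED = b"<html>not an image</html>"  # constructed non-PNG bytes

def demo_hunt() -> list:
    # Write both samples as .png into a temp dir and return what the hunt flags.
    d = tempfile.mkdtemp()
    for name, data in (("favicon.png", REAL_PNG), ("disguised.png", DISGUISED)):
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return [os.path.basename(p) for p in find_disguised_pngs(d)]
```

Pointing `find_disguised_pngs` at the directory where an application stores uploaded favicons turns the same check into a quick post-patch sweep for files that passed an extension-only filter.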
Although the specific circumstances surrounding the exploitation of CVE-2024-39717 remain unclear, the description of the vulnerability in the NIST National Vulnerability Database (NVD) states that Versa Networks is aware of one confirmed instance in which a customer was targeted. That customer had not implemented the firewall guidelines released in 2015 and 2017, and as a result the malicious actor was able to exploit this vulnerability without needing the GUI.
Agencies under the Federal Civilian Executive Branch (FCEB) must apply vendor-provided remedies to mitigate the vulnerability by September 13, 2024. This development came just days after CISA updated its KEV catalog with four security flaws from 2021 and 2022: CVE-2021-33044, CVE-2021-33045, CVE-2021-31196, and CVE-2022-0185.
Notably, earlier in March, Google-owned Mandiant attributed the exploitation of CVE-2022-0185 to a China-linked threat actor tracked as UNC5174 (also known as Uteus or Uetus). When CVE-2021-31196 was first disclosed, it was linked to a large set of Microsoft Exchange Server vulnerabilities collectively known as ProxyLogon, ProxyShell, ProxyToken, and ProxyOracle.
Active exploitation campaigns targeting CVE-2021-31196 on unpatched Microsoft Exchange Server machines have been observed. These attacks typically aim to escalate privileges, gain unauthorized access to confidential data, or deliver additional payloads such as malware or ransomware.
Impact
- Unauthorized Access
- Privilege Escalation
Indicators of Compromise
CVE
- CVE-2024-39717
Remediation
- Refer to the Versa Networks advisory for patch, upgrade, or suggested workaround information.
- Organizations must test their assets for the vulnerability mentioned above and apply the available security patch or mitigation steps as soon as possible.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations must stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.