VULNERABILITY IN VERSA DIRECTOR SERVERS

Risk: high
Damage: high
Platform(s): Web Servers
Advisory ID: ngCERT-2024-0035
Version: NA
CVE: CVE-2024-39717
Published: November 27, 2024

Summary


ngCERT is aware of a critical zero-day vulnerability affecting all Versa Director servers, a widely used network management platform. The vulnerability is linked to Advanced Persistent Threat (APT) activity by the Volt Typhoon Hacking Group (VTHG). It enables unauthorized users with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges to potentially upload malicious files, which could lead to privilege escalation and remote code execution. Exposed management ports leave individuals and organizations vulnerable to unauthorized access, data breaches, and network attacks. This can result in significant loss of sensitive information, financial damage, and compromised system integrity. Individuals and organizations using Versa Director software should promptly take steps to mitigate this exploitation.

Description & Consequence


The CVE-2024-39717 vulnerability in Versa Director, a software-defined networking management tool, was exploited through a well-orchestrated attack chain that leverages specific weaknesses in the software's file upload and authentication mechanisms. Using a spear-phishing campaign and other identified vulnerabilities, a threat actor could gain limited access to systems connected to Versa Director.

Thereafter, the attacker would leverage compromised credentials or exploit misconfigured user permissions to achieve administrative access and upload malicious files, typically disguised as legitimate content such as .png files, to the /var/versa/vnms/web/custom_logo/ directory. The uploaded files are activated to execute commands, giving attackers control over the Versa Director server. This also allows attackers to escalate privileges, establish persistence, and gain control of connected systems through ports 4566 and 4570. Sensitive data is then harvested and exfiltrated to a command-and-control centre while evading detection. The versions affected include:

  1. Versa Director 22.1.3 images released before June 21, 2024 hot fix.
  2. Versa Director 22.1.2 image released before June 21, 2024 hot fix.
  3. All Versa Director 22.1.1.
  4. Versa Director 21.2.3 images released before June 21, 2024 hot fix.
  5. All Versa Director 22.2.2.

Exploitation of a vulnerability in Versa Director SD may lead to:

  1. System Compromise.
  2. Denial of Service (DoS).
  3. Malicious Script Injection.
  4. Reputational Damage.
  5. Financial Loss.
  6. Data Breach.
  7. Credential Theft.
  8. Malware Injection and Propagation.

Solution


The following categorized remedies are recommended for organizations to mitigate this vulnerability:

a.   Follow hardening best practices: Users should adhere to security hardening and firewall rules for Versa Director using the provided links:

(1)     https://docs.versa-networks.com/Solutions/System_Hardening

(2)     https://security-portal.versa-networks.com/psirt/emailbulletins

(3)     https://docs.versa-networks.com/Getting_Started/Deployment_and_Initial_Configuration/Deployment_Basics/Firewall_Requirements

b.   Upgrade Director to remediated versions: The Director software should be upgraded promptly to one of the remediated versions available at https://versa-networks.com/blog/versa-security-bulletin-update-on-cve-2024-39717-versa-director-dangerous-file-type-upload-vulnerability/.   

c.   Check for vulnerability exploitation: Inspect the /var/versa/vnms/web/custom_logo/ folder for any suspicious files possibly uploaded due to vulnerability exploitation. Run the command: file -b --mime-type <.png file> which should report the file type as "image/png".

d.   Strengthen access controls and restrict network exposure of Versa Director servers.
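
The check in step c, as an added example that is not part of the ngCERT advisory or of Versa's tooling: a POSIX shell function that runs file -b --mime-type over every file in the logo directory and lists those that do not report image/png. The function names and the magic-byte fallback for hosts without file(1) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not ngCERT or Versa code): flag files in the custom logo
# directory whose content is not PNG, whatever their extension says.

# Print the MIME type of one file. Uses file(1) as the advisory recommends;
# the magic-byte fallback for hosts without file(1) is an assumption added here.
mime_of() {
    if command -v file >/dev/null 2>&1; then
        file -b --mime-type "$1"
    else
        # PNG files start with the 8-byte signature 89 50 4E 47 0D 0A 1A 0A.
        _sig=$(od -An -tx1 -N8 "$1" | tr -d ' \n')
        if [ "$_sig" = "89504e470d0a1a0a" ]; then
            echo "image/png"
        else
            echo "unknown"
        fi
    fi
}

# scan_logo_dir DIR: print "<mime-type><TAB><path>" for every regular file in
# DIR (dotfiles included) that is not image/png. Returns 1 if any were found.
scan_logo_dir() {
    _dir=$1
    _found=0
    for _f in "$_dir"/* "$_dir"/.[!.]*; do
        [ -f "$_f" ] || continue        # skips unmatched globs and subdirectories
        _mime=$(mime_of "$_f")
        if [ "$_mime" != "image/png" ]; then
            printf '%s\t%s\n' "$_mime" "$_f"
            _found=1
        fi
    done
    return "$_found"
}

# Run against the directory given as the first argument, e.g.
#   sh check_logos.sh /var/versa/vnms/web/custom_logo
if [ -n "${1:-}" ]; then
    scan_logo_dir "$1"
fi
```

file(1) decides from the leading bytes of each file, so an empty listing is one signal, not proof that the directory is clean.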
