The US Cybersecurity and Infrastructure Security Agency (CISA) has added a security flaw affecting Versa Director to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The medium-severity vulnerability, tracked as CVE-2024-39717 (CVSS score: 6.6), is a file upload bug in the "Change Favicon Icon" feature that could allow a threat actor to upload a malicious file by masquerading it as a seemingly harmless PNG image.
"The Versa Director GUI contains an unrestricted upload of file with dangerous type vulnerability that allows administrators with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges to customize the user interface," the CISA advisory said.
"The 'Change Favicon Icon' allows the upload of a .png file, which can be exploited to upload a malicious file with a .PNG extension disguised as an image."
However, successful exploitation is possible only after a user with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges has successfully authenticated and logged in.
While the exact circumstances surrounding the exploitation of CVE-2024-39717 are unclear, the vulnerability's description in the NIST National Vulnerability Database (NVD) states that Versa Networks is aware of one confirmed instance of a customer being attacked.
"The firewall guidelines published in 2015 and 2017 were not implemented by this customer," the description reads. "This non-implementation resulted in the attacker being able to exploit this vulnerability without using the GUI."
Federal Civilian Executive Branch (FCEB) agencies are required to apply the vendor-provided fixes by September 13, 2024.
The development comes days after CISA added four security flaws from 2021 and 2022 to its KEV catalog –
- CVE-2021-33044 (CVSS Score: 9.8) – Dahua IP Camera Authentication Bypass Vulnerability
- CVE-2021-33045 (CVSS Score: 9.8) – Dahua IP Camera Authentication Bypass Vulnerability
- CVE-2021-31196 (CVSS Score: 7.2) – Microsoft Exchange Server Information Disclosure Vulnerability
- CVE-2022-0185 (CVSS Score: 8.4) – Linux Kernel Heap-Based Buffer Overflow Vulnerability
It is worth noting that the China-linked threat actor codenamed UNC5174 (aka Uteus or Uetus) was attributed to the exploitation of CVE-2022-0185 by Google-owned Mandiant earlier this March.
CVE-2021-31196 was originally disclosed as part of a broader set of Microsoft Exchange Server vulnerabilities collectively tracked as ProxyLogon, ProxyShell, ProxyToken, and ProxyOracle.
"CVE-2021-31196 has been observed in active exploitation campaigns where threat actors target unpatched instances of Microsoft Exchange Server," OP Innovate said. "These attacks typically aim to gain unauthorized access to sensitive information, elevate privileges, or deploy additional payloads such as ransomware or malware."