CISA Urges Federal Agencies to Patch Versa Director Vulnerability by September

Aug 24, 2024 | Ravie Lakshmanan | Vulnerability / Government Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a security flaw impacting Versa Director to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation.

The medium-severity vulnerability, tracked as CVE-2024-39717 (CVSS score: 6.6), is a file upload bug impacting the "Change Favicon" feature that could allow a threat actor to upload a malicious file by masquerading it as a seemingly harmless PNG image file.

“The Versa Director GUI contains an unrestricted upload of file with dangerous type vulnerability that allows administrators with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges to customize the user interface,” CISA stated in an advisory.

“The ‘Change Favicon’ (Favorite Icon) enables the upload of a .png file, which can be exploited to upload a malicious file with a .PNG extension disguised as an image.”


However, successful exploitation is possible only after a user with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges has successfully authenticated and logged in.
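The weakness CISA describes is an upload check that trusts the file name: anything ending in .png is accepted, whatever its contents. The following is an added example (not Versa's or CISA's code) that puts the extension-only check beside a content-based check that parses the PNG container (signature, IHDR, chunk CRCs, IEND) before accepting the upload. The size limit, dimension limit and sample payloads are assumptions constructed for the example, not Versa Director settings or the observed exploit.

```python
"""Extension-only favicon check versus a content-based PNG check.

Added illustration, not Versa Director code. Everything below is stdlib only;
the sample inputs are constructed here so the file runs offline.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_FAVICON_BYTES = 64 * 1024   # assumed policy limit for a favicon upload
MAX_FAVICON_DIMENSION = 1024    # assumed sanity bound on width/height


def extension_only_check(filename: str) -> bool:
    """The weak check: any name ending in .png (case-insensitive) passes,
    so a script renamed to shell.png is accepted without inspection."""
    return filename.lower().endswith(".png")


def is_valid_png(data: bytes) -> bool:
    """Content check: PNG signature, IHDR as first chunk with sane
    dimensions, a correct CRC on every chunk, and IEND as the final bytes."""
    if not data.startswith(PNG_SIGNATURE):
        return False
    pos = len(PNG_SIGNATURE)
    seen_ihdr = False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4
        if chunk_end > len(data):          # declared length runs past the file
            return False
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:chunk_end])
        if zlib.crc32(ctype + body) != crc:  # tampered or non-PNG bytes
            return False
        if not seen_ihdr:
            if ctype != b"IHDR" or length != 13:
                return False
            width, height = struct.unpack(">II", body[:8])
            if not (0 < width <= MAX_FAVICON_DIMENSION and 0 < height <= MAX_FAVICON_DIMENSION):
                return False
            seen_ihdr = True
        if ctype == b"IEND":
            return chunk_end == len(data)  # nothing may trail the image
        pos = chunk_end
    return False                            # ran out of bytes before IEND


def hardened_check(filename: str, data: bytes) -> bool:
    """Accept only when name, size and parsed content all agree it is a PNG."""
    return (extension_only_check(filename)
            and len(data) <= MAX_FAVICON_BYTES
            and is_valid_png(data))


# --- constructed sample inputs -------------------------------------------
def png_chunk(ctype: bytes, body: bytes) -> bytes:
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body)))

# A real 1x1 RGB PNG built from its chunks.
MINIMAL_PNG = (PNG_SIGNATURE
               + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
               + png_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))
               + png_chunk(b"IEND", b""))

# A stand-in for a script uploaded under a .png name (constructed, inert text).
DISGUISED_SCRIPT = b"<% out.println(\"not an image\"); %>\n"

# A "polyglot" that only passes a signature sniff: PNG magic glued to the script.
POLYGLOT = PNG_SIGNATURE + DISGUISED_SCRIPT


if __name__ == "__main__":
    for name, blob in [("favicon.png", MINIMAL_PNG),
                       ("shell.png", DISGUISED_SCRIPT),
                       ("shell.png", POLYGLOT)]:
        print(f"{name:12} ext-only={extension_only_check(name)!s:5} "
              f"hardened={hardened_check(name, blob)}")
```

The extension-only check passes all three samples; the hardened check passes only the genuine PNG, rejects the renamed script at the signature, and rejects the polyglot when the first "chunk length" read from the script bytes runs past the end of the file. In a real service the accepted bytes should also be written under a server-generated name outside any script-executing path, so that even a file that survives the parser cannot be reached as code.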

While the exact circumstances surrounding the exploitation of CVE-2024-39717 are unclear, a description of the vulnerability in the NIST National Vulnerability Database (NVD) states that Versa Networks is aware of one confirmed instance in which a customer was targeted.

“The Firewall guidelines which were published in 2015 and 2017 were not implemented by that customer,” the description states. “This non-implementation resulted in the bad actor being able to exploit this vulnerability without using the GUI.”

Federal Civilian Executive Branch (FCEB) agencies are required to take steps to protect against the flaw by applying vendor-provided fixes by September 13, 2024.

The development comes days after CISA added four security shortcomings from 2021 and 2022 to its KEV catalog -

  • CVE-2021-33044 (CVSS score: 9.8) – Dahua IP Camera Authentication Bypass Vulnerability
  • CVE-2021-33045 (CVSS score: 9.8) – Dahua IP Camera Authentication Bypass Vulnerability
  • CVE-2021-31196 (CVSS score: 7.2) – Microsoft Exchange Server Information Disclosure Vulnerability
  • CVE-2022-0185 (CVSS score: 8.4) – Linux Kernel Heap-Based Buffer Overflow Vulnerability

It's worth noting that a China-linked threat actor codenamed UNC5174 (aka Uteus or Uetus) was attributed to the exploitation of CVE-2022-0185 by Google-owned Mandiant earlier this March.


CVE-2021-31196 was originally disclosed as part of a massive set of Microsoft Exchange Server vulnerabilities, collectively tracked as ProxyLogon, ProxyShell, ProxyToken, and ProxyOracle.

“CVE-2021-31196 has been observed in active exploitation campaigns, where threat actors target unpatched Microsoft Exchange Server instances,” OP Innovate stated. “These attacks typically aim to gain unauthorized access to sensitive information, escalate privileges, or deploy further payloads such as ransomware or malware.”
