CVE-2024-39717
Published 2024-08-22
Priority: P2 (78) · Severity: high · CVSS 3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) · KEV · ITW
CISA Known Exploited Vulnerability (due 2024-09-13)
Exploited in the wild
EPSS: 4.01% (89.3rd percentile)
The Versa Director GUI provides an option to customize the look and feel of the user interface. This option is only available to a user logged in with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges (tenant-level users do not have this privilege). The “Change Favicon” (Favorite Icon) option can be misused to upload a malicious file with a .png extension that masquerades as an image file. This is possible only after a user with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges has successfully authenticated and logged in.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| versa | director | 21.2.2 | — |
| versa | director | 21.2.3, builds before 2024-06-21 | 21.2.3, build of 2024-06-21 |
| versa | director | 22.1.1 | — |
| versa | director | 22.1.2, builds before 2024-06-21 | — |
| versa | director | 22.1.3, builds before 2024-06-21 | — |
Detection & IOCs (extracted from sources)
- Look for short-duration TCP sessions to port 4566 from non-Versa (SOHO) IP addresses immediately followed by moderate-to-large HTTPS sessions to port 443 — this pattern is assessed as a likely signature of successful exploitation.
- Inspect /var/versa/vnms/web/custom_logo/ for suspicious files (e.g. Java JARs masquerading as PNG images), as the webshell is planted via the Change Favicon upload feature.
- Check /tmp/.temp.data for the presence of encrypted stolen credentials written by the VersaMem webshell.
- Audit Versa Director for newly created accounts with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges; threat actors created such accounts via the exposed HA port as a precursor to exploiting the file upload vulnerability.
- The VersaMem webshell loads in-memory Java bytecode executed within the Tomcat webserver process — hunt for anomalous in-memory class loading within Tomcat on Versa Director systems.
- The VersaMem malware had 0 detections on VirusTotal at time of discovery and is designed specifically for Versa Directors — do not rely solely on AV/EDR for detection.
- The vulnerability is only exploitable when the Versa Director HA management port (4566) is exposed to the internet; systems with proper firewall hardening in place were not exploitable via this attack chain.
- Exploitation requires an account with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges; tenant-level users cannot exploit this vulnerability directly.
- Threat actors exploited the exposed HA port (4566) using an NCS client to first create a privileged account, then used that account to upload the malicious webshell — blocking port 4566 from non-Versa nodes breaks the initial access chain.
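A host-side check for the second indicator above (JARs planted in /var/versa/vnms/web/custom_logo/ under a .png name), added here as an example that is not part of any cited source: it classifies files by magic bytes rather than extension and, going beyond the page, also flags a PNG/JAR polyglot, since a valid PNG header with a ZIP archive appended still opens as a JAR. The directory contents are constructed for the demo.

```python
import io
import tempfile
import zipfile
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ZIP_LOCAL_HDR = b"PK\x03\x04"         # a JAR is a ZIP archive
ZIP_EOCD = b"PK\x05\x06"              # ZIP end-of-central-directory record
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"
TINY_PNG = PNG_MAGIC + b"\x00\x00\x00\x00IEND\xaeB`\x82"  # constructed: signature + IEND

def classify_upload(data: bytes) -> str:
    """Classify a favicon upload by its content rather than its extension."""
    if data.startswith(ZIP_LOCAL_HDR):
        return "jar"
    if data.startswith(JAVA_CLASS_MAGIC):
        return "java-class"
    if data.startswith(PNG_MAGIC):
        # A PNG signature alone proves nothing: ZIP readers find the archive via
        # the EOCD record in the last 64 KiB + 22 bytes, so a JAR appended to a
        # real PNG still opens as a JAR.
        if ZIP_EOCD in data[-65557:]:
            return "png-jar-polyglot"
        return "png"
    return "unknown"

def find_masquerading_uploads(directory) -> list:
    """Return (name, detected type) for *.png files that are not plain PNGs."""
    findings = []
    for path in sorted(Path(directory).iterdir()):
        if path.is_file() and path.suffix.lower() == ".png":
            kind = classify_upload(path.read_bytes())
            if kind != "png":
                findings.append((path.name, kind))
    return findings

def _tiny_jar() -> bytes:
    # Constructed: a minimal JAR holding only a manifest (no real payload).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()

def build_sample_dir() -> str:
    """Constructed stand-in for custom_logo/: one real PNG and two disguised JARs."""
    d = tempfile.mkdtemp()
    (Path(d) / "favicon.png").write_bytes(TINY_PNG)
    (Path(d) / "logo.png").write_bytes(_tiny_jar())              # JAR renamed to .png
    (Path(d) / "banner.png").write_bytes(TINY_PNG + _tiny_jar())  # PNG/JAR polyglot
    return d
```

To run it against a real Director, point find_masquerading_uploads at /var/versa/vnms/web/custom_logo/ instead of the constructed directory; any hit other than "png" warrants pulling the file for analysis.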
CVSS provenance
- NVD (v3.1): 7.2 HIGH, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- NVD (v3.0): 6.6 MEDIUM, CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 7.2 HIGH
- CISA: 7.2 HIGH
GHSA
GHSA-7v24-gjqv-fwg7: The Versa Director GUI provides an option to customize the look and feel of the user interface
ghsa_unreviewed · 2024-08-22 · CVE-2024-39717 · [MEDIUM] · CWE-434
Severity: HIGH
Exploitation Status: Versa Networks is aware of one confirmed customer reported instance where this vulnerability was exploited because the Firewall guidelines which were published in 2015 & 2017 were not implemented by that c
VulnCheck
Versa Director Dangerous File Type Upload Vulnerability
vulncheck · 2024 · CVSS 7.2 · CVE-2024-39717 · [HIGH] · CWE-434
The Versa Director GUI contains an unrestricted upload of a file with a dangerous type (CWE-434) in the feature that allows administrators with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges to customize the user interface. The “Change Favicon” (Favorite Icon) option accepts the upload of a .png file, which can be exploited to upload a malicious file with a .png extension disguised as an image.
Affected: Versa Director
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://versa-networks.com/blog/versa-security-bulletin-update-on-cve-2024-3
CISA
Versa Director Dangerous File Type Upload Vulnerability
cisa · 2024-08-23 · CVSS 7.2 · CVE-2024-39717 · [HIGH] · CWE-434
Affected: Versa Director
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://versa-networks.com/blog/versa-security-bulletin-update-on-cve-2024-39717-versa-director-dangerous-file-type-upload-vulnerability/; https://nvd.nist.gov/vuln/
No detection rules found.
No public exploits indexed.
Tenable
Volt Typhoon: U.S. Critical Infrastructure Targeted by State-Sponsored Actors
blogs_tenable · 2024-11-19
Bleepingcomputer
Chinese Volt Typhoon hackers exploited Versa zero-day to breach ISPs, MSPs
blogs_bleepingcomputer · 2024-08-27 · CVSS 7.2 · CVE-2024-39717 · [HIGH]
By Lawrence Abrams
The Chinese state-backed hacking group Volt Typhoon is behind attacks that exploited a zero-day flaw in Versa Director to upload a custom webshell to steal credentials and breach corporate networks.
Versa Director is a management platform ISPs and MSPs use to manage virtual WAN connections created using SD-WAN services.
The vulnerability is tracked as CVE-2024-39717 and resides in a feature allowing admins to upload custom icons to customize the Versa Director GUI. However, the flaw allowed threat actors with administrator privileges to upload malicious Java files disguised as PNG images, which can then be executed remotely.
In an advisory published yesterday, Versa says that Director ver
Krebs
New 0-Day Attacks Linked to China’s ‘Volt Typhoon’
blogs_krebs · 2024-08-27 · CVSS 7.2 · [HIGH]
Malicious hackers are exploiting a zero-day vulnerability in Versa Director, a software product used by many Internet and IT service providers. Researchers believe the activity is linked to Volt Typhoon, a Chinese cyber espionage group focused on infiltrating critical U.S. networks and laying the groundwork for the ability to disrupt communications between the United States and Asia during any future armed conflict with China.
Versa Director systems are primarily used by Internet service providers (ISPs), as well as managed service providers (MSPs) that cater to the IT needs of many small to mid-sized businesses simultaneously. In a security advisory published Aug. 26, Versa urged customers to deploy a patch for the vulnerability (CVE-2024-39717), which the company said is fixed in Versa
Bleepingcomputer
Versa fixes Director zero-day vulnerability exploited in attacks
blogs_bleepingcomputer · 2024-08-26 · CVSS 7.2 · CVE-2024-39717 · [HIGH]
By Sergiu Gatlan
Versa Networks has fixed a zero-day vulnerability exploited in the wild that allows attackers to upload malicious files by exploiting an unrestricted file upload flaw in the Versa Director GUI.
Versa Director is a platform designed to help Internet Service Providers (ISPs) and Managed Service Providers (MSPs) to manage software-defined wide area networks (SD-WANs).
The flaw (CVE-2024-39717), tagged by Versa as a high-severity vulnerability in the software's "Change Favicon" feature, allows threat actors with administrator privileges to upload malicious files camouflaged as PNG images.
"This vulnerability allowed potentially malicious files to be uploaded by users with Provider-Data-Center-Admin or Pro
Greynoiseio
Storm⚡️Watch
blogs_greynoiseio
Threat Intel
Volt Typhoon (Volt Typhoon, BRONZE SILHOUETTE, Vanguard Panda)
threat_intel · CVSS 7.2 · [HIGH]
# Threat Actor Profile: Volt Typhoon
ATT&CK ID: G1017
Also known as: Volt Typhoon, BRONZE SILHOUETTE, Vanguard Panda, DEV-0391, UNC3236, Voltzite, Insidious Taurus
Suspected origin: China
## Overview
Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and its territories including Guam. Volt Typhoon's targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. Volt Typhoon has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands on keyboard activities, and stolen credentials.(Citation: CISA AA24-0
ATT&CK
Versa Director Zero Day Exploitation
mitre_attack · CVSS 7.2 · CVE-2024-39717 · [HIGH]
[Versa Director Zero Day Exploitation](https://attack.mitre.org/campaigns/C0039) was conducted by [Volt Typhoon](https://attack.mitre.org/groups/G1017) from early June through August 2024 as zero-day exploitation of Versa Director servers controlling software-defined wide area network (SD-WAN) applications. Since tracked as CVE-2024-39717, exploitation focused on credential capture from compromised Versa Director servers at managed service providers (MSPs) and internet service providers (ISPs) to enable follow-on access to service provider clients. [Versa Director Zero Day Exploitation](https://attack.mitre.org/campaigns/C0039) was followed by the delivery of the [VersaMem](https://attack.mitre.org/software/S1154) web shell for both credential theft an
Timeline
- 2024-08-22: Published
- 2024-08-23: Added to CISA KEV
- Exploited in the wild