CVE-2024-39717
published 2024-08-22


Priority: P2 (78, high)
CVSS 3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
CISA Known Exploited Vulnerability (KEV), due 2024-09-13
Exploited in the wild (ITW)
EPSS: 4.01% (89.3 percentile)
The Versa Director GUI provides an option to customize the look and feel of the user interface. This option is only available to a user logged in with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges (tenant-level users do not have this privilege). The “Change Favicon” (Favorite Icon) option can be misused to upload a malicious file with a .png extension that masquerades as an image file. This is possible only after a user with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges has successfully authenticated and logged in.

Affected (10 ranges)

Vendor | Product | Version range | Fixed in
versa-networks | versa_director | |
versa-networks | versa_director | |
versa-networks | versa_director | |
versa-networks | versa_director | |
versa-networks | versa_director | |
versa | director | 21.2.2 – 21.2.2 |
versa | director | >= 21.2.3 before 2024-06-21, < 21.2.3 before 2024-06-21 | 21.2.3 before 2024-06-21
versa | director | 22.1.1 – 22.1.1 |
versa | director | 22.1.2 before 2024-06-21 – 22.1.2 before 2024-06-21 |
versa | director | 22.1.3 before 2024-06-21 – 22.1.3 before 2024-06-21 |

Detection & IOCs (extracted from sources)

path: /var/versa/vnms/web/custom_logo/
path: /tmp/.temp.data
port: 4566
port: 4570
other: VersaMem webshell (Director_tomcat_memShell)
  • Look for short-duration TCP sessions to port 4566 from non-Versa (SOHO) IP addresses immediately followed by moderate-to-large HTTPS sessions to port 443 — this pattern is assessed as a likely signature of successful exploitation.
  • Inspect /var/versa/vnms/web/custom_logo/ for suspicious files (e.g. Java JARs masquerading as PNG images) as the webshell is planted via the Change Favicon upload feature.
  • Check /tmp/.temp.data for the presence of encrypted stolen credentials written by the VersaMem webshell.
  • Audit Versa Director for newly created accounts with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges, which threat actors created via the exposed HA port as a precursor to exploiting the file upload vulnerability.
  • The VersaMem webshell loads in-memory Java byte code executed within the Tomcat webserver process — hunt for anomalous in-memory class loading within Tomcat on Versa Director systems.
  • The VersaMem malware had 0 detections on VirusTotal at time of discovery and is designed specifically for Versa Directors — do not rely solely on AV/EDR for detection.
  • The vulnerability is only exploitable when the Versa Director HA management port (4566) is exposed to the internet; systems with proper firewall hardening in place were not exploitable via this attack chain.
  • Exploitation requires an account with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges; tenant-level users cannot exploit this vulnerability directly.
  • Threat actors exploited the exposed HA port (4566) using an NCS client to first create a privileged account, then used that account to upload the malicious webshell; blocking port 4566 from non-Versa nodes breaks the initial access chain.

CVSS provenance

nvd | v3.1 | 7.2 HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd | v3.0 | 6.6 MEDIUM | CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
vulncheck | | 7.2 HIGH |
cisa | | 7.2 HIGH |