Versa Security Bulletin: Update on CVE-2024-39717 – Versa Director Dangerous File Type Upload Vulnerability
August 26, 2024
Affected Platforms: Versa Director
Impacted Users: Targeted at managed service providers
Impact: Privilege Escalation
Severity Level: High
Overview
- Versa Networks has established and published Firewall Requirements since 2015 and System Hardening requirements since 2017.
- A vulnerability was recently discovered in Versa Director (CVE-2024-39717). This vulnerability allowed potentially malicious files to be uploaded by users with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges.
- Impacted customers had not implemented system hardening and firewall guidelines mentioned above, leaving a management port exposed on the internet that provided the threat actors with initial access.
- Versa has released a patch for the vulnerability, and we are actively working with all customers to ensure the patch and system hardening guidelines are applied.
Exploitation Status
- This vulnerability has been exploited in at least one known instance by an Advanced Persistent Threat actor.
- Although the vulnerability is difficult to exploit, it’s rated “High” and affects all Versa SD-WAN customers using Versa Director that have not implemented the system hardening and firewall guidelines.
- CISA has added this vulnerability to its “Known Exploited Vulnerabilities” list (CVE-2024-39717).
Affected Systems and Versions
Versa Director:
| Versions | Affected | Unaffected |
| 22.1.4 | None | All |
| 22.1.3 | 22.1.3 images released before June 21, 2024 hot fix. | 22.1.3 June 21, 2024 Hot Fix and later. |
| 22.1.2 | 22.1.2 image released before June 21, 2024 hot fix. | 22.1.2 June 21, 2024 Hot Fix and later. |
| 22.1.1 | All | None. Please upgrade to 22.1.3 latest version. |
| 21.2.3 | 21.2.3 images released before June 21, 2024 hot fix. | 21.2.3 June 21, 2024 and later. |
| 21.2.2 | All | None. Please upgrade to 21.2.3 latest version. |
What should Versa customers do?
Apply hardening best practices
Customers should ensure that they have followed recommended best practices for security hardening of Versa Director. Customers can access detailed system hardening and firewall rules guidelines here:
Firewall Guidelines:
Firewall Requirements (since 2015): This document details the necessary ports and protocols that need to be opened on the appropriate interfaces.
System Hardening (since 2017): This document provides comprehensive steps for implementing the hardening process for all components of the Versa solution.
Upgrade Director to one of the remediated versions
Versa recommends that the Director software be upgraded as soon as possible to one of the remediated software versions (see Resources below).
Check to see if the vulnerability has already been exploited
To identify if the vulnerability has already been exploited, customers can inspect the /var/versa/vnms/web/custom_logo/ folder for any suspicious uploaded files. Running the command: file -b --mime-type <.png file> should report the file type as “image/png”.
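The same check applied to every file in the folder rather than one file at a time, as an added example that is not part of Versa's bulletin or tooling. The function names are hypothetical, and it assumes the standard file and find utilities are installed on the Director host.

```shell
#!/bin/sh
# Added example (not Versa's code): sweep the custom logo folder named in the
# bulletin and flag files whose content is not really a PNG.
LOGO_DIR=/var/versa/vnms/web/custom_logo   # path from the bulletin

# List every regular file under $1 whose detected type is not image/png,
# one "mime<TAB>path" line each. The file extension is ignored on purpose:
# a renamed file still reports its real content type. Empty or unreadable
# files are listed too, because they do not report image/png either.
list_non_png() {
    find "$1" -type f -exec sh -c '
        for f in "$@"; do
            m=$(file -b --mime-type -- "$f")
            [ "$m" = "image/png" ] || printf "%s\t%s\n" "$m" "$f"
        done' sh {} +
}

# Return status: 0 = only PNGs found, 1 = something to investigate,
# 2 = folder missing or unreadable (never treat that as "clean").
scan_logo_dir() {
    dir=${1:-$LOGO_DIR}
    [ -d "$dir" ] && [ -r "$dir" ] || { echo "cannot read $dir" >&2; return 2; }
    hits=$(list_non_png "$dir")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Run the sweep only when asked, e.g.:  sh check_logos.sh scan [folder]
if [ "${1:-}" = "scan" ]; then
    scan_logo_dir "${2:-$LOGO_DIR}"
fi
```

Preserve any flagged file, with its timestamps and ownership, for review before removing it.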
If you are a Versa customer who needs assistance with patching, system hardening, or remediation, please contact Versa Technical Support.
Resources
Customers can access one of the patched/remediated versions of Versa Director from the following software download links:
- 22.1.4: Not affected.
For additional information, please refer to the following resources:
Security Bulletin Advising Hardening
Versa has sent out a security bulletin titled Security Bulletin: Advising The Review of Firewall Requirements for Versa Components to customers and partners on Friday, July 26, 2024. (Versa customer access only)
Security Bulletin Advising Vulnerability
Versa has notified customers and partners about the vulnerability in Security Bulletin: Advising Zero-Day Vulnerability In Versa Director that was sent out on Friday, August 9, 2024. (Versa customer access only)
CISA Known Exploited Vulnerability Catalog
This CVE information is publicly available from CISA (Cybersecurity and Infrastructure Security Agency – part of the U.S. Department of Homeland Security), which curates a list of CVEs called the Known Exploited Vulnerabilities (KEV) catalog at CVE-2024-39717 – Versa Director Dangerous File Type Upload Vulnerability.
Versa Security Portal
Versa has updated the PSIRT section of the Versa Security Portal with CVE-2024-39717 to ensure that customers have one place to go for our most current information and remediation guidance. (Versa customer access only)
Versa System Hardening Guidelines
(available since 2017): This document provides comprehensive steps for implementing the hardening process for all components of the Versa solution.
Versa Firewall Requirements
Firewall Requirements (available since 2015): This document details the necessary ports and protocols that need to be opened on the appropriate interfaces.
The bottom line: Versa is actively reaching out and working with our customers and partners to ensure their safety by applying patches and hardening their attack surfaces per guidelines.



