Summary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the Versa Director Dangerous File Type Upload Vulnerability (CVE-2024-39717) to its Known Exploited Vulnerabilities catalog, highlighting its potential risks. The vulnerability allows authenticated users to upload malicious files disguised as PNG images, with one confirmed exploitation due to inadequate firewall implementation.
Threat Actor: Unknown | unknown
Victim: Versa Networks | Versa Networks
Key Point :
- The vulnerability CVE-2024-39717 has a CVSS score of 6.6 and is linked to the “Change Favicon” feature in Versa Director’s GUI.
- Exploitation requires user authentication with specific privileges, but one case was reported where the attacker exploited the vulnerability without GUI access due to firewall guideline non-implementation.
- CISA mandates federal agencies to address this vulnerability by September 13, 2024, and encourages private organizations to review the vulnerabilities in the catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Versa Director Dangerous File Type Upload Vulnerability CVE-2024-39717 (CVSS score: 6.6) to its Known Exploited Vulnerabilities (KEV) catalog.
The vulnerability CVE-2024-39717 resides in the “Change Favicon” feature in Versa Director’s GUI, it allows administrators with specific privileges to upload a malicious file disguised as a PNG image. Exploitation requires successful authentication by a user with the necessary privileges. Although details are limited, Versa Networks confirmed one case where the vulnerability was exploited due to a customer’s failure to implement recommended firewall guidelines. This oversight allowed the attacker to exploit the vulnerability without needing to access the GUI.
” Versa Networks is aware of one confirmed customer reported instance where this vulnerability was exploited because the Firewall guidelines which were published in 2015 & 2017 were not implemented by that customer.” reads the advisory. “This non-implementation resulted in the bad actor being able to exploit this vulnerability without using the GUI.”
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix this vulnerability by September 13, 2024.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, CISA)