Latest vulnerability: CVE-2024-39717 #

On August 26, 2024, Versa Networks disclosed a vulnerability affecting the Versa Director platform. Versa Director is used to manage and deploy applications across the Versa VOS platform. This vulnerability allows privilege escalation for users that are able to upload files to the Director system. There is evidence that this vulnerability is being actively exploited in the wild, targeting managed service providers (MSPs) and internet service providers (ISPs).

This vulnerability has been designated CVE-2024-39717.  

There is evidence that advanced persistent threat (APT) actors associated with nation states are exploiting this vulnerability, particularly the "Volt Typhoon" espionage group associated with the Chinese government.

What is the impact? #

An attacker that is able to upload files to the Versa Director application can upload a malicious file. Uploading such a file can result in privilege escalation and allow code execution with administrator level privileges. There is evidence that this vulnerability is being actively exploited in the wild.

Are updates or workarounds available? #

Versa Networks has released updates that address this issue and users are encouraged to update as quickly as possible. Additionally, users are advised to avoid exposing the Versa Director administration interface to the public internet.

Users can check for indicators of compromise (IOCs) by examining files in the "/var/versa/vnms/web/custom_logo/" directory. Non-image files in this directory should be investigated.

How to find potentially vulnerable systems with runZero #

From the Service Inventory you can use the following query to locate Versa Director installations:

html.title:"Versa Director" OR http.head.server:"Versa Director"

Written by Rob King

Rob King is the Director of Security Research at runZero. Over his career Rob has served as a senior researcher with KoreLogic, the architect for TippingPoint DVLabs, and helped get several startups off the ground. Rob helped design SC Magazine's Data Leakage Prevention Product of the Year for 2010, and was awarded the 3Com Innovator of the Year Award in 2009. He has been invited to speak at BlackHat, Shmoocon, SANS Network Security, and USENIX.

More about Rob King

Written by Tom Sellers

Tom Sellers is a Principal Research Engineer at runZero. In his 25 years in IT and Security he has built, broken, and defended networks for companies in the finance, service provider, and security software industries. He has built and operated Internet scale scanning and honeypot projects. He is credited on many patents for network deception techonology. A strong believer in Open Source he has contributed to projects such as Nmap, Metasploit, and Recog.

More about Tom Sellers
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.


Related Articles

Rapid Response
How to find Go SSH servers on your network
How to discover Go SSH instances on your network that may be vulnerable to CVE-2024-45337
Rapid Response
How to find Cleo Harmony, LexiCom, and VLTransfer installations on your network
Cleo Software has disclosed CVE-2024-50623 affecting installations of Cleo Harmony, VLTransfer, and LexiCom on your network. Here's how to find...
Rapid Response
How to find Cisco NX-OS assets on your network
Cisco has released an advisory for a vulnerability found within their NX-OS software. Here's how to find affected assets.
Rapid Response
How to find Citrix Virtual Apps and Desktops software on your network
Citrix has released an advisory for two vulnerabilities affecting Citrix Virtual Apps and Desktops software.

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

© Copyright 2024 runZero, Inc. All Rights Reserved