The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a security flaw impacting Versa Director to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation.
The medium-severity vulnerability, tracked as CVE-2024-39717 (CVSS score: 6.6), is a file upload bug in the "Change Favicon" feature that could allow a threat actor to upload a malicious file by masquerading it as a seemingly innocuous PNG image file.
"The Versa Director GUI contains an unrestricted upload of file with dangerous type vulnerability that allows administrators with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges to customize the user interface," CISA said in an advisory.
"The 'Change Favicon' (Favorite Icon) enables the upload of a .png file, which can be exploited to upload a malicious file with a .PNG extension disguised as an image."
However, successful exploitation is possible only after a user with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges has authenticated and logged in, so the flaw is a post-authentication issue rather than an unauthenticated remote one.
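To make the weakness class concrete, the following is an added example (not Versa Director code and not from CISA's advisory) contrasting an upload check that trusts only the ".png" extension with one that parses the PNG chunk structure. The size cap, the function names and the inert "disguised payload" are all constructed assumptions for illustration; the point is that an extension check alone lets any bytes through once they are named `*.png`, whereas a structural check rejects the non-image payload and also rejects a real PNG with a payload appended after its IEND chunk.

```python
"""
Extension-only vs. structure-aware validation of a favicon upload.

Added example illustrating CWE-434 (unrestricted upload of file with
dangerous type). Hypothetical code, not Versa Director's implementation.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_FAVICON_BYTES = 64 * 1024  # assumed size cap for a favicon upload


def is_allowed_by_extension(filename: str) -> bool:
    """Weak check: accepts anything whose name ends in .png (any case)."""
    return filename.lower().endswith(".png")


def is_valid_png(data: bytes) -> bool:
    """Stronger check: walk every chunk, verify CRCs, require IHDR first
    and IEND last with no trailing bytes (rejects appended payloads)."""
    if len(data) > MAX_FAVICON_BYTES or not data.startswith(PNG_SIGNATURE):
        return False
    pos = 8
    first = True
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length
        if end + 4 > len(data):
            return False  # chunk claims more bytes than are present
        body = data[pos + 4:end]  # chunk type + chunk data, as CRC'd by PNG
        crc = struct.unpack(">I", data[end:end + 4])[0]
        if crc != (zlib.crc32(body) & 0xFFFFFFFF):
            return False
        if first and (ctype != b"IHDR" or length != 13):
            return False
        first = False
        pos = end + 4
        if ctype == b"IEND":
            return pos == len(data)  # anything after IEND is not an image
    return False  # ran out of data without seeing IEND


def is_allowed_by_content(filename: str, data: bytes) -> bool:
    """Combined policy: extension must match AND bytes must parse as PNG."""
    return is_allowed_by_extension(filename) and is_valid_png(data)


def minimal_png(width: int = 1, height: int = 1) -> bytes:
    """Build a tiny valid 8-bit grayscale PNG (constructed sample input)."""
    def chunk(ctype: bytes, payload: bytes) -> bytes:
        body = ctype + payload
        return (struct.pack(">I", len(payload)) + body
                + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00" * width for _ in range(height))
    return (PNG_SIGNATURE + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


# Constructed samples: a real favicon and an inert text payload renamed .png
GOOD_FAVICON = minimal_png()
DISGUISED_PAYLOAD = b'<% out.println("constructed placeholder, not a real shell"); %>'
POLYGLOT = GOOD_FAVICON + DISGUISED_PAYLOAD  # valid image with payload appended


if __name__ == "__main__":
    for name, blob in [("favicon.png", GOOD_FAVICON),
                       ("favicon.PNG", DISGUISED_PAYLOAD),
                       ("favicon.png", POLYGLOT)]:
        print(name, "ext-only:", is_allowed_by_extension(name),
              "structural:", is_allowed_by_content(name, blob))
```

A chunk walk stops the two cheapest tricks (rename, append), but a determined attacker can still stash bytes inside a correctly CRC'd ancillary chunk such as tEXt. For a feature that only ever needs a small icon, the robust fix is to decode and re-encode the upload with an image library, store the result outside any served or executable path, and require the privileged role the advisory describes.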
While the exact circumstances surrounding the exploitation of CVE-2024-39717 are unclear, the description of the vulnerability in the NIST National Vulnerability Database (NVD) states that Versa Networks is aware of one confirmed instance in which a customer was targeted.
"The Firewall guidelines which were published in 2015 and 2017 were not implemented by that customer," the description states. "This non-implementation resulted in the bad actor being able to exploit this vulnerability without using the GUI."
Federal Civilian Executive Branch (FCEB) agencies are required to take steps to protect against the flaw by applying vendor-provided fixes by September 13, 2024.
The development comes days after CISA added four security shortcomings from 2021 and 2022 to its KEV catalog:
- CVE-2021-33044 (CVSS score: 9.8) – Dahua IP Camera Authentication Bypass Vulnerability
- CVE-2021-33045 (CVSS score: 9.8) – Dahua IP Camera Authentication Bypass Vulnerability
- CVE-2021-31196 (CVSS score: 7.2) – Microsoft Exchange Server Information Disclosure Vulnerability
- CVE-2022-0185 (CVSS score: 8.4) – Linux Kernel Heap-Based Buffer Overflow Vulnerability
It is worth noting that Google-owned Mandiant attributed exploitation of CVE-2022-0185 to a China-linked threat actor codenamed UNC5174 (aka Uteus or Uetus) earlier this March.
CVE-2021-31196 was originally disclosed as part of a large set of Microsoft Exchange Server vulnerabilities, collectively tracked as ProxyLogon, ProxyShell, ProxyToken, and ProxyOracle.
"CVE-2021-31196 has been observed in active exploitation campaigns, where threat actors target unpatched Microsoft Exchange Server instances," OP Innovate said. "These attacks typically aim to gain unauthorized access to sensitive data, escalate privileges, or deploy further payloads such as ransomware or malware."