The U.S. Cybersecurity and Infrastructure Safety Company (CISA) has positioned a safety flaw impacting Versa Director to its Recognized Exploited Vulnerabilities (KEV) catalog based mostly on proof of energetic exploitation.
The medium-severity vulnerability, tracked as CVE-2024-39717 (CVSS rating: 6.6), is case of file add bug impacting the “Change Favicon” function that might permit a risk actor to add a malicious file by masquerading it as a seemingly innocent PNG picture file.
“The Versa Director GUI incorporates an unrestricted add of file with harmful sort vulnerability that permits directors with Supplier-Information-Heart-Admin or Supplier-Information-Heart-System-Admin privileges to customise the person interface,” CISA stated in an advisory.
“The ‘Change Favicon’ (Favourite Icon) permits the add of a .png file, which could be exploited to add a malicious file with a .PNG extension disguised as a picture.”
Nevertheless, a profitable exploitation is feasible solely after a person with Supplier-Information-Heart-Admin or Supplier-Information-Heart-System-Admin privileges has efficiently authenticated and logged in.
Whereas the precise circumstances surrounding the exploitation of CVE-2024-39717 is unclear, an outline of the vulnerability within the NIST Nationwide Vulnerability Database (NVD) states that Versa Networks is conscious of 1 confirmed occasion wherein a buyer was focused.
“The Firewall tips which had been printed in 2015 and 2017 weren’t applied by that buyer,” the outline states. “This non-implementation resulted within the dangerous actor with the ability to exploit this vulnerability with out utilizing the GUI.”
Federal Civilian Government Department (FCEB) companies are required to take steps to guard in opposition to the flaw by making use of vendor-provided fixes by September 13, 2024.
The event comes days after CISA added 4 safety shortcomings from 2021 and 2022 to its KEV catalog –
- CVE-2021-33044 (CVSS rating: 9.8) – Dahua IP Digital camera Authentication Bypass Vulnerability
- CVE-2021-33045 (CVSS rating: 9.8) – Dahua IP Digital camera Authentication Bypass Vulnerability
- CVE-2021-31196 (CVSS rating: 7.2) – Microsoft Change Server Info Disclosure Vulnerability
- CVE-2022-0185 (CVSS rating: 8.4) – Linux Kernel Heap-Based mostly Buffer Overflow Vulnerability
It is price noting {that a} China-linked risk actor codenamed UNC5174 (aka Uteus or Uetus) was attributed to the exploitation of CVE-2022-0185 by Google-owned Mandiant earlier this March.
CVE-2021-31196 was initially disclosed as a part of an enormous set of Microsoft Change Server vulnerabilities, collectively tracked as ProxyLogon, ProxyShell, ProxyToken, and ProxyOracle.
“CVE-2021-31196 has been noticed in energetic exploitation campaigns, the place risk actors goal unpatched Microsoft Change Server situations,” OP Innovate stated. “These assaults sometimes goal to realize unauthorized entry to delicate data, escalate privileges, or deploy additional payloads corresponding to ransomware or malware.”