
Low exposure can still cause problems

A zero-day vulnerability in Versa Director servers is proof that neither a critical severity rating nor thousands of exposed instances are needed to cause significant damage.

CVE-2024-39717, announced last week, has a CVSS rating of 7.2 (high) from the NIST National Vulnerability Database (NVD) and a rating of 6.6 (moderate) from HackerOne.

In addition, Cyble's ODIN vulnerability scanning platform found only 31 Versa Director instances exposed on the Internet, 16 of them in the US.

And here's the problem: Versa Director servers manage network configurations for Versa's SD-WAN software, which is commonly used by Internet service providers (ISPs) and managed service providers (MSPs). A single compromised Director can therefore expose every downstream customer it manages, so even one exposed instance can be a big deal.

The vulnerability is confirmed to be exploited in the wild, and CISA has added it to its Known Exploited Vulnerabilities (KEV) catalog.

Zero-day exploit for Versa Director “VersaMem”

Researchers at Lumen's Black Lotus Labs first observed exploitation of the flaw against ISPs, MSPs and IT companies on June 12, 2024. The vulnerability was publicly disclosed on August 22 and affects all Versa Director versions prior to 22.1.4.

Researchers identified a custom web shell associated with the exploitation, which they dubbed “VersaMem.” The web shell intercepts and harvests credentials entered into Versa Director, which the attackers then use to access downstream customers' networks as authenticated users. VersaMem is also modular: it lets the threat actors load additional Java code that runs exclusively in memory.

Researchers observed “actor-controlled small office/home office (SOHO) devices exploiting this zero-day vulnerability” against four U.S. victims and one non-U.S. victim in the ISP, MSP and IT sectors. The threat actors gained initial administrative access through an exposed Versa management port intended for high availability (HA) pairing of Director nodes, and then deployed the VersaMem web shell.

The researchers attributed the attacks “with moderate certainty” to the Chinese state-sponsored threat actor known as Volt Typhoon (also tracked as Bronze Silhouette).

VersaMem mitigation

Versa Director users are urged to upgrade to version 22.1.4 or later and to follow the vendor's additional guidance, including the recommended hardening steps and firewall rules. Black Lotus Labs has also published indicators of compromise (IoCs) on GitHub.

Other recommendations to reduce risk include:

  • Block external/northbound access to ports 4566 and 4570 and ensure they are open only between the active and standby Versa Director nodes, for HA pairing traffic.
  • Update Versa Director systems to version 22.1.4 or later, or apply the hotfix and other actions recommended by Versa.
  • Look for connections to port 4566 on Versa Director servers from IP addresses that are not Versa Director nodes.
  • Search the Versa web root directory (recursively) for files with a .png extension that are not valid PNG files; check the file contents (the PNG header bytes), not just the extension, since the web shell was dropped under an image filename.
  • Check for newly created user accounts and other unusual activity.
  • Where IoCs are found, or where ports 4566 or 4570 were exposed for any period of time, verify user accounts, examine system/application/user logs, rotate credentials, analyze downstream customer accounts, and prioritize hunting for lateral movement.
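The two hunting steps above (fake .png files under the web root, and connections to the HA pairing ports from non-peer addresses) are easy to get wrong by hand, so here is a small self-contained script that performs both. This is an added example, not code from Lumen, Cyble or Versa. The web root path, the HA peer addresses and the `ts src=A dst=B dport=N` log record format are assumptions for the demo; the sample files and log lines are constructed inline so the script runs offline.

```python
"""Two VersaMem triage checks as standalone Python (added example, not vendor code).

1. Recursively find *.png files under a web root whose bytes are not a real PNG.
2. Flag connections to the HA pairing ports 4566/4570 whose source is not a
   known Versa Director HA peer.
"""
import ipaddress
import os
import tempfile

# Every real PNG begins with this 8-byte signature; a web shell saved as
# "something.png" will not.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Versa Director HA pairing ports named in the advisory guidance.
HA_PORTS = {4566, 4570}


def is_valid_png(path):
    """True if the file starts with the PNG signature."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(PNG_SIGNATURE)) == PNG_SIGNATURE
    except OSError:
        return False


def find_fake_pngs(web_root):
    """Recursively list *.png files under web_root that are not real PNGs.

    Paths are returned relative to web_root with '/' separators, sorted.
    """
    hits = []
    for dirpath, _subdirs, files in os.walk(web_root):
        for name in files:
            if not name.lower().endswith(".png"):
                continue
            full = os.path.join(dirpath, name)
            if not is_valid_png(full):
                hits.append(os.path.relpath(full, web_root).replace(os.sep, "/"))
    return sorted(hits)


def suspicious_ha_connections(log_lines, peer_ips):
    """Return (src_ip, dport, line) for connections to 4566/4570 from non-peer sources.

    The record format 'ts src=A dst=B dport=N' is an assumption made for this
    example; adapt the field parsing to your real firewall or flow logs.
    """
    peers = {ipaddress.ip_address(p) for p in peer_ips}
    findings = []
    for line in log_lines:
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        try:
            src = ipaddress.ip_address(fields["src"])
            dport = int(fields["dport"])
        except (KeyError, ValueError):
            continue  # malformed or incomplete record
        if dport in HA_PORTS and src not in peers:
            findings.append((str(src), dport, line))
    return findings


# --- constructed sample data (assumed addresses, not real victims) -----------

HA_PEERS = ["10.0.0.11", "10.0.0.12"]  # assumed active/standby Director addresses

SAMPLE_LOG = [
    "2024-06-12T03:10:01Z src=10.0.0.12 dst=10.0.0.11 dport=4566",     # legitimate HA peer
    "2024-06-12T03:10:07Z src=198.51.100.23 dst=10.0.0.11 dport=4566",  # external source
    "2024-06-12T03:11:45Z src=203.0.113.9 dst=10.0.0.11 dport=4570",    # external source
    "2024-06-12T03:12:02Z src=192.0.2.44 dst=10.0.0.11 dport=443",      # not an HA port
    "malformed record with no fields",
]


def build_sample_web_root(root):
    """Populate root with one real PNG, one fake PNG and one unrelated file."""
    os.makedirs(os.path.join(root, "images"))
    os.makedirs(os.path.join(root, "static", "assets"))
    with open(os.path.join(root, "images", "logo.png"), "wb") as fh:
        fh.write(PNG_SIGNATURE + b"\x00" * 16)
    with open(os.path.join(root, "static", "assets", "cache.png"), "wb") as fh:
        fh.write(b"\xca\xfe\xba\xbe" + b"\x00" * 16)  # Java class magic, not a PNG
    with open(os.path.join(root, "static", "readme.txt"), "w") as fh:
        fh.write("not an image\n")


def run_png_check_on_sample():
    """Build the sample tree in a temp dir and return the fake-PNG findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_web_root(root)
        return find_fake_pngs(root)


if __name__ == "__main__":
    print("Fake PNGs:", run_png_check_on_sample())
    for src, port, line in suspicious_ha_connections(SAMPLE_LOG, HA_PEERS):
        print(f"Non-peer connection to {port} from {src}: {line}")
```

Point `find_fake_pngs()` at the actual Versa Director web root and feed `suspicious_ha_connections()` the host firewall or flow records for the Director; any hit from the second check also means the HA ports were reachable from outside the pair, which by the guidance above should trigger the full credential rotation and downstream review.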

Threat researchers also recommended a number of additional steps:

  • Implement robust network traffic monitoring to detect unusual activities such as lateral movement, unauthorized access or data exfiltration.
  • To reduce the risk of credential theft, enforce MFA for all users, especially those with access to Versa Director servers.
  • Conduct regular reviews of user credentials and permission levels to ensure that only authorized personnel have access to critical systems.
  • Implement network segmentation to limit the ability of attackers to move laterally across networks, especially between critical infrastructure and less sensitive areas.
  • Ensure that regular backups of critical systems and configurations are performed, securely stored, and tested for integrity.