A zero-day vulnerability in Versa Director servers is proof that a vulnerability doesn’t require a critical severity rating and thousands of exposures to do significant damage.
CVE-2024-39717, announced last week, carries a 7.2 (high) CVSS rating from the NIST National Vulnerability Database (NVD) and a 6.6 (medium) rating from HackerOne.
What’s more, Cyble’s ODIN vulnerability scanning platform found just 31 internet-exposed Versa Director instances, 16 of which were from the U.S.
Here’s the problem: Versa Director servers manage network configurations for Versa’s SD-WAN software – which is often used by internet service providers (ISPs) and managed service providers (MSPs), so even a single exposure could be a big deal. And sure enough, this vulnerability was used to attack downstream customers in a supply chain attack.
As a result, CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.
Versa Director ‘VersaMem’ Zero-Day Exploit
Researchers from Lumen’s Black Lotus Labs discovered the exploit targeting ISPs, MSPs and IT companies as early as June 12, 2024. The vulnerability was publicly announced on Aug. 22 and affects all Versa Director versions prior to 22.1.4.
The researchers identified a custom web shell tied to the vulnerability, which they dubbed “VersaMem.” The web shell was used to intercept and harvest credentials to gain access into downstream customers’ networks as an authenticated user. VersaMem is also modular in nature and allows the threat actors to load additional Java code to run exclusively in-memory.
The researchers identified “actor-controlled small-office/home-office (SOHO) devices exploiting this zero-day vulnerability” at four U.S. and one non-U.S. victims in the ISP, MSP and IT space. The threat actors gained initial administrative access over an exposed Versa management port intended for high-availability (HA) pairing of Director nodes, which led to the deployment of the VersaMem web shell.
The researchers attributed the attacks “with moderate confidence” to the China state-sponsored threat actors known as Volt Typhoon and Bronze Silhouette.
VersaMem Mitigations
Versa Director users are urged to upgrade to version 22.1.4 or later and to follow additional guidance from the vendor, such as applying hardening techniques and firewall rules. The researchers also posted Indicators of Compromise (IoCs) on GitHub.
Additional mitigation recommendations include:
- Blocking external/northbound access to ports 4566 and 4570 and ensuring that they are only open between the active and standby Versa Director nodes for HA-pairing traffic.
- Updating Versa Director systems to version 22.1.4 or later, or applying a hotfix and other measures advised by Versa.
- Searching for interactions with port 4566 on Versa Director servers from non-Versa node IPs.
- Searching the Versa webroot directory (recursively) for files ending with a .png extension that are not valid PNG files.
- Checking for newly created user accounts and other abnormal activity.
- Auditing user accounts, reviewing system/application/user logs, rotating credentials, analyzing downstream customer accounts and triaging lateral movement attempts if any IoCs are identified or if ports 4566 or 4570 were exposed for any period of time.
Cyble threat researchers also recommended a number of additional steps:
- Implement robust network traffic monitoring to detect unusual activities, such as lateral movement, unauthorized access, or data exfiltration.
- Enforce MFA for all users, especially those with access to Versa Director servers, to mitigate the risk of credential hijacking.
- Perform regular audits of user credentials and privilege levels to ensure that only authorized personnel have access to critical systems.
- Implement network segmentation to limit attackers’ ability to move laterally across networks, particularly between critical infrastructure and less sensitive areas.
- Ensure that regular backups of critical systems and configurations are performed, stored securely, and tested for integrity.
