Versa Director Flaw Could Lead to API Attacks, Token Theft

Versa Director flaw exposed instances

Vulnerabilities in Versa Director are never a small matter: the platform manages network configurations for Versa’s SD-WAN software, which is often used by internet service providers (ISPs) and managed service providers (MSPs), so a single exposure has the potential for a big downstream effect.

The Cybersecurity and Infrastructure Security Agency (CISA) has highlighted a vulnerability in Versa Networks’ Versa Director, identified as CVE-2024-45229. The 6.6-severity vulnerability stems from improper input validation and affects five versions of the software. Organizations using vulnerable versions containing the Versa Director flaw are urged to take immediate action to protect their networks by upgrading to a newer version.

The advisory follows a high-severity vulnerability last month – CVE-2024-39717 – which was used to attack downstream customers in a supply chain attack.

Cyble’s ODIN scanner presently shows 73 internet-exposed Versa Director instances, although it’s not clear how many of them contain the latest vulnerability.

Versa Director Flaw Leads to API Exploit

In a blog post on the new vulnerability, Cyble threat intelligence researchers noted that Versa Director’s REST APIs facilitate automation and streamline operations through a unified interface, allowing IT teams to configure and monitor their network systems more efficiently. The new vulnerability allows for improper input validation in certain APIs that do not require authentication by design, Cyble noted.

“For Versa Directors connected directly to the Internet, attackers could potentially exploit this vulnerability by injecting invalid arguments into a GET request,” Cyble said. “This could expose authentication tokens of currently logged-in users, which can then be used to access additional APIs on port 9183.”

While the exploit doesn’t reveal user credentials, “the implications of token exposure could lead to broader security breaches.”

“The exposure of these tokens can allow attackers to access additional APIs,” Cyble said. “Such unauthorized access could facilitate broader security breaches, potentially impacting sensitive data and operational integrity.”

A web application firewall (WAF) or API gateway could help protect internet-exposed Versa Director instances by blocking access to the URLs of the vulnerable APIs (/vnms/devicereg/device/* on ports 9182 and 9183, and /versa/vnms/devicereg/device/* on port 443), Versa noted.

Affected Versa Director Versions

The vulnerability affects multiple versions of Versa Director, specifically those released before Sept. 9, 2024, including 22.1.4, 22.1.3, and 22.1.2, along with all versions of 22.1.1, 21.2.3, and 21.2.2.

Versions released on Sept. 12 or later contain a hot fix.

The flaw primarily stems from APIs that, by design, do not require authentication. These include interfaces for logging in, displaying banners, and registering devices.

Cyble Recommendations

Cyble researchers recommend a number of mitigations and best practices for protecting Versa Director instances.

  • Implement the latest patches provided by Versa Networks immediately.
  • Upgrade from version 22.1.1 to 22.1.3 and from 21.2.2 to 21.2.3 for comprehensive protection.
  • Isolate critical systems through network segmentation to limit potential attack surfaces.
  • Use web application firewalls (WAF) or API gateways to block access to vulnerable URLs.
  • Use advanced Security Information and Event Management (SIEM) systems to detect unusual activities.
  • Regularly review logs and alerts for real-time threat identification.
  • Uncover weaknesses in the network infrastructure.
  • Remediate vulnerabilities before malicious actors can exploit them.
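As an added example (not code from the article, Cyble or Versa), the following Python checker applies the URL-and-port blocklist Versa gave for WAFs and API gateways to web access logs, which is the log-review step in Cyble's recommendations. The log layout, the `allowed_sources` allowlist and the sample lines are constructed assumptions; the point it adds is that paths must be canonicalized before a prefix rule is applied, and that the port qualifiers matter (the /vnms/... route only counts on 9182/9183, the /versa/vnms/... route only on 443).

```python
import re
from urllib.parse import unquote, urlsplit

# Vulnerable Versa Director API routes and the ports they are served on,
# as listed in the WAF guidance the article attributes to Versa.
VULNERABLE_ROUTES = (("/vnms/devicereg/device", frozenset({9182, 9183})),
                     ("/versa/vnms/devicereg/device", frozenset({443})))

# Constructed log layout (an assumption, not Versa's real format):
# <client_ip> <dst_port> "<METHOD> <request-target> HTTP/x.y" <status>
LOG_RE = re.compile(r'^(\S+) (\d+) "([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})$')

def normalize_path(target: str) -> str:
    # Drop the query string, percent-decode, resolve '.', '..' and doubled slashes.
    segments = []
    for seg in unquote(urlsplit(target).path).split("/"):
        if seg == "..":
            if segments:
                segments.pop()
        elif seg not in ("", "."):
            segments.append(seg)
    return "/" + "/".join(segments)

def is_vulnerable_route(port: int, target: str) -> bool:
    # True when the request hits a listed route on one of its listed ports.
    path = normalize_path(target)
    return any(port in ports and (path == base or path.startswith(base + "/"))
               for base, ports in VULNERABLE_ROUTES)

def flag_requests(log_lines, allowed_sources=frozenset()):
    # One finding per hit from a non-allowlisted source; malformed lines are counted, not dropped.
    findings, malformed = [], 0
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            malformed += 1
            continue
        ip, port, method, target, status = m.groups()
        if ip not in allowed_sources and is_vulnerable_route(int(port), target):
            findings.append((ip, int(port), method, normalize_path(target), int(status)))
    return findings, malformed

# Constructed sample lines; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 9183 "GET /vnms/devicereg/device/?foo=bar HTTP/1.1" 200',
    '203.0.113.7 443 "GET /versa//vnms/./devicereg/device/x HTTP/1.1" 200',
    '198.51.100.2 9182 "POST /vnms/devicereg/device HTTP/1.1" 200',
    '203.0.113.9 443 "GET /vnms/devicereg/device/ HTTP/1.1" 404',
    'garbage line',
]
```

The same canonicalization applies to the WAF rule itself: match on the decoded, normalized path rather than the raw request line, or a doubled slash or dot segment will bypass a literal prefix match.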

Paul Shread

Paul Shread has covered nearly every aspect of enterprise technology in his 20+ years in IT journalism, including award-winning articles on endpoint security and virtual data centers, and a report exposing critical security flaws in a major SIEM system. Publications he has edited and written for include eSecurity Planet, Datamation, eWeek, IT Business Edge, Webopedia, and many more. He wrote a column on small business technology for Time.com, and covered financial markets for 10 years, from the dot-com boom and bust to the 2007-2009 financial crisis. He holds market analyst, cybersecurity, and analytics certifications. You can follow him on LinkedIn at: https://www.linkedin.com/in/paul-shread/
