A recent zero-day vulnerability in Versa Director servers has raised concerns about the potential for significant damage even with a relatively low number of exposures. The vulnerability, known as CVE-2024-39717, has been given a high severity rating of 7.2 by the NIST National Vulnerability Database (NVD) and a medium rating of 6.6 by HackerOne.
According to Cyble’s ODIN vulnerability scanning platform, only 31 internet-exposed Versa Director instances were found, with 16 of them located in the U.S. This limited number of exposed instances highlights the potential impact that even a single vulnerable server could have, considering that Versa Director servers are crucial for managing network configurations used by internet service providers (ISPs) and managed service providers (MSPs).
The seriousness of the vulnerability has prompted the Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) catalog.
The vulnerability, dubbed “VersaMem,” was discovered by researchers from Lumen’s Black Lotus Labs, who identified a custom web shell associated with the exploit. This web shell, used to intercept and harvest credentials, allowed threat actors to gain access to downstream customers’ networks as authenticated users. The modular nature of VersaMem also enabled threat actors to load additional Java code to run exclusively in-memory.
The attacks exploiting this vulnerability were attributed with moderate confidence to China state-sponsored threat actors known as Volt Typhoon and Bronze Silhouette. These threat actors targeted ISPs, MSPs, and IT companies, gaining initial administrative access through an exposed Versa management port.
To mitigate the risk posed by VersaMem, users are strongly advised to upgrade to version 22.1.4 or later and follow additional guidance provided by the vendor. Other recommended mitigation measures include applying hardening techniques and firewall rules, blocking external access to specific ports, and monitoring network traffic for unusual activities.
Additional steps recommended by Cyble threat researchers include implementing robust network traffic monitoring, enforcing multi-factor authentication (MFA) for all users, performing regular audits of user credentials, and implementing network segmentation to limit lateral movement by attackers.
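The "block external access to specific ports" and "monitor network traffic" recommendations above can be made concrete with a small allowlist check. The following is an added example, not code from Cyble, Lumen or Versa: it parses constructed firewall log lines, reports management-port connections that were accepted from outside an allowlist of operator networks (a firewall gap) and ones that were dropped (attempts worth watching), and renders the allowlist-then-drop rule set that closes the gap. The management port number, the allowlisted networks and the log format are all assumptions made for this example; take the real port list from the vendor advisory.

```python
"""Management-port allowlist check (added illustration, not vendor code).

Assumptions: MGMT_PORT, ALLOWED_NETS and the log line format below are
constructed for this example and must be replaced with the values from
the vendor's hardening guidance for a real deployment.
"""
import ipaddress
import re
from dataclasses import dataclass

MGMT_PORT = 4443  # placeholder management port, NOT taken from the advisory
ALLOWED_NETS = [  # constructed operator networks allowed to reach the port
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.100.0/24"),
]

# Constructed firewall log lines: "<timestamp> src=<ip> dport=<port> action=<ACCEPT|DROP>"
SAMPLE_LOG = """\
2024-08-27T10:00:01Z src=10.20.5.7 dport=4443 action=ACCEPT
2024-08-27T10:00:05Z src=203.0.113.45 dport=4443 action=ACCEPT
2024-08-27T10:00:09Z src=203.0.113.45 dport=443 action=ACCEPT
2024-08-27T10:00:12Z src=198.51.100.9 dport=4443 action=DROP
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)")


@dataclass
class ConnEvent:
    src: str
    dport: int
    action: str


def parse_line(line):
    """Return a ConnEvent for a well-formed line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return ConnEvent(m["src"], int(m["dport"]), m["action"].upper())


def is_allowed_source(ip_text, nets=ALLOWED_NETS):
    """True when the source address falls inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # malformed address is never trusted
    return any(addr in net for net in nets)


def review_management_access(log_text, port=MGMT_PORT, nets=ALLOWED_NETS):
    """Split management-port connections from outside the allowlist into
    'gaps' (accepted, so the firewall policy is incomplete) and 'blocked'
    (dropped, but still a sign someone is probing the management plane)."""
    report = {"gaps": [], "blocked": []}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev.dport != port or is_allowed_source(ev.src, nets):
            continue
        bucket = "gaps" if ev.action == "ACCEPT" else "blocked"
        if ev.src not in report[bucket]:
            report[bucket].append(ev.src)
    return report


def firewall_rules(port=MGMT_PORT, nets=ALLOWED_NETS):
    """Render an allowlist-then-drop iptables rule set for the management port.
    Order matters: explicit ACCEPTs for operator networks precede the catch-all DROP."""
    rules = [f"iptables -A INPUT -p tcp --dport {port} -s {net} -j ACCEPT" for net in nets]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    result = review_management_access(SAMPLE_LOG)
    print("accepted from outside allowlist (policy gap):", result["gaps"])
    print("dropped attempts from outside allowlist:", result["blocked"])
    print("\n".join(firewall_rules()))
```

The review function deliberately ignores non-management ports, so ordinary HTTPS traffic from the same outside address is not flagged; the point is the management plane, which the article notes was the initial access path. Feed it your own firewall export in place of the constructed sample and adjust the regular expression to your log format.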
Overall, the discovery of the Versa Director zero-day exploit serves as a reminder of the potential impacts that vulnerabilities can have, even with a relatively low number of exposures. Vigilance and proactive security measures are essential to protect critical systems and prevent unauthorized access and data exfiltration.