[CDP-development] TLP:GREEN (Zero-Day Alert Notification) CVE-2024-39717 Versa Director Dangerous File Type Upload Vulnerability
CSS Security Operations Services * DAS
css-soc-services at das.oregon.gov
Mon Aug 26 13:06:38 PDT 2024
Good afternoon,
The SOC Services team is reporting on the vulnerability: CVE-2024-39717: Versa Director Dangerous File Type Upload Vulnerability. Due to its high visibility and knowledge of the software installed in the state environment, we are providing this in-depth information:
History: On August 26, 2024, Versa released a security bulletin listing the patched/remediated versions for its Dangerous File Type Upload Vulnerability. CVE-2024-39717 was established as a CVE on August 22, 2024, and has been assigned a CVSSv3 rating of 7.2 (High).
The following products are affected:
Versa Director:
* 21.2.3
* 22.1.2
* 22.1.3
Further information and release notes are available from Versa:
* Versa Security Bulletin - https://versa-networks.com/blog/versa-security-bulletin-update-on-cve-2024-39717-versa-director-dangerous-file-type-upload-vulnerability/
Intelligence: As of August 23, 2024, Versa is aware that CVE-2024-39717 has been exploited in the wild. It is very likely that the exploit will continue to be leveraged by threat actors over the coming months.
Workarounds: There are no workarounds at this time.
How it works: At the time of this writing, little public information exists about how the vulnerability is exploited. The "Change Favicon" (Favorite Icon) feature allows the upload of a .png file; this can be abused to upload a malicious file with a .png extension, disguised as an image.
Post-Exploit: Upon successful exploitation of the vulnerability, an attacker could trigger browser crashes and execute arbitrary code in allocated memory.
To identify whether the vulnerability has already been exploited, customers can inspect the /var/versa/vnms/web/custom_logo/ folder for any suspicious uploaded files. Running the command file -b --mime-type <.png file> on each file should report the file type as "image/png".
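The check above, written out as a small POSIX shell script (an added example, not part of the advisory and not Versa's own tooling): it walks the custom_logo directory named in the advisory and reports every file whose type is not image/png. It assumes file(1) is installed; where it is not, it falls back to comparing the first eight bytes against the PNG signature with od(1).

```shell
# Added example, not from the advisory or from Versa: report any file in the
# Versa Director custom_logo directory that does not look like a PNG.
# Uses file(1) --mime-type as the advisory suggests; falls back to a check of
# the 8-byte PNG signature (89 50 4E 47 0D 0A 1A 0A) when file(1) is absent.

# Return 0 if the file starts with the PNG signature, 1 otherwise.
png_signature_ok() {
    sig=$(od -An -tx1 -N8 "$1" | tr -d ' \n')
    [ "$sig" = "89504e470d0a1a0a" ]
}

# Print the MIME type of a file: file(1) when available, else signature-based.
mime_of() {
    if command -v file >/dev/null 2>&1; then
        file -b --mime-type "$1"
    elif png_signature_ok "$1"; then
        echo "image/png"
    else
        echo "unknown (no PNG signature)"
    fi
}

# List every regular file under $1 (default: the directory the advisory names)
# whose MIME type is not image/png. Returns 1 if any such file exists, else 0.
check_custom_logo() {
    dir="${1:-/var/versa/vnms/web/custom_logo}"
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mime=$(mime_of "$f")
        if [ "$mime" != "image/png" ]; then
            printf 'SUSPICIOUS: %s reports %s\n' "$f" "$mime"
            found=1
        fi
    done
    return "$found"
}
```

A file that carries a valid PNG header with other content appended will still report image/png, so a clean result here is a first triage step rather than proof that the host was not touched.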
As of August 26, 2024, no plugins are currently available in Tenable Security Center for the vulnerability.
Recommended Actions:
* Verify host has not been compromised before applying patches.
* Apply appropriate updates provided by vendor to vulnerable systems immediately after appropriate testing.
* Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
* Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
* Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
* Apply the Principle of Least Privilege to all systems and services.
Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable, and secure state technology systems that equitably serve Oregonians."