{"id":167534,"date":"2024-08-25T07:11:05","date_gmt":"2024-08-25T07:11:05","guid":{"rendered":"https:\/\/securityaffairs.com\/?p=167534"},"modified":"2024-08-25T07:12:39","modified_gmt":"2024-08-25T07:12:39","slug":"cisa-adds-versa-director-bug-known-exploited-vulnerabilities-catalog","status":"publish","type":"post","link":"https:\/\/securityaffairs.com\/167534\/hacking\/cisa-adds-versa-director-bug-known-exploited-vulnerabilities-catalog.html","title":{"rendered":"U.S. CISA adds Versa Director bug to its Known Exploited Vulnerabilities catalog"},"content":{"rendered":"
<\/div>\n

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Versa Director bug to its Known Exploited Vulnerabilities catalog.<\/h2>\n\n\n\n

The U.S. Cybersecurity and Infrastructure Security Agency (CISA)\u00a0added<\/a>\u00a0Versa Director Dangerous File Type Upload Vulnerability CVE-2024-39717<\/a> (CVSS score: 6.6) to its Known Exploited Vulnerabilities (KEV) catalog<\/a>.<\/p>\n\n\n\n

The vulnerability CVE-2024-39717 resides in the “Change Favicon” feature in Versa Director’s GUI, it allows administrators with specific privileges to upload a malicious file disguised as a PNG image. Exploitation requires successful authentication by a user with the necessary privileges. Although details are limited, Versa Networks confirmed one case where the vulnerability was exploited due to a customer’s failure to implement recommended firewall guidelines. This oversight allowed the attacker to exploit the vulnerability without needing to access the GUI.<\/gwmw><\/gwmw><\/p>\n\n\n\n

”\u00a0Versa Networks is aware of one confirmed customer reported instance where this vulnerability was exploited because the Firewall guidelines which were published in 2015 & 2017 were not implemented by that customer.” reads the advisory<\/a>. “This non-implementation resulted in the bad actor being able to exploit this vulnerability without using the GUI.”<\/em><\/p>\n\n\n\n

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities<\/a>, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.<\/gwmw><\/gwmw><\/p>\n\n\n\n

Experts also recommend private organizations review the Catalog<\/a> and address the vulnerabilities in their infrastructure.<\/p>\n\n\n\n

CISA orders federal agencies to fix this vulnerability by\u00a0September 13, 2024.<\/p>\n\n\n\n

Pierluigi Paganini<\/strong><\/a><\/gwmw><\/gwmw><\/p>\n\n\n\n

Follow me on Twitter: @securityaffairs<\/strong><\/a> and Facebook<\/strong><\/a> and Mastodon<\/a><\/p>\n\n\n\n

(<\/strong>SecurityAffairs<\/strong><\/a>\u00a0\u2013<\/strong>\u00a0hacking,\u00a0CISA<\/a>)<\/strong><\/gwmw><\/gwmw><\/gwmw><\/gwmw><\/p>\n\n\n\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Versa Director bug to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA)\u00a0added\u00a0Versa Director Dangerous File Type Upload Vulnerability CVE-2024-39717 (CVSS score: 6.6) to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability CVE-2024-39717 resides in the “Change Favicon” feature in Versa Director’s GUI, […]<\/p>\n","protected":false},"author":1,"featured_media":106349,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[5,55],"tags":[8913,4112,9508,9506,10918,12584,687,841,1533,15308],"class_list":["post-167534","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hacking","category-security","tag-cisa","tag-hacking","tag-hacking-news","tag-information-security-news","tag-it-information-security","tag-known-exploited-vulnerabilities-catalog","tag-pierluigi-paganini","tag-security-affairs","tag-security-news","tag-versa-director"],"yoast_head":"\n杭州江阴科强工业胶带有限公司