Versa Director Flaw Exposes Networks to API Exploits and Token Theft

• The CISA warned of a new Versa Director flaw, which appears in some cases with REST APIs with no authentication.
• Versa Director is used by ISPs and MSPs, and any exposed vulnerability could lead to a supply chain attack.
• The impacted versions include most of those released prior to this month.

A critical advisory on a newly discovered vulnerability in Versa Networks' Versa Director, identified as CVE-2024-45229, was issued by the Cybersecurity and Infrastructure Security Agency (CISA). 

The CVE-2024-45229 vulnerability has a 6.6 severity score and is primarily caused by improper input validation within certain REST APIs that do not require authentication by design. 

This flaw poses significant security risks due to its impact on network configurations managed by Versa’s SD-WAN software, widely deployed by internet service providers (ISPs) and managed service providers (MSPs).

This oversight potentially allows attackers to inject invalid arguments into GET requests, leading to the exposure of active users' authentication tokens. These exposed tokens can enable unauthorized access to additional APIs, jeopardizing sensitive data and the operational integrity of affected networks.

The vulnerability affects several versions of Versa Director, specifically those released prior to September 9, 2024. Impacted versions include: 22.1.4, 22.1.3, 22.1.2, all iterations of 22.1.1, 21.2.3, and 21.2.2.

Organizations utilizing susceptible versions of Versa Director are urged to upgrade to the latest version containing a hotfix released on September 12, 2024. In addition to upgrading, deploying a web application firewall (WAF) or an API gateway is recommended to restrict access to vulnerable APIs, particularly those on ports 9182, 9183, and 443.

This alert follows last month’s high-severity vulnerability (CVE-2024-39717), which facilitated attacks on downstream customers in a supply chain breach. Currently, Cyble found 73 internet-exposed instances of Versa Director, though the presence of the latest vulnerability in these instances remains undetermined.