Versa Director Flaw Leads to API Exploit, Affects SD-WAN Customers

Vulnerabilities in Versa Director are never a small matter, as the platform manages network configurations for Versa's SD-WAN software

A vulnerability in Versa Networks’ Versa Director, used by internet service providers (ISPs) and managed service providers (MSPs) to manage network configurations for Versa’s SD-WAN software, has been disclosed by the Cybersecurity and Infrastructure Security Agency (CISA). The vulnerability, tracked as CVE-2024-45229, is rated 6.6 in severity and affects five versions of the software.

Organizations using vulnerable versions are advised to take immediate action to protect their networks by upgrading to a newer version. The advisory follows a high-severity vulnerability last month, CVE-2024-39717, which was used to attack downstream customers in a supply chain attack.

Cyble’s ODIN scanner currently shows 73 internet-exposed Versa Director instances, though it is not clear how many of them contain the latest vulnerability.

Versa Director Flaw Leads to API Exploit

Versa Director’s REST APIs are designed to facilitate automation and streamline operations through a unified interface, enabling IT teams to configure and monitor their network systems more efficiently. However, a flaw in the implementation of these APIs allows for improper input validation, Cyble threat intelligence researchers explained in a blog post.

The APIs in question are designed to not require authentication by default, making them accessible to anyone with network connectivity. An attacker could exploit this vulnerability by sending a specially crafted GET request to a Versa Director instance that is directly connected to the internet.

“For Versa Directors connected directly to the Internet, attackers could potentially exploit this vulnerability by injecting invalid arguments into a GET request,” Cyble said. “This could expose authentication tokens of currently logged-in users, which can then be used to access additional APIs on port 9183.”

While the exploit itself does not reveal user credentials, “the implications of token exposure could lead to broader security breaches.”

“The exposure of these tokens can allow attackers to access additional APIs,” Cyble said. “Such unauthorized access could facilitate broader security breaches, potentially impacting sensitive data and operational integrity.”

Versa suggests that a web application firewall (WAF) or API gateway could be used to protect internet-exposed Versa Director instances by blocking access to the URLs of the vulnerable APIs (/vnms/devicereg/device/* on ports 9182 and 9183 and /versa/vnms/devicereg/device/* on port 443).

Affected Versa Director Versions

The vulnerability affects multiple versions of Versa Director, specifically those released before Sept. 9, 2024. This includes versions 22.1.4, 22.1.3, and 22.1.2, as well as all versions of 22.1.1, 21.2.3, and 21.2.2.

Versions released on Sept. 12 and later contain a hot fix for the vulnerability.

The flaw primarily stems from APIs that, by design, do not require authentication. These include interfaces for logging in, displaying banners, and registering devices.

Cyble Recommendations

Cyble researchers recommend the following mitigations and best practices for protecting Versa Director instances: