Versa Director 缺陷導致 API 被利用，影響 SD-WAN 客戶

Versa Director 的漏洞絕非小事，因為該平台管理 Versa SD-WAN 軟體的網路配置

A vulnerability in Versa Networks’ Versa Director, used by internet service providers (ISPs) and managed service providers (MSPs) to manage network configurations for Versa’s SD-WAN software, has been disclosed by the Cybersecurity and Infrastructure Security Agency (CISA). The vulnerability, tracked as CVE-2024-45229, is rated 6.6 in severity and affects five versions of the software.

網路安全與基礎設施安全局 (CISA) 揭露了 Versa Networks Versa Director 中的一個漏洞，網路服務供應商 (ISP) 和託管服務供應商 (MSP) 使用該軟體來管理 Versa SD-WAN 軟體的網路配置。此漏洞的編號為 CVE-2024-45229，嚴重程度為 6.6，影響該軟體的五個版本。

Organizations using vulnerable versions are advised to take immediate action to protect their networks by upgrading to a newer version. The advisory follows a high-severity vulnerability last month, CVE-2024-39717, which was used to attack downstream customers in a supply chain attack.

建議使用易受攻擊版本的組織立即採取行動，透過升級到新版本來保護其網路。該通報是在上個月出現一個高嚴重性漏洞 CVE-2024-39717 後發布的，該漏洞被用來在供應鏈攻擊中攻擊下游客戶。

Cyble’s ODIN scanner currently shows 73 internet-exposed Versa Director instances, though it is not clear how many of them contain the latest vulnerability.

Cyble 的 ODIN 掃描器目前顯示了 73 個暴露在網路上的 Versa Director 實例，但尚不清楚其中有多少包含最新漏洞。

Versa Director Flaw Leads to API Exploit

Versa Director 缺陷導致 API 被利用

Versa Director’s REST APIs are designed to facilitate automation and streamline operations through a unified interface, enabling IT teams to configure and monitor their network systems more efficiently. However, a flaw in the implementation of these APIs allows for improper input validation, Cyble threat intelligence researchers explained in a blog post.

Versa Director 的 REST API 旨在透過統一的介面促進自動化和簡化操作，使 IT 團隊能夠更有效地配置和監控其網路系統。然而，Cyble 威脅情報研究人員在部落格文章中解釋說，這些 API 的實作中存在缺陷，導致輸入驗證不當。

The APIs in question are designed to not require authentication by default, making them accessible to anyone with network connectivity. An attacker could exploit this vulnerability by sending a specially crafted GET request to a Versa Director instance that is directly connected to the internet.

這些 API 的設計預設不需要身份驗證，任何有網路連線的人都可以存取它們。攻擊者可以透過向直接連接到網際網路的 Versa Director 執行個體發送特製的 GET 請求來利用此漏洞。

“For Versa Directors connected directly to the Internet, attackers could potentially exploit this vulnerability by injecting invalid arguments into a GET request,” Cyble said. “This could expose authentication tokens of currently logged-in users, which can then be used to access additional APIs on port 9183.”

Cyble 表示：“對於直接連接到互聯網的 Versa 控制器，攻擊者可能會透過向 GET 請求中註入無效參數來利用此漏洞。” “這可能會暴露當前登入使用者的身份驗證令牌，然後可以使用該令牌存取連接埠 9183 上的其他 API。”

While the exploit itself does not reveal user credentials, “the implications of token exposure could lead to broader security breaches.”

雖然該漏洞本身不會洩露用戶憑證，但“令牌暴露的影響可能會導致更廣泛的安全漏洞。”

“The exposure of these tokens can allow attackers to access additional APIs,” Cyble said. “Such unauthorized access could facilitate broader security breaches, potentially impacting sensitive data and operational integrity.”

Cyble 表示：“這些代幣的暴露可以讓攻擊者存取其他 API。” “這種未經授權的存取可能會導致更廣泛的安全漏洞，可能會影響敏感資料和操作完整性。”

Versa suggests that a web application firewall (WAF) or API gateway could be used to protect internet-exposed Versa Director instances by blocking access to the URLs of the vulnerable APIs (/vnms/devicereg/device/* on ports 9182 and 9183 and /versa/vnms/devicereg/device/* on port 443).

Versa 建議使用 Web 應用程式防火牆 (WAF) 或 API 網關，透過阻止存取易受攻擊的 API 的 URL（連接埠 9182 和 9183 上的 /vnms/devicereg/device/* 和 /反之亦然/vnms/devicereg/device /* 在連接埠443 上）。

Affected Versa Director Versions

受影響的 Versa Director 版本

The vulnerability affects multiple versions of Versa Director, specifically those released before Sept. 9, 2024. This includes versions 22.1.4, 22.1.3, and 22.1.2, as well as all versions of 22.1.1, 21.2.3, and 21.2.2.

此漏洞影響Versa Director 的多個版本，特別是2024 年9 月9 日之前發布的版本。的所有版本。

Versions released on Sept. 12 and later contain a hot fix for the vulnerability.

9月12日及之後發布的版本包含針對該漏洞的熱修復。

The flaw primarily stems from APIs that, by design, do not require authentication. These include interfaces for logging in, displaying banners, and registering devices.

此缺陷主要源自於 API 在設計上不需要身份驗證。其中包括用於登入、顯示橫幅和註冊設備的介面。

Cyble Recommendations

循環推薦

Cyble researchers recommend the following mitigations and best practices for protecting Versa Director instances:

Cyble 研究人員建議採用以下緩解措施和最佳實踐來保護 Versa Director 實例：