search
Homeweb3.0Versa Director Flaw Leads to API Exploit, Affects SD-WAN Customers
Versa Director Flaw Leads to API Exploit, Affects SD-WAN CustomersSep 25, 2024 am 09:13 AM
Token TheftVersa Director API Attacks

Vulnerabilities in Versa Director are never a small matter, as the platform manages network configurations for Versa's SD-WAN software

Versa Director Flaw Leads to API Exploit, Affects SD-WAN Customers

A vulnerability in Versa Networks’ Versa Director, used by internet service providers (ISPs) and managed service providers (MSPs) to manage network configurations for Versa’s SD-WAN software, has been disclosed by the Cybersecurity and Infrastructure Security Agency (CISA). The vulnerability, tracked as CVE-2024-45229, is rated 6.6 in severity and affects five versions of the software.

Organizations using vulnerable versions are advised to take immediate action to protect their networks by upgrading to a newer version. The advisory follows a high-severity vulnerability last month, CVE-2024-39717, which was used to attack downstream customers in a supply chain attack.

Cyble’s ODIN scanner currently shows 73 internet-exposed Versa Director instances, though it is not clear how many of them contain the latest vulnerability.

Versa Director Flaw Leads to API Exploit

Versa Director’s REST APIs are designed to facilitate automation and streamline operations through a unified interface, enabling IT teams to configure and monitor their network systems more efficiently. However, a flaw in the implementation of these APIs allows for improper input validation, Cyble threat intelligence researchers explained in a blog post.

The APIs in question are designed to not require authentication by default, making them accessible to anyone with network connectivity. An attacker could exploit this vulnerability by sending a specially crafted GET request to a Versa Director instance that is directly connected to the internet.

“For Versa Directors connected directly to the Internet, attackers could potentially exploit this vulnerability by injecting invalid arguments into a GET request,” Cyble said. “This could expose authentication tokens of currently logged-in users, which can then be used to access additional APIs on port 9183.”

While the exploit itself does not reveal user credentials, “the implications of token exposure could lead to broader security breaches.”

“The exposure of these tokens can allow attackers to access additional APIs,” Cyble said. “Such unauthorized access could facilitate broader security breaches, potentially impacting sensitive data and operational integrity.”

Versa suggests that a web application firewall (WAF) or API gateway could be used to protect internet-exposed Versa Director instances by blocking access to the URLs of the vulnerable APIs (/vnms/devicereg/device/* on ports 9182 and 9183 and /versa/vnms/devicereg/device/* on port 443).

Affected Versa Director Versions

The vulnerability affects multiple versions of Versa Director, specifically those released before Sept. 9, 2024. This includes versions 22.1.4, 22.1.3, and 22.1.2, as well as all versions of 22.1.1, 21.2.3, and 21.2.2.

Versions released on Sept. 12 and later contain a hot fix for the vulnerability.

The flaw primarily stems from APIs that, by design, do not require authentication. These include interfaces for logging in, displaying banners, and registering devices.

Cyble Recommendations

Cyble researchers recommend the following mitigations and best practices for protecting Versa Director instances:

The above is the detailed content of Versa Director Flaw Leads to API Exploit, Affects SD-WAN Customers. For more information, please follow other related articles on the PHP Chinese website!

Statement
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Pi Node Teaching: What is a Pi Node? How to install and set up Pi Node?Pi Node Teaching: What is a Pi Node? How to install and set up Pi Node?Mar 05, 2025 pm 05:57 PM

Detailed explanation and installation guide for PiNetwork nodes This article will introduce the PiNetwork ecosystem in detail - Pi nodes, a key role in the PiNetwork ecosystem, and provide complete steps for installation and configuration. After the launch of the PiNetwork blockchain test network, Pi nodes have become an important part of many pioneers actively participating in the testing, preparing for the upcoming main network release. If you don’t know PiNetwork yet, please refer to what is Picoin? What is the price for listing? Pi usage, mining and security analysis. What is PiNetwork? The PiNetwork project started in 2019 and owns its exclusive cryptocurrency Pi Coin. The project aims to create a one that everyone can participate

Top 10 virtual digital currency app platforms in the world, the top ten virtual currency trading platforms in 2025Top 10 virtual digital currency app platforms in the world, the top ten virtual currency trading platforms in 2025Mar 05, 2025 pm 08:00 PM

With the booming development of the virtual currency industry, virtual digital currency trading platforms around the world are becoming increasingly stronger. This article focuses on the top ten virtual digital currency app platforms in the world in 2025, including Binance, OKX, Gate.io, Kraken, Gemini, FTX, Bybit, KuCoin, Huobi and Coinbase. These platforms are known for their advanced features, a wide range of transaction pairs, low fees and stable performance, providing users with a wide range of virtual currency trading options.

Bitcoin [BTC] was on a downtrend after losing the $92,000-support level in the final week of FebruaryBitcoin [BTC] was on a downtrend after losing the $92,000-support level in the final week of FebruaryMar 16, 2025 am 10:10 AM

Technical indicators such as the OBV showed that selling pressure has been dominant, meaning more losses may be likely ahead.

Various ETF issuers compete to apply for Solana ETF! But why is BlackRock still absent?Various ETF issuers compete to apply for Solana ETF! But why is BlackRock still absent?Mar 03, 2025 pm 06:33 PM

Many ETF issuers are scrambling to apply for SolanaETF, but BlackRock is still holding back? This article will interpret this phenomenon. SolanaETF application boom The Securities and Exchange Commission (SEC) has accepted SolanaETF applications submitted by several institutions, including Bitwise, 21Shares, VanEck, CanaryCapital and Grayscale. Bloomberg predicts that the probability of Solana spot ETF being approved by the end of the year is as high as 70%, which is closely related to the Trump administration's friendly attitude towards cryptocurrencies. The establishment of Franklin's "Franklin SolanaTrust" also implies its potential application for SolanaETF. However, Sol

Understand the current situation and future of MEV on a single articleUnderstand the current situation and future of MEV on a single articleMar 04, 2025 pm 05:06 PM

Sui Blockchain's MEV (Maximum Extractable Value) strategy and future outlook MEV have become the core issues in the blockchain field, which are related to transaction sorting and arbitrage opportunities. Sui is committed to guiding the development of MEV through Sui Improvement Proposal (SIP) and other mechanisms, ensuring transparency, transaction security, network health, and participant rewards. In addition to existing mechanisms, more mechanisms are planned to be introduced to ensure that its core principles can effectively guide the evolution of MEVs on Sui. Design principles and considerations Sui's every transaction contains potential profit opportunities. Sui's MEV ecosystem consists of the following mechanisms: MEV transaction submission mechanism MEV opportunity release mechanism MEV

Qubetics ($TICS): The Revolutionizing AI CryptoQubetics ($TICS): The Revolutionizing AI CryptoMar 23, 2025 am 10:08 AM

Cryptocurrency has always been a realm where the cutting edge of technology meets bold ambition, and it's only getting more exciting in the future. As artificial intelligence continues to grow in influence, there are a handful of digital assets that

PI price forecast: How high can PI coins rise?PI price forecast: How high can PI coins rise?Mar 03, 2025 pm 07:27 PM

Since the launch of PiNetwork (PI)'s independent network, it has continued to attract the attention of the cryptocurrency community. In contrast to the recent sluggish performance of mainstream cryptocurrencies such as Bitcoin (BTC), Ethereum (ETH) and Solana (SOL), the price of PI has risen against the trend. PI cryptocurrency: Binance listing may become a catalyst for price surge PINetwork (PI) price upward momentum Strong PI is currently priced at $1.6750, far higher than the previous low of $0.6020. Trading activity and investor interest continue to grow, and PI's future price trend has become the focus of market attention. PI market performance: Strong rebound and key resistance levels PI mainnet started at the beginning

Top 10 Free Virtual Currency Exchanges Rankings The latest top ten virtual currency APP trading platformsTop 10 Free Virtual Currency Exchanges Rankings The latest top ten virtual currency APP trading platformsMar 11, 2025 am 10:18 AM

The top ten free virtual currency exchanges are ranked: 1. OKX; 2. Binance; 3. Gate.io; 4. Huobi Global; 5. Kraken; 6. Coinbase; 7. KuCoin; 8. Crypto.com; 9. MEXC Global; 10. Bitfinex. These platforms each have their own advantages.

Hot AI Tools

Undresser.AI Undress

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress AI Tool

Undress images for free

Clothoff.io

Clothoff.io

AI clothes remover

AI Hentai Generator

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)
2 weeks agoBy尊渡假赌尊渡假赌尊渡假赌
Repo: How To Revive Teammates
4 weeks agoBy尊渡假赌尊渡假赌尊渡假赌
Hello Kitty Island Adventure: How To Get Giant Seeds
4 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

Hot Tools

WebStorm Mac version

WebStorm Mac version

Useful JavaScript development tools

MinGW - Minimalist GNU for Windows

MinGW - Minimalist GNU for Windows

This project is in the process of being migrated to osdn.net/projects/mingw, you can continue to follow us there. MinGW: A native Windows port of the GNU Compiler Collection (GCC), freely distributable import libraries and header files for building native Windows applications; includes extensions to the MSVC runtime to support C99 functionality. All MinGW software can run on 64-bit Windows platforms.

Dreamweaver CS6

Dreamweaver CS6

Visual web development tools

Atom editor mac version download

Atom editor mac version download

The most popular open source editor

SublimeText3 English version

SublimeText3 English version

Recommended: Win version, supports code prompts!