Versa Networks Patches Vulnerability Exposing Authentication Tokens

Versa Networks has released patches for a Versa Director vulnerability for which proof-of-concept (PoC) code exists.

Versa Networks has announced patches for a vulnerability in the virtualization and service creation platform Versa Director, warning that proof-of-concept (PoC) code for it exists.

Tracked as CVE-2024-45229 (CVSS score of 6.6), the vulnerability is related to the REST API in Versa Director that is used for orchestration and management, and could lead to the exposure of authentication tokens.

Some of these APIs, including those used for the login screen, banner display, and device registration, do not require authentication by default.

“However, it was discovered that for Directors directly connected to the Internet, one of these APIs can be exploited by injecting invalid arguments into a GET request, potentially exposing the authentication tokens of other currently logged-in users,” Versa explains in an advisory.

An attacker able to obtain other users’ tokens could then use them to invoke additional APIs on port 9183, the network management company explains.

Versa notes that the vulnerability cannot be used to expose usernames and passwords and that, if the Versa Director is deployed behind a firewall or API gateway, the security solution “can be used to block access to the URLs of vulnerable API”.

“This vulnerability is not exploitable on Versa Directors not exposed to the internet. We have validated that no Versa-hosted head ends have been affected by this vulnerability,” the company says.

Versa has released hot fixes for Director versions 22.1.4, 22.1.3, 22.1.2, and 21.2.3, and recommends that all users update to the latest releases as soon as possible. Those using Director versions 22.1.1 and 21.2.2 should upgrade to the patched 22.1.3 and 21.2.3 iterations, respectively.


“Versa Networks is not aware of this exploitation in any production systems. A proof of concept exists in the lab environment,” the company says.

On Friday, the US cybersecurity agency CISA drew attention to Versa’s advisory, urging organizations to apply the necessary updates and hunt for any malicious activity in their environments.
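One way to act on that hunting advice is to scan the reverse-proxy or API-gateway access log in front of a Director for the two signals the advisory describes: an unauthenticated GET to the management REST API carrying a malformed query string from an address outside your management networks, followed shortly afterwards by calls on port 9183 from that same address. The script below is an added example, not Versa's or CISA's code. The log format, the `/api/director/` prefix, the internal network list and the sample lines are all constructed for illustration; Versa's advisory does not name the vulnerable URLs, so the prefix must be replaced with the paths it identifies.

```python
"""Hunt a web-access log for the request pattern described in Versa's advisory.

Added example (not Versa's or CISA's code). The log format, API prefix, internal
network list and sample lines are constructed for illustration.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# ASSUMED: where the Director REST API is mounted behind the proxy. The advisory
# does not list the vulnerable URLs; replace this with the paths it names.
API_PREFIX = "/api/director/"

# Port the advisory says stolen tokens are used against.
MGMT_PORT = 9183

# ASSUMED: networks from which legitimate Director administration originates.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# A query string made only of these characters is treated as well-formed.
SAFE_QUERY = re.compile(r"[A-Za-z0-9_.\-=&]*")

# Constructed log format (one request per line):
#   <iso8601 ts> <client ip> <dst port> <method> <path[?query]> <status> auth=<yes|no>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<port>\d+) (?P<method>[A-Z]+) "
    r"(?P<target>\S+) (?P<status>\d{3}) auth=(?P<auth>yes|no)$"
)

# Constructed sample lines: one benign internal banner fetch, one malformed
# external probe, a 9183 call from the same external address, and two benign
# authenticated requests.
SAMPLE_LOG = """\
2024-09-13T10:00:01Z 10.0.0.5 443 GET /api/director/login/banner?lang=en 200 auth=no
2024-09-13T10:00:02Z 203.0.113.10 443 GET /api/director/login/banner?lang=en%27%29;-- 200 auth=no
2024-09-13T10:00:05Z 203.0.113.10 9183 GET /api/director/appliances 200 auth=yes
2024-09-13T10:00:09Z 198.51.100.7 443 POST /api/director/session 200 auth=yes
2024-09-13T10:00:12Z 10.0.0.6 9183 GET /api/director/appliances 200 auth=yes
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["port"] = int(rec["port"])
    path, _, query = rec["target"].partition("?")
    rec["path"], rec["query"] = path, query
    return rec


def is_external(ip):
    """True when the client address is outside the assumed management networks."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def hunt(log_text, window=timedelta(minutes=5)):
    """Return findings as (timestamp, ip, reason) tuples.

    Signal 1: unauthenticated GET to the API with a malformed query string from
    an external address. Signal 2: a call on port 9183 from that same address
    within `window` of the probe, which is what token reuse would look like.
    """
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    findings = []
    probe_time = {}  # ip -> time of its most recent suspicious probe
    for r in records:
        if (r["path"].startswith(API_PREFIX) and r["method"] == "GET"
                and r["auth"] == "no" and is_external(r["ip"])
                and not SAFE_QUERY.fullmatch(r["query"])):
            findings.append((r["ts"], r["ip"],
                             "malformed unauthenticated GET from external address"))
            probe_time[r["ip"]] = r["ts"]
        elif (r["port"] == MGMT_PORT and r["ip"] in probe_time
                and r["ts"] - probe_time[r["ip"]] <= window):
            findings.append((r["ts"], r["ip"],
                             f"API call on port {MGMT_PORT} after probe"))
    return findings


if __name__ == "__main__":
    for ts, ip, reason in hunt(SAMPLE_LOG):
        print(ts.isoformat(), ip, reason)
```

The same two predicates translate directly into a gateway rule: deny unauthenticated GETs whose query string fails `SAFE_QUERY` on the API prefix, and restrict port 9183 to the management networks, which is the "block access to the URLs of vulnerable API" mitigation the advisory recommends for Directors that cannot be patched immediately.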

Related: Android’s September 2024 Update Patches Exploited Vulnerability

Related: GitLab Security Update Patches Critical Vulnerability

Related: Offense Intended: How Adversarial Emulation Went From State Secret To Board Bullet Point

Related: Versa Networks Raises $120 Million in Pre-IPO Funding Round

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
