CVE-2024-39717: How a simple PNG file can hack your computer

CISA gave U.S. federal agencies three weeks to secure their networks.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a new vulnerability affecting the Versa Director platform to its catalog of known exploited vulnerabilities (KEVs). The decision is based on confirmed data on the active use of this vulnerability by attackers.

The vulnerability, tracked as CVE-2024-39717 and rated moderate with a CVSS score of 6.6, lies in the file upload feature of the "Change Favicon" interface, which allows an attacker to upload a malicious file disguised as an innocuous PNG image.
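As an added, defender-side illustration (not code from the page or from Versa Networks), here is a strict PNG validator in Python of the kind a favicon-style upload endpoint should apply server-side: it walks the chunk structure, verifies every CRC, requires IHDR first and IEND last, and rejects any bytes after IEND, so a file that merely begins with the PNG magic bytes does not pass. The `minimal_png` helper builds a constructed 1x1 sample for testing; the 64 KiB limit is an assumed, favicon-sized cap.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def validate_png(data: bytes, max_bytes: int = 65536) -> tuple[bool, str]:
    """Return (ok, reason). Accepts only a well-formed PNG with no trailing data."""
    if len(data) > max_bytes:
        return False, "file too large"
    if not data.startswith(PNG_SIGNATURE):
        return False, "missing PNG signature"
    pos = len(PNG_SIGNATURE)
    first = True
    while True:
        if pos + 8 > len(data):
            return False, "truncated chunk header"
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if not ctype.isalpha():          # chunk types are four ASCII letters
            return False, "invalid chunk type"
        end = pos + 8 + length
        if end + 4 > len(data):
            return False, "truncated chunk body"
        body = data[pos + 8:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        # PNG CRC-32 covers the chunk type and body (same polynomial as zlib)
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False, f"bad CRC in {ctype.decode()}"
        if first:
            if ctype != b"IHDR" or length != 13:
                return False, "first chunk is not IHDR"
            first = False
        pos = end + 4
        if ctype == b"IEND":
            break
    if pos != len(data):                 # payload appended after IEND
        return False, "trailing data after IEND"
    return True, "ok"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """Constructed 1x1 RGBA PNG used as sample input (not from the page)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00\x00")  # filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
```

Pair this with a server-side re-encode of the accepted image and a fixed `.png` filename on disk, so the stored favicon is never served or interpreted as anything but image data.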

Versa Director is a software platform designed to manage network infrastructure in organizations using Versa Networks solutions. It provides a centralized interface for deploying, configuring, and monitoring a wide range of network functions, including software-defined networking (SD-WAN), security, and application optimization.

To exploit CVE-2024-39717, an attacker must first authenticate and log in as a user holding the appropriate privileges (Provider-Data-Center-Admin or Provider-Data-Center-System-Admin).

While the exact circumstances of the exploitation of CVE-2024-39717 remain unclear, the U.S. National Vulnerability Database (NVD) reports that Versa Networks has confirmed one instance of a customer being attacked. It is also noted that this customer had not implemented the firewall configuration recommendations released in 2015 and 2017, which allowed the attacker to exploit the vulnerability without using the graphical interface.

All federal agencies of the U.S. Executive Branch (FCEB) are required to take steps to protect against this vulnerability by installing patches from the vendor by September 13, 2024.

The news comes on the heels of CISA's recent addition to the KEV catalog of other vulnerabilities identified in 2021 and 2022. Among them, for example:
  • CVE-2021-33044 and CVE-2021-33045 (CVSS score 9.8): authentication bypass vulnerabilities in Dahua IP cameras;
  • CVE-2024-28987 (CVSS score 9.1): hard-coded web support credentials;
  • CVE-2024-23897 (CVSS score 9.8): a path traversal vulnerability in the Jenkins CLI that can lead to arbitrary code execution.

Cybersecurity is an ongoing process that requires constant vigilance and timely updating of systems. Even small omissions in settings or ignoring manufacturers' recommendations can lead to serious consequences.

It is important to remember that attackers are constantly looking for new ways to bypass protection, and only a comprehensive approach to security, including regular updates, threat monitoring and staff training, can provide reliable protection of information systems.
