CVE-2024-45208
BaseFortify
Publication date: 2025-06-19
Last updated on: 2025-06-23
Assigner: HackerOne
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2024-45208 is a vulnerability in the Versa Director SD-WAN orchestration platform related to its High Availability (HA) communication ports (TCP ports 4566 and 4570). These ports are used for communication between Active and Standby Director nodes using a shared password. The vulnerability allows an attacker who can access the Versa Director to exploit the NCS service on port 4566 to perform unauthorized administrative actions and potentially execute remote code. This is possible because the affected versions bind these ports on all interfaces, making them accessible beyond the intended HA nodes if not properly restricted. [1]
How can this vulnerability impact me?
If exploited, this vulnerability can allow an attacker to gain unauthorized administrative access to the Versa Director platform and execute remote code. This could lead to full compromise of the system, disruption of SD-WAN orchestration, unauthorized changes, and potential deployment of malicious artifacts. Indicators of compromise include suspicious files such as '.temp.data' in /tmp/ and unexpected favicon.png files with incorrect mime-types. Immediate impacts include loss of control over network orchestration and potential exposure of sensitive network configurations. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves verifying that TCP ports 4566 and 4570 are not accessible from unauthorized sources, especially Internet-facing interfaces. Attempts to establish a TCP connection (3-way handshake) to these ports from an external host should fail.

Indicators of compromise include suspicious files such as ".temp.data" in /tmp/, and unexpected favicon.png files in /var/versa/vnms/web/ and /opt/versa/vnms/apache-tomcat/webapps/versa/dist/. The mime-type of these favicon.png files should be verified to be "image/png"; any deviation suggests compromise.

To check connectivity, use a tool such as 'telnet' or 'nc' (netcat) from an external host to test a TCP connection to ports 4566 and 4570. For example: `telnet <versa_director_ip> 4566` or `nc -vz <versa_director_ip> 4566`. Suspicious files can be checked with commands like `ls -l /tmp/.temp.data` and `file /var/versa/vnms/web/favicon.png` to verify the mime-type. [1]
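The file indicators above can be swept in one pass. The script below is an added example, not part of the original page or any Versa tooling; the `ROOT` argument and the function names `mime_of` and `check_iocs` are hypothetical, and the PNG-signature fallback used when `file` is not installed is an assumption of this example.

```shell
#!/bin/sh
# Added example: sweep for the file indicators listed on this page.
# ROOT (hypothetical parameter) prefixes every path, so the same check
# works on a live host (ROOT="") or a mounted disk image.

# favicon.png locations named in the detection guidance above.
FAVICON_PATHS="/var/versa/vnms/web/favicon.png
/opt/versa/vnms/apache-tomcat/webapps/versa/dist/favicon.png"

# Print the mime-type of $1. Uses file(1) when installed; otherwise
# compares the first 8 bytes against the PNG signature.
mime_of() {
    if command -v file >/dev/null 2>&1; then
        file -b --mime-type "$1"
    else
        sig=$(head -c 8 "$1" | od -An -tx1 | tr -d ' \n')
        if [ "$sig" = "89504e470d0a1a0a" ]; then
            echo "image/png"
        else
            echo "unknown"
        fi
    fi
}

# check_iocs ROOT: prints one "IOC:" line per finding.
# Returns 0 when nothing was found, 1 otherwise.
check_iocs() {
    root=$1
    found=0
    if [ -e "$root/tmp/.temp.data" ]; then
        echo "IOC: $root/tmp/.temp.data exists"
        found=1
    fi
    for p in $FAVICON_PATHS; do          # paths contain no whitespace
        f="$root$p"
        [ -f "$f" ] || continue          # absent file: nothing to verify
        m=$(mime_of "$f")
        if [ "$m" != "image/png" ]; then
            echo "IOC: $f has mime-type $m, expected image/png"
            found=1
        fi
    done
    return "$found"
}
```

Call `check_iocs ""` on the Director node itself, or pass the mount point of a forensic image; a non-zero return means at least one indicator matched.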
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

1) Stopping Director services on both active and standby nodes using the command `vsh stop`.
2) Blocking TCP ports 4566 and 5432 on Internet-facing interfaces, especially via edge firewall rules.
3) Running the script `/opt/versa/vnms/scripts/secure-utils.sh --secure-ha-ports enable` on both active and standby nodes to restrict HA port access only to peer nodes.
4) Deleting suspicious favicon files such as `/var/versa/vnms/web/custom_favicon/favicon.png` if present.

Additionally, it is recommended to follow the Versa Director hardening guide: secure HA communication, enforce strong passwords, use signed SSL certificates, and restrict access to HA ports. [1, 2]