CVE-2024-42450 (CVSS 10): Versa Networks Addresses Critical Vulnerability in Versa Director
Versa Networks has issued a security advisory addressing a critical vulnerability (CVE-2024-42450) affecting its Versa Director software. The vulnerability, which carries a CVSS score of 10, could allow unauthenticated attackers to access sensitive data, escalate privileges, and potentially execute arbitrary code on vulnerable systems.
The vulnerability stems from the default configuration of PostgreSQL (Postgres), the database used by Versa Director for storing operational and configuration data. The combination of a common default password and Postgres listening on all network interfaces exposes the database to potential attackers.
“By default, Versa Director configures Postgres to listen on all network interfaces. This combination allows an unauthenticated attacker to access and administer the database or read local filesystem contents to escalate privileges on the system,” reads the security bulletin.
Affected Versions and Remediation
The CVE-2024-42450 vulnerability affects various versions of Versa Director, including 22.1.4, 22.1.3, 22.1.2, 22.1.1, 21.2.3, and 21.2.2. Versa Networks has released a hotfix for version 22.1.4 and recommends manual hardening of HA ports for older releases.
“Starting with the latest 22.1.4 version of Versa Director, the software will automatically restrict access to the Postgres and HA ports to only the local and peer Versa Directors. For older releases, Versa recommends performing manual hardening of HA ports,” the company notes.
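The exposure described above comes down to two PostgreSQL settings that a defender can audit directly: `listen_addresses` in postgresql.conf (which interfaces the database binds) and the `host` rules in pg_hba.conf (which client networks and authentication methods are accepted). The following is an added example, not Versa's code or part of the advisory; it parses both files and reports any deviation from the hardened shape the vendor describes, where the database answers only locally and to a named list of peer Director addresses. The configuration texts and the peer network list are constructed for the demonstration, and the HA ports mentioned in the bulletin are not covered here because their numbers are not given on the page.

```python
# Added example (not Versa's tooling): audit PostgreSQL listen/auth settings for the
# exposure pattern in the advisory, i.e. the server bound on every interface while
# accepting clients outside the Director peer set. All inputs below are constructed.
import ipaddress
import re

WILDCARD_LISTEN = {"*", "0.0.0.0", "::"}


def parse_listen_addresses(postgresql_conf: str) -> list[str]:
    """Return the effective listen_addresses list. The last uncommented setting wins;
    PostgreSQL's compiled-in default is 'localhost'."""
    value = "localhost"
    for raw in postgresql_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"listen_addresses\s*=\s*'([^']*)'", line)
        if m:
            value = m.group(1)
    return [v.strip() for v in value.split(",") if v.strip()]


def parse_pg_hba(pg_hba: str) -> list[dict]:
    """Parse 'local', 'host', 'hostssl' and 'hostnossl' rules from pg_hba.conf.
    Handles both the CIDR form and the separate ADDRESS NETMASK column form."""
    rules = []
    for raw in pg_hba.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        kind = parts[0]
        if kind == "local" and len(parts) >= 4:
            rules.append({"type": kind, "address": None, "method": parts[3]})
        elif kind in ("host", "hostssl", "hostnossl") and len(parts) >= 5:
            address, method = parts[3], parts[4]
            try:  # 'ADDRESS NETMASK METHOD' form: fold the netmask into the address
                ipaddress.ip_address(parts[4])
                if len(parts) >= 6:
                    address, method = f"{parts[3]}/{parts[4]}", parts[5]
            except ValueError:
                pass  # parts[4] is an auth method, not a netmask
            rules.append({"type": kind, "address": address, "method": method})
    return rules


def audit(postgresql_conf: str, pg_hba: str, peer_networks: list[str]) -> list[str]:
    """Return a list of findings. An empty list means: no wildcard bind, remote access
    only from the listed peer networks, and no passwordless 'trust' rules."""
    findings = []
    listens = parse_listen_addresses(postgresql_conf)
    if WILDCARD_LISTEN & set(listens):
        findings.append(f"listen_addresses={listens} binds Postgres on every interface")
    peers = [ipaddress.ip_network(p, strict=False) for p in peer_networks]
    for rule in parse_pg_hba(pg_hba):
        if rule["type"] == "local" or rule["address"] == "samehost":
            continue  # Unix-socket and same-host rules are not network exposure
        if rule["method"] == "trust":
            findings.append(f"pg_hba grants passwordless 'trust' access from {rule['address']}")
        try:
            net = ipaddress.ip_network(rule["address"], strict=False)
        except ValueError:
            findings.append(f"pg_hba address '{rule['address']}' is 'all', 'samenet' or a hostname; review it explicitly")
            continue
        if net.is_loopback:
            continue
        if not any(net.version == p.version and net.subnet_of(p) for p in peers):
            findings.append(f"pg_hba allows {net}, which is outside the peer allow-list")
    return findings


# Constructed sample inputs: a default-style exposed configuration and a hardened one.
PEER_NETWORKS = ["10.0.0.0/24"]  # hypothetical subnet holding the peer Directors

VULNERABLE_CONF = "listen_addresses = '*'  # every interface\nport = 5432\n"
VULNERABLE_HBA = """# TYPE  DATABASE  USER  ADDRESS       METHOD
local   all       all                 peer
host    all       all   127.0.0.1/32  md5
host    all       all   0.0.0.0/0     md5
host    all       all   ::/0          trust
"""

HARDENED_CONF = "listen_addresses = 'localhost, 10.0.0.5'\nport = 5432\n"
HARDENED_HBA = """local   all  all                peer
host    all  all  127.0.0.1/32   scram-sha-256
host    all  all  10.0.0.0/24    scram-sha-256
"""

if __name__ == "__main__":
    for label, conf, hba in (("exposed", VULNERABLE_CONF, VULNERABLE_HBA),
                             ("hardened", HARDENED_CONF, HARDENED_HBA)):
        print(f"[{label}]")
        for finding in audit(conf, hba, PEER_NETWORKS) or ["no findings"]:
            print("  -", finding)
```

Run against the constructed inputs, the exposed configuration yields four findings (the wildcard bind, the IPv4 and IPv6 any-address rules, and the `trust` method) while the hardened one yields none. In practice the peer list should be populated from the Director HA peer addresses, and the same audit belongs in configuration management so that a future upgrade or restore cannot silently reintroduce the wildcard bind.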
Mitigation and Best Practices
Versa Networks emphasizes that implementing the published firewall guidelines can prevent exploitation of this vulnerability. Additionally, the company has confirmed that all Versa-hosted head ends have been patched and hardened.
Users of affected Versa Director versions are strongly urged to apply the hotfix or implement the recommended mitigation steps immediately.