CVE-2024-42450

Name of the Vulnerable Software and Affected Versions Versa Director versions prior to 22.1.4

Description The issue is related to the use of default credentials in the configuration with PostgreSQL, allowing an unauthenticated attacker to access and administer the database, read local filesystem contents, and potentially escalate privileges on the system. The default configuration of Versa Director configures Postgres to listen on all network interfaces, which contributes to the vulnerability. There is a proof of concept in a lab environment, but Versa Networks is not aware of this exploitation in any production systems. Over 1,000 results have been found, indicating potential widespread impact.

Recommendations For versions prior to 22.1.4, perform manual hardening of HA ports by following the steps provided in the Versa Networks documentation. Starting with version 22.1.4, the software automatically restricts access to the Postgres and HA ports to only the local and peer Versa Directors. As a temporary workaround, consider restricting access to the Postgres database and HA ports to minimize the risk of exploitation.