Versa Director PostgreSQL Configuration Vulnerability
CVE-2024-42450

10 CRITICAL

Key Information:

Vendor:
Versa
Status:
Vendor
CVE Published:
19 November 2024

What is CVE-2024-42450?

Versa Director uses PostgreSQL to store the operational and configuration data that its High Availability (HA) features depend on. A critical misconfiguration leaves the database listening on all network interfaces while using the same default password on every instance. This allows an unauthenticated attacker to connect, administer the database, and potentially escalate privileges through access to the local filesystem. Although Versa Networks has not identified any exploitation in live environments, a proof-of-concept exists in experimental settings. Recommended mitigations are to upgrade to version 22.1.4 or, for earlier versions, to apply the manual hardening steps so that the HA ports are restricted appropriately; strict adherence to the firewall guidelines further reduces the risk of exploitation.
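The two conditions the description names, a server bound to every interface and client authentication that any remote host can attempt, are both visible in standard PostgreSQL configuration. The following audit script is an added example written for this record; it is not code from Versa or from the CVE database, and it uses generic PostgreSQL `postgresql.conf` and `pg_hba.conf` syntax only. The file contents are constructed samples (the real file paths, HA port numbers and default credential on a Versa Director are not given on this page and are not assumed), and a shared default password cannot be detected from configuration files alone, so that part of the finding is out of scope here.

```python
"""Audit PostgreSQL config for network exposure of the kind CVE-2024-42450 describes.

Checks two things from standard PostgreSQL config files:
  1. listen_addresses in postgresql.conf set to every interface.
  2. pg_hba.conf host rules that admit any remote address, or use no
     password at all ('trust') or a legacy password method.
Sample file contents below are constructed for this example, not taken
from a Versa Director installation.
"""
import re

# Constructed sample showing the risky shape: bound to all interfaces,
# any remote client may attempt a login, one rule needs no credential.
RISKY_POSTGRESQL_CONF = """
# -----------------------------
listen_addresses = '*'          # listen on every interface
port = 5432
"""
RISKY_PG_HBA_CONF = """
# TYPE  DATABASE  USER  ADDRESS       METHOD
local   all       all                 peer
host    all       all   0.0.0.0/0     md5
host    all       all   ::/0          trust
"""

# Constructed sample of the hardened shape: loopback only, SCRAM auth.
HARDENED_POSTGRESQL_CONF = """
listen_addresses = 'localhost'
port = 5432
"""
HARDENED_PG_HBA_CONF = """
local   all       all                 peer
host    all       all   127.0.0.1/32  scram-sha-256
host    all       all   ::1/128       scram-sha-256
"""

# Address keywords/CIDRs that match any client, and auth methods of concern.
WIDE_OPEN_ADDRESSES = {"0.0.0.0/0", "::/0", "all"}
NO_AUTH_METHODS = {"trust"}
LEGACY_AUTH_METHODS = {"password", "md5"}


def parse_postgresql_conf(text):
    """Return {key: value} for `key = value` lines, minus comments and quotes."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^(\w+)\s*=\s*(.+)$", line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip().strip("'\"")
    return settings


def parse_pg_hba(text):
    """Return (type, database, user, address, method) tuples; address is None for 'local'."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local" and len(f) >= 4:
            rules.append((f[0], f[1], f[2], None, f[3]))
        elif f[0] in ("host", "hostssl", "hostnossl") and len(f) >= 5:
            rules.append((f[0], f[1], f[2], f[3], f[4]))
    return rules


def audit(postgresql_conf, pg_hba_conf):
    """Return a list of human-readable findings; an empty list means no exposure found."""
    findings = []
    settings = parse_postgresql_conf(postgresql_conf)
    listen = settings.get("listen_addresses", "localhost")  # PostgreSQL's default
    if listen in ("*", "0.0.0.0", "::"):
        findings.append(f"listen_addresses={listen!r}: server accepts connections on all interfaces")
    for typ, db, user, addr, method in parse_pg_hba(pg_hba_conf):
        if addr is None:
            continue  # Unix-socket rules are not network-reachable
        if addr in WIDE_OPEN_ADDRESSES:
            findings.append(f"pg_hba {typ} rule for db={db} user={user} admits any address ({addr})")
        if method in NO_AUTH_METHODS:
            findings.append(f"pg_hba {typ} rule from {addr} uses '{method}': no credential required")
        elif method in LEGACY_AUTH_METHODS:
            findings.append(f"pg_hba {typ} rule from {addr} uses '{method}': prefer scram-sha-256")
    return findings


if __name__ == "__main__":
    for label, conf, hba in (("risky", RISKY_POSTGRESQL_CONF, RISKY_PG_HBA_CONF),
                             ("hardened", HARDENED_POSTGRESQL_CONF, HARDENED_PG_HBA_CONF)):
        print(f"[{label}]")
        for finding in audit(conf, hba) or ["no findings"]:
            print("  -", finding)
```

Run against the risky sample the audit reports five findings (the wildcard bind, two any-address rules, one `trust` rule and one `md5` rule); the hardened sample produces none. On a real host the same functions can be pointed at the actual files, and the HA-port firewall restriction the advisory recommends is the complementary control that this file-level check does not cover.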

Affected Version(s)

Director 22.1.4

References

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved

The Cyber Security Vulnerability Database.