As many of us know, APIs power applications across all industries, but API security is widely misunderstood. In this blog post, we’ll talk about a recent API security vulnerability in the Versa Director platform that left it open to attack.
Versa Director is a virtualization platform used for the creation of services with Versa Networks software. The platform is used widely by ISPs and MSPs alike. However, recently, a vulnerability was uncovered in Versa Director that could lead to API attacks and even token theft.
The Cybersecurity and Infrastructure Security Agency (CISA) brought this vulnerability to light and rated its severity at 6.6; it affects five versions of the software. As of right now, users are being urged to update to safer versions of the software to eliminate the risks of this vulnerability. While 6.6 is not in the critical severity range, it’s important to note that there is evidence of active exploitation of this flaw in the wild.
If you’re familiar with our State of API Security 2024 report, you probably already know that the two biggest culprits when it comes to API security vulnerabilities are lack of proper authentication and authorization.
In this case, the Versa Director APIs do not require proper authentication for login interfaces and more.
A large part of the problem is that Versa Director seems to value efficiency and quantity of output over quality. But there’s another, related problem: its REST APIs facilitate automation through a unified interface, and certain APIs that don’t require authentication perform improper input validation.
According to a researcher at Cyble:
“Attackers could potentially exploit this vulnerability by injecting invalid arguments into a GET request”
The vulnerability does not expose user credentials; however, it could lead to larger breaches, because the token exposure allows attackers to access additional APIs that could involve sensitive data and security information.
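As an added illustration (not Versa's code and not from the original post), the hypothetical Python handler below applies the two controls this class of flaw lacks: every route is authenticated before any GET argument is processed, and arguments are checked against a strict per-route allowlist, so a malformed request is rejected rather than parsed, and no session token is ever echoed in a response. The route names, patterns and session store are constructed for the example.

```python
import re

# Hypothetical route table (constructed names): every route requires a
# valid session unless it is explicitly listed as public (default deny).
PUBLIC_ROUTES = {"/api/health"}

# Per-route allowlist for GET query arguments: name -> pattern the value
# must fully match. Unknown parameter names are rejected outright.
QUERY_SCHEMAS = {
    "/api/health": {},
    "/api/example/devices": {
        "limit": re.compile(r"[1-9][0-9]{0,2}"),      # 1..999
        "name": re.compile(r"[A-Za-z0-9_-]{1,64}"),
    },
}

# Constructed session store standing in for a real one: token -> user.
SESSIONS = {"tok-constructed-123": "alice"}

def authenticate(headers):
    """Return the user for a valid bearer token, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])

def validate_query(path, query):
    """List validation errors for query args against the route schema."""
    schema = QUERY_SCHEMAS[path]
    errors = []
    for key, value in query.items():
        pattern = schema.get(key)
        if pattern is None:
            errors.append(f"unexpected parameter: {key}")
        elif not pattern.fullmatch(value):
            errors.append(f"invalid value for: {key}")
    return errors

def handle(path, query, headers):
    """Dispatch a GET; returns (status, body). The body never carries a token."""
    if path not in QUERY_SCHEMAS:
        return 404, {"error": "not found"}
    user = None
    if path not in PUBLIC_ROUTES:            # authenticate before parsing args
        user = authenticate(headers)
        if user is None:
            return 401, {"error": "authentication required"}
    errors = validate_query(path, query)     # then validate every argument
    if errors:
        return 400, {"error": errors}
    return 200, {"path": path, "user": user, "args": dict(query)}
```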
One of these problems may be mitigated by a Web Application Firewall (WAF), however, as we’ve discussed in a previous post, WAFs alone are not enough for a strong API security posture.
Versions of Versa Director updated after Sep 12, 2024, should be exempt from this vulnerability. However, that doesn’t mean users of the platform and similar software can rest easy. More and more often, we are seeing vulnerabilities like this go unchecked until outside researchers bring them to the company’s attention. It is especially alarming in cases like this, where the software in question is so widely used by many different types of developers.
So what can users do to stay vigilant? Unfortunately, a lot of these vulnerabilities are out of their control; it is the responsibility of the company itself to keep up with its API security posture, which requires a delicate dance between developers and security teams. Many companies value innovation over staying on top of their security posture, but as we’ve been seeing in 2024, this is no longer a mistake they can afford to make with the volume of attacks rising so rapidly.
The best thing the average user can do is stay on top of current cybersecurity news, and update their software versions whenever possible. To learn more about the state of API security today, download our report here, and to see how the FireTail platform can help with your company’s API security, start a free trial today.