API security
cloud security
Cyber landscape
Cybersecurity
October 1, 2024

Versa is Vulnerable

As many of us know, APIs power applications across all industries, but API security is widely misunderstood. In this blog post, we’ll talk about a recent API security vulnerability in the Versa Director platform that left it open to attack.

Versa is Vulnerable

Versa Director is a virtualization platform used for the creation of services with Versa Networks software. The platform is used widely by ISPs and MSPs alike. However, recently, a vulnerability  was uncovered in Versa Director that could lead to API attacks and even token theft.

The Cybersecurity and Infrastructure Security Agency (CISA) brought this vulnerability to light and ranked it as a 6.6 level of severity, as it affects five versions of the software. As of right now, users are being urged to update to safer versions of the software to eliminate the risks of this vulnerability. While 6.6 is not in the range of critical severity, it’s important to note that there is evidence of active exploitation of this flaw in the wild.

The vulnerability in question…

If you’re familiar with our State of API Security 2024 report, you probably already know that the two biggest culprits when it comes to API security vulnerabilities are lack of proper authentication and authorization. 

In this case, the Versa Director APIs do not require proper authentication for login interfaces and more.

A large part of the problem is that Versa Director seems to value efficiency and quantity of output over quality. But there’s another related problem - their REST APIs facilitate automation through a united interface which allows for improper input validation in certain APIs that don’t require authentication.

According to a researcher at Cyble:

“Attackers could potentially exploit this vulnerability by injecting invalid arguments into a GET request”

The vulnerability does not expose user credentials, however, it could lead to larger breaches as the token exposure allows attackers to access additional APIs which could potentially involve sensitive data and security information.

One of these problems may be mitigated by a Web Application Firewall (WAF), however, as we’ve discussed in a previous post, WAFs alone are not enough for a strong API security posture.

What can we learn from this?

Versions of Versa Director updated after Sep 12, 2024, should be exempt from this vulnerability. However, that doesn’t mean users of the platform and similar software can rest easy. More and more often, we are seeing vulnerabilities like this go unchecked until outside researchers bring them to the company’s attention. It is especially alarming in cases like this, where the software in question is so widely used by many different types of developers.

So what can users do to stay vigilant? Unfortunately, a lot of these vulnerabilities are out of their control- it is the responsibility of the company itself to keep up with their API security posture, which requires a delicate dance between developers and security teams. Many companies value innovation over staying on top of their security posture, but as we’ve been seeing in 2024, this is no longer a mistake they can afford to make with the volume of attacks rising so rapidly.

The best thing the average user can do is stay on top of current cybersecurity news, and update their software versions whenever possible. To learn more about the state of API security today, download our report here, and to see how the FireTail platform can help with your company’s API security, start a free trial today.

Lina Romero

Related posts

The Problem with APIs
September 26, 2024

The Problem with APIs

APIs are everywhere and in every part of our lives. However, in recent years, attackers have been increasingly targeting APIs. So how do you secure an API, and whose responsibility is it?

Read more
Feeld Dating App API
September 20, 2024

Feeld Dating App API

APIs are used for everything, including dating apps. Feeld, a dating app targeted at multi-person relationships, recently faced an API vulnerability that exposed sensitive data, leaving users unsettled.

Read more
Escalating from Reader to Contributor in Azure API Management
September 19, 2024

Escalating from Reader to Contributor in Azure API Management

APIs can have many different types of security challenges, even those of tech giants such as Microsoft. In this blog, we’ll explore a recent vulnerability that affected Microsoft’s Azure API Management, and explore what that implies for the cloud shared responsibility model

Read more

This site uses cookies

By using this website, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Got it!