Cisco NX-OS Zero-Day Command Injection Flaw Under Attack


A command injection vulnerability in the command-line interface (CLI) of Cisco NX-OS Software, tracked as CVE-2024-20399, is under active exploitation. Cisco rates it Medium (CVSS base score 6.0) because exploitation requires administrator credentials, but a successful attack yields arbitrary command execution as root on the underlying operating system, which is why the flaw matters far more to operators of Cisco's Nexus and MDS series switches than its score suggests.

The vulnerability stems from insufficient validation of arguments passed to specific configuration CLI commands.


To exploit it, an attacker who is already authenticated with administrator credentials (Cisco classifies the attack as local) supplies crafted input as the argument to an affected configuration command.

That input reaches the underlying operating system unsanitised and is executed with root privileges, so the bug escalates ordinary admin-level CLI access into arbitrary command execution as root on the host.
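The bug class above, reduced to a toy: a privileged command handler that takes an argument from an already-authenticated administrator and hands it to a shell. This is an added example and not Cisco's code; the handler simply echoes a "description" argument, and the allow-list of acceptable characters is an assumption about what such a field needs. The vulnerable form and the two independent fixes (argv execution and argument validation) are shown side by side.

```python
"""Toy model of a CLI handler that passes an admin-supplied argument to a shell.
Hypothetical code, not Cisco's: the 'description' argument and the allow-list
are assumptions made for the example."""
import re
import shlex
import subprocess

# Allow-list: the characters a free-text description field is assumed to need.
# Everything else (; | & ` $ ( ) < > \ quotes, newlines) is rejected outright.
ALLOWED = re.compile(r"^[A-Za-z0-9 _./:-]+$")


def run_unsafe(description: str) -> str:
    """Vulnerable pattern: the argument is concatenated into a shell string and
    run with shell=True, so ';', '|', '$(...)' etc. are interpreted by /bin/sh
    (as root, in the real case)."""
    cmd = f"echo {description}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv(description: str) -> str:
    """Fix 1: argv form.  No shell parses the argument, so shell metacharacters
    reach the program as literal text."""
    return subprocess.run(["echo", description], capture_output=True, text=True).stdout


def validate(description: str) -> str:
    """Fix 2: reject anything outside the allow-list before it goes anywhere."""
    if not ALLOWED.match(description):
        raise ValueError(f"rejected argument: {description!r}")
    return description


def is_accepted(description: str) -> bool:
    """True when validate() would let the argument through."""
    try:
        validate(description)
        return True
    except ValueError:
        return False


def quoted_for_shell(description: str) -> str:
    """Fix 3 (defence in depth): if a shell string is ever unavoidable, e.g. for
    logging or forwarding, quote the validated argument with shlex.quote."""
    return f"echo {shlex.quote(validate(description))}"


def run_hardened(description: str) -> str:
    """Validation plus argv execution: the form the handler should have used."""
    return run_argv(validate(description))


if __name__ == "__main__":
    payload = "uplink-to-core; echo INJECTED"
    print("unsafe  :", repr(run_unsafe(payload)))   # second command ran
    print("argv    :", repr(run_argv(payload)))     # literal text, nothing ran
    try:
        run_hardened(payload)
    except ValueError as err:
        print("hardened:", err)
```

The argv form alone already stops the injection; the allow-list is there because a root-level handler should not forward arbitrary bytes to anything, shell or not.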

Impacted Products

The following Cisco products are affected if they are running a vulnerable release of Cisco NX-OS Software:

  • MDS 9000 Series Multilayer Switches
  • Nexus 3000 Series Switches
  • Nexus 5500 Platform Switches
  • Nexus 5600 Platform Switches
  • Nexus 6000 Series Switches
  • Nexus 7000 Series Switches
  • Nexus 9000 Series Switches in standalone NX-OS mode

Nexus 3000 and Nexus 9000 Series switches are not affected if they are running Cisco NX-OS Software release 9.3(5) or later, with the exception of certain models, among them the N3K-C3264C-E and N9K-C92348GC-X, which are fixed only in release 10.4(3) and later.
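The Nexus 3000/9000 rule above, turned into a version gate. This is an added example, not Cisco's tooling: it encodes only the two thresholds given in the text (9.3(5) for most models, 10.4(3) for the exception models), assumes Cisco's real exception list is longer than the two models named here, and treats the `NXOS:`/`system: version` line format of `show version` output as an assumption. The Cisco Software Checker remains the authoritative source; the script is for triaging an inventory before running it.

```python
"""Version gate for the Nexus 3000/9000 rule quoted in the text.  Added example,
not Cisco's tooling; thresholds and model names come from the article, and the
exception list is assumed to be incomplete."""
import re

# Exception models named in the text; Cisco's full list is assumed to be longer.
LATE_FIX_MODELS = frozenset({"N3K-C3264C-E", "N9K-C92348GC-X"})
DEFAULT_THRESHOLD = "9.3(5)"
LATE_FIX_THRESHOLD = "10.4(3)"

# major.minor(maintenance[letter])<rest>, e.g. 9.3(5), 9.3(5a), 10.2(3)F, 7.0(3)I7(10)
_VER = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]?)\)(.*)$")
# "NXOS: version 9.3(10)" (Nexus 9000) or "system: version 8.4(9)" (older
# platforms) in `show version` output; the exact label is an assumption.
_SHOW_VER = re.compile(r"^\s*(?:NXOS|system):\s+version\s+(\S+)", re.MULTILINE)


def parse_release(release: str) -> tuple:
    """Return (major, minor, maintenance, letter); the trailing train tag
    ('F', 'I7(10)') does not take part in the threshold comparison."""
    m = _VER.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised NX-OS release string: {release!r}")
    major, minor, maint, letter, _rest = m.groups()
    return (int(major), int(minor), int(maint), letter)


def at_least(release: str, threshold: str) -> bool:
    return parse_release(release) >= parse_release(threshold)


def release_from_show_version(text: str) -> str:
    m = _SHOW_VER.search(text)
    if not m:
        raise ValueError("no version line found in show version output")
    return m.group(1)


def n3k_n9k_status(model: str, release: str) -> str:
    """'affected' / 'not-affected' per the article's rule for N3K/N9K models in
    standalone NX-OS mode; 'not-covered' for every other platform, whose fixed
    releases are not stated in the article."""
    model = model.strip().upper()
    if not model.startswith(("N3K-", "N9K-")):
        return "not-covered"
    threshold = LATE_FIX_THRESHOLD if model in LATE_FIX_MODELS else DEFAULT_THRESHOLD
    return "not-affected" if at_least(release, threshold) else "affected"


if __name__ == "__main__":
    # Constructed show version fragment for a fictitious model name.
    sample = "Cisco Nexus Operating System (NX-OS) Software\n  NXOS: version 9.3(10)\n"
    rel = release_from_show_version(sample)
    print(rel, n3k_n9k_status("N9K-EXAMPLE", rel))
    print("10.4(2)", n3k_n9k_status("N9K-C92348GC-X", "10.4(2)"))
```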

Exploitation and Mitigation

The Cisco Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of this vulnerability in April 2024. Cybersecurity firm Sygnia attributed the attacks to Velvet Ant, a Chinese state-sponsored threat actor, which used the flaw to deploy custom malware on compromised switches.

The malware provides remote connection, file upload and execution of malicious code on the device, and does so without generating system syslog messages, which hides the activity from log-based monitoring.

Cisco has released software updates that address this vulnerability; there are no workarounds.

Administrators are urged to apply the updates promptly and, because exploitation requires valid administrator credentials, to monitor the use of, and regularly change, the credentials of administrative users such as network-admin and vdc-admin.
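One way to act on the credential-monitoring advice above, given that the malware seen in these attacks leaves no syslog trace: review the device's command accounting log for administrator sessions from unexpected sources and for configuration commands whose arguments carry shell metacharacters. This is an added example, not Cisco's tooling. The sample lines are constructed to follow the general shape of `show accounting log` output (timestamp:type=...:id=<source>@<tty>:user=...:cmd=...) and may not match every release exactly; the admin user set and the allow-listed management addresses are assumptions, and the `$(id)` in the last sample line is a generic command-substitution marker, not a working input for any NX-OS command (the affected commands are not disclosed).

```python
"""Audit of administrator-account use from NX-OS accounting log lines.  Added
example, not Cisco's tooling; log format, admin user names and management
addresses are assumptions documented inline."""
import re

# Constructed sample in the general shape of `show accounting log` output.
SAMPLE_LOG = """\
Mon Jul  1 08:02:11 2024:type=start:id=192.0.2.10@pts/0:user=admin:cmd=
Mon Jul  1 08:02:40 2024:type=update:id=192.0.2.10@pts/0:user=admin:cmd=configure terminal ; interface Ethernet1/1 ; description uplink-to-core (SUCCESS)
Mon Jul  1 09:15:02 2024:type=update:id=192.0.2.22@pts/1:user=netops-ro:cmd=terminal length 0 (SUCCESS)
Mon Jul  1 23:14:05 2024:type=start:id=198.51.100.77@pts/2:user=admin:cmd=
Mon Jul  1 23:14:31 2024:type=update:id=198.51.100.77@pts/2:user=admin:cmd=configure terminal ; interface Ethernet1/2 ; description $(id) (SUCCESS)
"""

# Timestamp itself contains ':' so the first field is matched non-greedily up to ':type='.
_LINE = re.compile(
    r"^(?P<ts>.+?):type=(?P<type>\w+):id=(?P<src>[^@:]+)@(?P<tty>[^:]+)"
    r":user=(?P<user>[^:]*):cmd=(?P<cmd>.*)$"
)
# NX-OS joins config-mode context with " ; " itself, so ';' is not flagged;
# command substitution, backticks, pipes, background/redirect and backslash are.
_META = re.compile(r"\$\(|`|[|&<>\\]")


def parse_accounting_log(text: str) -> list:
    """Return one dict per parseable line; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def audit(text: str, admin_users: set, allowed_sources: set) -> list:
    """Findings as (kind, user, detail, timestamp) tuples, in log order:
    - admin session (type=start) from a source address outside allowed_sources
    - admin configuration command (type=update) containing shell metacharacters
    """
    findings = []
    for rec in parse_accounting_log(text):
        if rec["user"] not in admin_users:
            continue  # assumption: admin_users lists the network-admin/vdc-admin accounts
        if rec["type"] == "start" and rec["src"] not in allowed_sources:
            findings.append(("admin-login-unknown-source", rec["user"], rec["src"], rec["ts"]))
        if rec["type"] == "update" and _META.search(rec["cmd"]):
            findings.append(("shell-metachars-in-config-cmd", rec["user"], rec["cmd"], rec["ts"]))
    return findings


if __name__ == "__main__":
    # Assumed: 'admin' is the only admin-role account, 192.0.2.10 the only jump host.
    for kind, user, detail, ts in audit(SAMPLE_LOG, {"admin"}, {"192.0.2.10"}):
        print(f"{ts}  {kind:32s} user={user} {detail}")
```

Run it against `show accounting log` output collected out of band (for example over a scheduled SSH pull into a central store), not only on the device, since an attacker with root on the switch can tamper with local records.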

Cisco's Software Checker tool reports whether a given NX-OS release is affected and names the earliest fixed release for each platform; administrators can use it from the Cisco Software Checker page.

Organizations running affected Cisco products should prioritise applying the patches and keep monitoring their network for signs of compromise, bearing in mind that the malware seen in these attacks leaves no syslog trace on the device itself.
