Cisco has released patches to address a zero-day vulnerability exploited in April. Tracked as CVE-2024-20399, the vulnerability impacts Cisco NX-OS Software. Successful exploitation of the vulnerability could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges.
Cybersecurity firm Sygnia reported the vulnerability to Cisco along with the information about the exploit and the subsequent attack flow. The cybersecurity firm said the attacks are linked to a Chinese state-sponsored threat actor called Velvet Ant.
CISA acknowledged the active exploitation of CVE-2024-20399 by adding it to its Known Exploited Vulnerabilities Catalog and requesting users patch the flaw before July 23, 2024.
Cisco NX-OS is a network operating system (NOS) for Cisco Systems’ Nexus-series Ethernet switches and MDS-series Fibre Channel storage area network switches. The OS is built on a Linux-based software architecture designed to be modular, resilient, and serviceable. NX-OS is intended to help ensure continuous availability and set the standard for mission-critical data center environments.
Vulnerability Details
Despite having a Linux kernel as its foundation, NX-OS uses the NX-OS CLI to abstract away the underlying Linux environment and give its own set of commands. The vulnerability originates from the insufficient validation of arguments passed to specific configuration CLI commands.
An attacker must have administrator credentials to the Switch management console to exploit the vulnerability. An attacker may exploit the vulnerability by including crafted input as the argument of an affected configuration CLI command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges.
Affected Versions
The vulnerability affects the following Cisco products running a vulnerable release of Cisco NX-OS Software:
- MDS 9000 Series Multilayer Switches
- Nexus 3000 Series Switches
- Nexus 5500 Platform Switches
- Nexus 5600 Platform Switches
- Nexus 6000 Series Switches
- Nexus 7000 Series Switches
- Nexus 9000 Series Switches in standalone NX-OS mode
Mitigation
Cisco has released patches to address the vulnerability. For more information, please refer to Cisco Security Advisory (cisco-sa-nxos-cmd-injection-xD9OhyOP).
Qualys Detection
Qualys customers can scan their devices with QID 317465 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://www.sygnia.co/threat-reports-and-advisories/china-nexus-threat-group-velvet-ant-exploits-cisco-0-day/
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-cmd-injection-xD9OhyOP
