
Chinese APT Targets Cisco Zero-Day Flaw


In a recent development, Cisco has addressed a command-line injection vulnerability in its network management platform used for managing switches in data centers. Researchers from Sygnia revealed that the flaw had already been exploited by the China-backed threat group known as Velvet Ant.

The vulnerability, known as CVE-2024-20399 and rated at 6.0 on the CVSS scale, allows authenticated attackers to execute arbitrary commands with root privileges on the underlying operating system of the affected device. This bug was found in the command line interface (CLI) of Cisco NX-OS Software, which is used by data center operations managers for troubleshooting and maintenance operations on NX-OS-enabled devices.

According to Cisco’s advisory, the flaw is a result of insufficient validation of arguments passed to specific configuration CLI commands. This allows attackers to include crafted input as arguments, leading to the exploitation of the vulnerability.
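As an added illustration of the flaw class the advisory describes (a CLI argument that reaches an OS command without sufficient validation), this toy config-command handler shows the vulnerable form beside a hardened one. It is constructed for this article and is not Cisco's code; the command name, file path and argument format are assumptions, not the real NX-OS command involved.

```python
import re
import shlex

# Constructed toy: a management-CLI handler that looks up a config file
# by an operator-supplied name. Not NX-OS code; paths are assumptions.

def build_cmd_unsafe(name: str) -> str:
    # Vulnerable pattern: the argument is interpolated into a shell string
    # with no validation, so shell metacharacters in it change the command.
    return f"cat /var/config/{name}.cfg"

# Allow-list of characters a config name may contain (assumed policy).
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

def validate_name(name: str) -> bool:
    # fullmatch: the whole argument must satisfy the allow-list.
    return NAME_RE.fullmatch(name) is not None

def build_cmd_safe(name: str) -> list[str]:
    # Hardened pattern: reject anything outside the allow-list, and return
    # an argv list so the OS command is never parsed by a shell at all.
    if not validate_name(name):
        raise ValueError(f"invalid config name: {name!r}")
    return ["cat", f"/var/config/{name}.cfg"]

def shell_command_count(cmd: str) -> int:
    # Tokenise the string the way a POSIX shell would and count how many
    # separate commands it contains; a safe command line yields exactly 1.
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    tokens = list(lexer)
    separators = {";", "&&", "||", "|", "&"}
    return 1 + sum(1 for t in tokens if t in separators)

if __name__ == "__main__":
    for arg in ("leaf1", "leaf1; id"):
        unsafe = build_cmd_unsafe(arg)
        print(f"unsafe {arg!r}: {unsafe!r} -> {shell_command_count(unsafe)} command(s)")
        try:
            print(f"safe   {arg!r}: {build_cmd_safe(arg)}")
        except ValueError as exc:
            print(f"safe   {arg!r}: rejected ({exc})")
```

The unsafe builder turns the second argument into two shell commands, while the hardened builder rejects it before any command is formed.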

The vulnerability affects various Cisco devices including the MDS 9000 Series Multilayer Switches, Nexus 3000 Series Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches, Nexus 7000 Series Switches, and Nexus 9000 Series Switches in standalone NX-OS mode. Cisco has released updates to patch the flaw in these affected devices.

Because exploitation requires valid administrator credentials, the vulnerability carries only a medium severity rating. Despite that rating, Velvet Ant has already exploited it: the group used the flaw to execute arbitrary commands on the underlying Linux OS of a Cisco Nexus switch, gaining remote access to the compromised devices and running custom malware on them.

This incident underscores the importance of promptly applying patches to mitigate further risks posed by vulnerabilities in Cisco devices. Organizations are advised to follow Cisco’s instructions for patching vulnerable devices and use tools like the Software Checker to determine if their environments are at risk.

Furthermore, the incident emphasizes the need for organizations to adhere to security best practices to protect their network environments. Recommendations include restricting administrator access to network equipment, implementing privileged access management solutions, enforcing multifactor authentication, and maintaining strong password policies. Regular patching of devices is also crucial to avoid leaving them vulnerable to exploitation.

In conclusion, the exploitation of the CVE-2024-20399 vulnerability by Velvet Ant highlights the persistent threat posed by sophisticated threat actors targeting network appliances. Organizations must remain vigilant, apply security best practices, and promptly patch vulnerabilities to safeguard their network environments from malicious actors.
