Patch Now: Cisco Zero-Day Under Fire From Chinese APT

Cisco has patched a command-line injection flaw in a network management platform used to manage switches in data centers, which, according to researchers from Sygnia, already has been exploited by the China-backed threat group known as Velvet Ant.

The bug (CVE-2024-20399, CVSS 6.0) can allow authenticated attackers to execute arbitrary command as root on the underlying operating system of an affected device. It's found in the command line interface (CLI) of Cisco NX-OS Software, which allows data center operations managers to troubleshoot and perform maintenance operations on NX-OS-enabled devices, which use the Linux kernel at their core.

"This vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands," according to Cisco's advisory on the flaw. "An attacker could exploit this vulnerability by including crafted input as the argument of an affected configuration CLI command."

The flaw involves a bash-shell feature that's available on all supported Cisco NX-OS Software releases for Cisco Nexus series switches and some other products, according to Cisco. If a device is running a Cisco NX-OS Software release that does not support the bash-shell feature, a user with admin privileges could exploit this vulnerability to execute arbitrary commands on the underlying OS. If a device is running a Cisco NX-OS Software release that supports the bash-shell feature, an admin user can access the underlying OS directly using the feature.

The flaw affects the following Cisco devices: MDS 9000 Series Multilayer Switches, Nexus 3000 Series Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches, Nexus 7000 Series Switches, and Nexus 9000 Series Switches in standalone NX-OS mode. Cisco has released updates that patch the flaw in the affected devices, it said.

Because an attacker must have admin credentials to exploit CVE-2024-20399, the flaw is rated only medium risk — but even so, it's already being exploited, so patching it should take priority.

Velvet Ant Swarms on CVE-2024-20399

Indeed, the 6.0 CVSS rating didn't stop Velvet Ant from exploiting the flaw to execute arbitrary commands on the underlying Linux OS of a Cisco Nexus switch by using valid administrator credentials to the Switch management console, according to a blog post by the Sygnia team.

NX-OS is based on a Linux kernel; however, it abstracts away the underlying Linux environment and provides its own set of commands using the NX-OS CLI, according to the post. Thus, "in order to execute commands on the underlaying Linux operating system from the Switch management console, an attacker would need a 'jailbreak' type of vulnerability to escape the NX-OS CLI context," which CVE-2024-20399 provides, according to Sygnia.

Velvet Ant's exploitation of the flaw — part of a multiyear campaign revealed by Sygnia and reported by Dark Reading in June — "led to the execution of a previously unknown custom malware that allowed the threat group to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on the devices," the Sygnia team wrote.

Hopping on Cisco flaws is a favorite pastime of nation-state cyberattackers: For example, an unrelated attack campaign dubbed ArcaneDoor identified in April also targeted Cisco devices to deliver two custom-built backdoors by exploiting zero-day flaws to target the perimeter of government networks within a global cyber-espionage campaign.

Patch Now & Mitigate Further Cisco Vuln Risk

Cisco Nexus switches are prevalent in enterprise environments, especially within data centers, and aren't typically exposed to the Internet. But gaining valid admin-level credentials and network access to those devices is an attractive proposition for advanced persistent threats (APTs) like Velvet Ant, which tend to target unguarded switches and other network appliances to achieve persistence and execute commands during cyberattacks, according to Sygnia.

That means affected organizations should follow Cisco's instructions for patching any vulnerable devices present on a network. Organizations can use Cisco's Software Checker to see if their environments are vulnerable.

"Despite the substantial prerequisites for exploiting the discussed vulnerability, this incident demonstrates the tendency of sophisticated threat groups to leverage network appliances — which are often not sufficiently protected and monitored — to maintain persistent network access," the Sygnia team wrote.

Harden Network Environments

The incident also highlights the "critical importance of adhering to security best practices as a mitigation against this type of threat," according to Sygnia, which recommended that organizations harden their environments in a variety of ways.

These recommendations include restricting administrator access to network equipment by using a privileged access management (PAM) solution or a dedicated, hardened, jump server with multifactor authentication (MFA) enforced. Organizations also can use central authentication, authorization, and accounting management for users to help streamline and enhance security, especially in environments with numerous switches.

Network administrators also should restrict switches from initiating outbound connections to the Internet to reduce the risk of them being exploited by external threats, or used to communicate with malicious actors.

Finally, as a general rule, organizations also should enforce a strong password policy and maintain good password hygiene so passwords don't fall into the wrong hands, according to Sygnia, as well as maintain regular patch schedules to update devices and avoid leaving them vulnerable.

Don't miss the latest Dark Reading Confidential podcast, where we talk to two ransomware negotiators about how they interact with cybercriminals: including how they brokered a deal to restore operations in a hospital NICU where lives were at stake; and how they helped a church, where the attackers themselves "got a little religion." Listen now!