Cisco Warns of NX-OS Zero-day Exploited to Deploy Custom Malware

Summary:
Cisco has patched a zero-day vulnerability in NX-OS that was exploited in April to install previously unknown malware on vulnerable switches. The cybersecurity firm Sygnia reported the incidents to Cisco, attributing the attacks to a Chinese state-sponsored threat actor, Velvet Ant. Amnon Kushnir, Director of Incident Response at Sygnia, revealed that Velvet Ant used administrator-level credentials to access Cisco Nexus switches and deploy custom malware. This malware allowed the attackers to remotely connect to compromised devices, upload additional files, and execute malicious code.

The vulnerability, tracked as CVE-2024-20399, can be exploited by local attackers with Administrator privileges to execute arbitrary commands with root permissions on the device's underlying operating system. Cisco explained that the flaw is due to insufficient validation of arguments passed to specific configuration CLI commands. An attacker could exploit this vulnerability by including crafted input as the argument of an affected configuration CLI command, potentially allowing the execution of arbitrary commands with root privileges. Because valid administrator credentials are a precondition, the bug is a privilege-escalation and persistence primitive rather than an initial-access vector: it turns restricted NX-OS CLI access into a root shell on the switch, which is how Velvet Ant used stolen admin credentials to plant its malware.

Security Officer Comments:
Affected devices include multiple switches running vulnerable NX-OS software, such as:

  • MDS 9000 Series
  • Nexus 3000 Series
  • Nexus 5500 Platform
  • Nexus 5600 Platform
  • Nexus 6000 Series
  • Nexus 7000 Series
  • Nexus 9000 Series switches in standalone NX-OS mode.

The flaw also enables attackers to execute commands without triggering syslog messages, thereby concealing signs of compromise.

Suggested Corrections:
Cisco has released fixed NX-OS software releases and reports no workarounds, so upgrading is the primary correction. In addition, Cisco advises customers to regularly monitor and change the credentials of network-admin and vdc-admin users, since an attacker must already hold such an account to exploit the flaw. Admins can use the Cisco Software Checker page to determine whether their devices and releases are exposed to CVE-2024-20399.
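The following Python script is an added example, not code from Cisco, Sygnia, or the advisory. It applies the advice above offline: it reads pasted output of `show user-account` to list local accounts holding network-admin or vdc-admin, then scans pasted `show accounting log` output for configuration commands those accounts issued whose arguments carry shell metacharacters. The metacharacter check is a heuristic assumption, because the advisory does not publish the affected CLI commands, and the device output embedded in the script is constructed for the example. Since exploitation reportedly leaves no syslog trace, reviewing the accounting log and rotating the flagged credentials complement patching rather than replace it.

```python
"""
Audit helper for CVE-2024-20399 exposure on Cisco NX-OS.

Added example (not Cisco's or Sygnia's code). Input is text pasted from two
NX-OS commands:
  show user-account    -> which local accounts hold network-admin / vdc-admin
  show accounting log  -> configuration commands those accounts issued
A command is flagged when an argument contains shell metacharacters. This is
a heuristic: the advisory does not name the affected CLI commands.
"""
import re
from dataclasses import dataclass

PRIVILEGED_ROLES = {"network-admin", "vdc-admin"}  # roles Cisco says to rotate

# Heuristic: characters a Unix shell would interpret if an argument were
# passed through to the underlying OS without validation.
SHELL_META = re.compile(r"[;&|`$<>]")

# NX-OS accounting log record layout: <timestamp>:type=..:id=..:user=..:cmd=..
LOG_RE = re.compile(
    r"^(?P<ts>.+?):type=(?P<type>[^:]+):id=(?P<id>[^:]+):user=(?P<user>[^:]+):cmd=(?P<cmd>.*)$"
)
STATUS_RE = re.compile(r"\s*\((SUCCESS|FAILURE)\)\s*$")

# Constructed sample output (not from a real device).
SAMPLE_USER_ACCOUNT = """\
user:admin
        this user account has no expiry date
        roles:network-admin
user:netops
        this user account has no expiry date
        roles:network-operator
user:svc-backup
        this user account has no expiry date
        roles:vdc-admin
"""

# Constructed sample log. The 'description' command on the last line is a
# placeholder argument carrier, not a claim that it is the vulnerable command.
SAMPLE_ACCOUNTING_LOG = """\
Mon Apr  8 09:12:01 2024:type=update:id=10.0.0.5@pts/0:user=admin:cmd=configure terminal ; interface ethernet1/1 ; description uplink (SUCCESS)
Mon Apr  8 09:15:44 2024:type=update:id=10.0.0.5@pts/0:user=netops:cmd=show running-config (SUCCESS)
Mon Apr  8 09:20:13 2024:type=update:id=10.0.0.77@pts/1:user=svc-backup:cmd=configure terminal ; interface ethernet1/2 ; description $(id) (SUCCESS)
"""


@dataclass
class Finding:
    user: str
    source: str   # the id= field: remote address and tty, or console0
    command: str  # the configuration command with its status suffix removed


def privileged_accounts(user_account_output: str) -> dict:
    """Map each account holding a privileged role to its full role set."""
    accounts: dict = {}
    current = None
    for line in user_account_output.splitlines():
        s = line.strip()
        if s.startswith("user:"):
            current = s[len("user:"):]
            accounts[current] = set()
        elif s.startswith("roles:") and current is not None:
            accounts[current].update(r.strip() for r in s[len("roles:"):].split(","))
    return {u: roles for u, roles in accounts.items() if roles & PRIVILEGED_ROLES}


def suspicious_config_commands(accounting_log: str, privileged: dict) -> list:
    """Flag configuration-mode commands from privileged users whose text
    contains shell metacharacters after the ' ; ' mode separators are removed."""
    findings = []
    for line in accounting_log.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("user") not in privileged:
            continue
        cmd = STATUS_RE.sub("", m.group("cmd"))
        if not cmd.startswith("configure terminal"):
            continue  # only configuration CLI commands are in scope
        # NX-OS joins the mode path with " ; "; drop those separators so only
        # metacharacters inside the actual arguments are examined.
        flattened = " ".join(cmd.split(" ; "))
        if SHELL_META.search(flattened):
            findings.append(Finding(m.group("user"), m.group("id"), cmd))
    return findings


def audit(user_account_output: str, accounting_log: str) -> list:
    return suspicious_config_commands(accounting_log, privileged_accounts(user_account_output))


if __name__ == "__main__":
    privileged = privileged_accounts(SAMPLE_USER_ACCOUNT)
    print("Accounts to monitor/rotate:", ", ".join(sorted(privileged)))
    for f in audit(SAMPLE_USER_ACCOUNT, SAMPLE_ACCOUNTING_LOG):
        print(f"REVIEW user={f.user} from={f.source}: {f.command}")
```

Run it with real output by replacing the two sample strings (or reading them from files). Accounts it lists are the ones whose passwords the advisory says to rotate; flagged commands are review leads, not proof of exploitation, and a clean result does not rule out exploitation given the missing syslog trail.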

Advisory:
https://sec.cloudapps.cisco.com/sec...Advisory/cisco-sa-nxos-cmd-injection-xD9OhyOP

Link(s):
https://www.bleepingcomputer.com/ne...-zero-day-exploited-to-deploy-custom-malware/