The moderate-severity vulnerability has been observed being exploited in the wild by the Chinese APT group Velvet Ant.

Cisco has released patches for several series of Nexus switches to fix a vulnerability that could allow attackers to hide the execution of bash commands on the underlying operating system. Although the flaw is rated as moderate severity because exploiting it requires administrative credentials, it has been exploited in the wild since April, which shows that attackers don't limit themselves to critical or high-risk flaws.

Tracked as CVE-2024-20399, the flaw is caused by insufficient validation of arguments passed with configuration commands to the command line interface (CLI) of the NX-OS software that powers the following Cisco switch families: MDS 9000 Series Multilayer Switches, Nexus 3000 Series Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches, Nexus 7000 Series Switches, and Nexus 9000 Series Switches in standalone NX-OS mode.

Chinese APT Velvet Ant has used the exploit

The vulnerability was detected in the wild by researchers from security firm Sygnia during their investigation of an attack by a Chinese state-sponsored APT group the company dubbed Velvet Ant. Sygnia’s report, released in June, highlighted that Velvet Ant persisted in the network of a large organization for over three years and used a compromised legacy F5 BIG-IP appliance for command and control. However, in a July 1 update, the company revealed that Velvet Ant had also exploited CVE-2024-20399 to execute malicious code and establish a foothold on Cisco Nexus switches.

“Network appliances, particularly switches, are often not monitored, and their logs are frequently not forwarded to a centralized logging system,” the company said.
“This lack of monitoring creates significant challenges in identifying and investigating malicious activities.”

But even if logs from switches were collected and monitored, exploitation of this vulnerability would not generate any log entries, according to Cisco.

“This vulnerability allows a user with administrator privileges to execute commands on the underlying operating system without enabling the bash-shell feature and without triggering system syslog messages showing that the user executed the run bash command,” the vendor said. “This could help a user with Administrator privileges hide the execution of shell commands on the device.”

Cisco recommends rotating admin credentials

Since the attack requires administrative privileges, Cisco recommends, in addition to installing the patches, monitoring and periodically rotating the credentials of the network-admin and vdc-admin accounts.

Modern attacks, especially cyberespionage operations that aim to remain undetected for long periods, involve lateral movement that collects credentials from compromised machines and devices. The goal is to establish multiple footholds across the network so that if one implant is detected, the attackers don’t lose all of their access to the target. While initially breaking into a network might involve exploiting critical or high-severity remote code execution flaws in internet-facing assets, lateral movement and stealth are often achieved by leveraging lower-severity flaws such as privilege escalations or, as in this NX-OS case, authenticated command injection.
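Because Cisco says a successful exploit produces no syslog entry for `run bash`, a defender has to look at what the device does still record. The flaw sits in arguments of configuration commands, and NX-OS keeps a local accounting log of configuration commands (`show accounting log`), which can be pulled off the box or forwarded via AAA accounting. The script below is an added example from this editor, not Cisco's or Sygnia's tooling: it parses accounting-log lines and flags commands whose arguments contain shell metacharacters, plus any explicit `run bash`. The line format is approximated from NX-OS output and the sample lines are constructed; the injected-looking argument in the third line is an illustrative placeholder, not the CVE-2024-20399 payload (which this article does not describe). Treating `$(`, backticks, pipes and redirections as signals is a heuristic assumption, as is treating ` ; ` as the log's own command separator rather than as injection.

```python
import re
from typing import Dict, List, Optional

# Constructed sample approximating NX-OS `show accounting log` lines (format is an assumption).
# Line 3 carries a hypothetical metacharacter-laden argument for illustration only.
SAMPLE_ACCOUNTING_LOG = """\
Fri Jul  5 09:12:33 2024:type=update:id=10.1.1.5@pts/0:user=netops:cmd=configure terminal ; interface Ethernet1/1 ; description uplink-to-core (SUCCESS)
Fri Jul  5 09:14:02 2024:type=update:id=10.1.1.5@pts/0:user=netops:cmd=copy running-config startup-config (SUCCESS)
Fri Jul  5 11:40:17 2024:type=update:id=10.1.1.9@pts/1:user=admin:cmd=configure terminal ; interface Ethernet1/2 ; description $(id > /tmp/x) (SUCCESS)
Fri Jul  5 11:41:55 2024:type=update:id=10.1.1.9@pts/1:user=admin:cmd=run bash (SUCCESS)
Fri Jul  5 12:02:10 2024:type=start:id=10.1.1.9@pts/1:user=admin:cmd=login
"""

# <timestamp>:type=<type>:id=<src>@<tty>:user=<name>:cmd=<command> [(<result>)]
# The timestamp itself contains colons, so match it non-greedily up to ":type=".
LINE_RE = re.compile(
    r"^(?P<ts>.+?):type=(?P<type>\w+):id=(?P<id>[^:]+):user=(?P<user>[^:]+):cmd=(?P<cmd>.*)$"
)

# Shell constructs that have no place inside NX-OS configuration-command arguments
# (heuristic). A bare " ; " is deliberately NOT in this set: the accounting log uses it
# to join the commands of one configuration session (assumption about the format).
SHELL_META_RE = re.compile(r"\$\(|`|\|\||\||&&|>>?|<")
# Legitimate `run bash` is logged here even when syslog is absent; every hit deserves a look.
RUN_BASH_RE = re.compile(r"\brun\s+bash\b")


def parse_accounting_line(line: str) -> Optional[Dict[str, str]]:
    """Split one accounting-log line into its fields; None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def flag_reason(cmd: str) -> Optional[str]:
    """Return why a logged command is suspicious, or None when it looks like ordinary config."""
    if SHELL_META_RE.search(cmd):
        return "shell metacharacters in command arguments"
    if RUN_BASH_RE.search(cmd):
        return "run bash invoked"
    return None


def find_suspicious(log_text: str) -> List[Dict[str, str]]:
    """Parse every line and return the entries that warrant analyst review, in log order."""
    hits: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        entry = parse_accounting_line(raw)
        if entry is None:
            continue  # unparseable lines are skipped rather than silently flagged
        reason = flag_reason(entry["cmd"])
        if reason:
            hits.append({**entry, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_ACCOUNTING_LOG):
        print(f"{hit['ts']}  user={hit['user']}  from={hit['id']}  {hit['reason']}: {hit['cmd']}")
```

Run it against an export of `show accounting log` from each switch, and pair any hit with the credential-rotation step the article describes: an admin account whose session shows metacharacters in configuration arguments is exactly the account to reset and investigate. Pipes in legitimately logged `show ... | include` commands will also trigger the metacharacter rule, so tune the pattern to the device's logging settings before relying on it in an alert pipeline.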