Cisco Patches NX-OS Zero-Day Exploited by Chinese Cyberspies

Cisco has patched an NX-OS command injection zero-day exploited by China-linked cyberespionage group Velvet Ant.


Cisco on Monday announced patches for a medium-severity zero-day vulnerability in the NX-OS software that has been exploited by a China-linked cyberespionage threat actor.

Tracked as CVE-2024-20399 (CVSS score of 6), the security defect impacts the command line interface of NX-OS and could allow a local attacker to execute arbitrary commands on the underlying operating system, with root privileges.

“This vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands. An attacker could exploit this vulnerability by including crafted input as the argument of an affected configuration CLI command,” Cisco explains in an advisory.

The tech giant also underlines that an attacker needs to be authenticated as an administrator on a vulnerable device to successfully exploit this bug.

“In April 2024, the Cisco Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of this vulnerability in the wild,” Cisco notes.

CVE-2024-20399 impacts Cisco’s MDS 9000 series, Nexus 3000 series, Nexus 5500 platform, Nexus 5600 platform, Nexus 6000 series, Nexus 7000 series, and Nexus 9000 series switches. The tech giant has released firmware updates for all affected products.

The vulnerability was discovered and reported by cybersecurity firm Sygnia, which observed it being targeted in a cyberespionage campaign attributed to a China-linked threat actor tracked as ‘Velvet Ant’.

Last month, Sygnia revealed that Velvet Ant had maintained access to an organization’s network for years by compromising internet-exposed legacy F5 BIG-IP appliances and deploying multiple tools to relay command-and-control (C&C) communication.

“Velvet Ant used outdated F5 BIG-IP equipment as internal command-and-control (C&C) servers to stay under the radar in a bid to maintain multiple footholds to the target network and methodically obtain private data, including financial and customer information,” Sygnia told SecurityWeek.

The hacking group exploited the Cisco NX-OS bug to execute previously unknown malware on the affected devices, which allowed it to connect to them remotely, upload additional files, and execute more code.

The cybersecurity firm explains that the vulnerability can only be exploited if the attacker has network access to the vulnerable device and is in possession of administrator credentials.

“Given that most Nexus switches are not directly exposed to the internet, a threat group must first achieve initial access to the organization’s internal network to exploit this vulnerability. Consequently, the overall risk to organizations is reduced by the inherent difficulty in obtaining the necessary access,” Sygnia explains.

However, the cybersecurity firm also points out that, despite difficulties in exploiting flaws like CVE-2024-20399, sophisticated threat actors, such as Velvet Ant, tend to target insufficiently protected network appliances for persistent access to enterprise environments.

“Updating the systems of affected devices is the primary mitigation strategy for licensed devices. For cases in which software updates are not available, this incident demonstrates the critical importance of adopting security best practices to prevent access to devices in the first place,” Sygnia notes.


Written by Ionut Arghire, an international correspondent for SecurityWeek.
