Cisco Nexus networking equipment's undisclosed vulnerability sounds alarm bells, disregarding the CVSS rating.
Breaking News: Critical Zero-Day Vulnerability Affects Cisco NX-OS Software
A zero-day vulnerability, identified as CVE-2024-20399, has been discovered in Cisco NX-OS software, posing a significant risk to network infrastructure. This vulnerability is currently being exploited by a sophisticated threat actor known as Velvet Ant, with ties to China [1].
Current Status
The vulnerability is recognized as a known exploited vulnerability as of July 2024, and while Cisco continues to release additional fixes, it is listed as "Ready" but "Not Supported" in some mitigation content packs [1]. This suggests that there may not be an official patch or ongoing vendor support for this specific issue at this time.
Impact
The vulnerability allows attackers to escape the limited command-line interface (CLI) environment of NX-OS and execute arbitrary Linux commands with root privileges on network switches. This complete control over network switches can facilitate further attacks or network disruption [2].
Recommended Actions and Workarounds
Given the urgency of the situation and the potential lack of immediate official patches or direct vendor support, the following actions are recommended:
- Implement network segmentation and strict access controls to limit access to vulnerable NX-OS devices.
- Monitor network devices closely for unusual CLI or Linux command executions and signs of compromise.
- Use Cisco’s advisories and follow any vendor-issued interim mitigations or configuration changes that reduce the attack surface.
- Employ intrusion detection and prevention systems to detect exploitation patterns relating to command injection.
- Consider disabling or restricting CLI access from untrusted sources until a patch is available.
Summary
CVE-2024-20399 is a critical command injection zero-day affecting Cisco NX-OS, allowing root-level command execution on switches, bypassing CLI security. Immediate protective measures focus on network controls, monitoring, and applying Cisco security advisories, as direct patches or vendor mitigations may currently be unavailable or delayed [1][2].
The vulnerability affects a wide range of Cisco Nexus devices, and the Cybersecurity and Infrastructure Security Agency has added the vulnerability to its Known Exploited Vulnerabilities catalog. The custom malware deployed by Velvet Ant allows for code execution and traffic tunneling, granting the hacker continuous access to the network without needing to log in.
Cisco has released software updates for some NX-OS hardware platforms to address the vulnerability. It is essential to track Cisco's official security advisories and apply updates as soon as they are released. Network appliances, including switches, are often not monitored, and logs are not sent to a centralized logging system, making it crucial to implement robust security measures to protect your network infrastructure.
- The malware deployed by the hacker group Velvet Ant, with ties to China, is taking advantage of the known exploited vulnerability, CVE-2024-20399, in Cisco NX-OS software, which poses a significant risk to network infrastructure.
- As of July 2024, while Cisco continues to release additional fixes, there may not be an official patch or ongoing vendor support for this vulnerability, necessitating immediate incident response actions.
- Given the urgent situation, cybersecurity measures such as network segmentation, access controls, intrusion detection and prevention systems, and monitoring network devices closely are recommended to guard against this command injection vulnerability.
- This critical zero-day vulnerability and the malware made to exploit it have garnered attention in the general-news and crime-and-justice sectors, highlighting the importance of robust technology security in safeguarding network infrastructures.
