Cisco has released patches for several Nexus switch series to address a vulnerability that allows attackers to execute bash commands in the underlying operating system by exploiting an insufficient validation of arguments passed with configuration commands. This flaw, identified as CVE-2024-20399, affects various Cisco switches including MDS 9000 Series Multilayer Switches, Nexus 3000 Series Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches, Nexus 7000 Series Switches, and Nexus 9000 Series Switches.
Security firm Sygnia discovered the vulnerability during an investigation into a Chinese state-sponsored APT group known as Velvet Ant. This group persisted on a large organization’s network for more than three years, using a compromised F5 BIG-IP appliance for command and control. Cisco confirmed that Velvet Ant also exploited CVE-2024-20399 to execute malicious code on Cisco Nexus switches.
The ability of attackers to hide their activity by exploiting this vulnerability poses challenges as switch logs are often unmonitored and not sent to centralized logging systems. Even if switch logs were collected and monitored, exploiting this vulnerability does not generate any log entries, making detection difficult. Cisco recommends regularly monitoring and rotating network-admin and vdc-admin credentials in addition to installing patches to mitigate the risk of exploitation.
The attack requires administrative privileges, highlighting the importance of securing these credentials to prevent unauthorized access. Modern cyber espionage attacks involve lateral movement activities that aim to establish multiple footholds across the network, allowing attackers to maintain access even if one implant is detected. While initial breaches may involve exploiting critical vulnerabilities, lateral movement and stealth are often achieved by leveraging lower-severity flaws like authenticated command injection.
In conclusion, organizations using Cisco Nexus switches should apply the latest patches to address the CVE-2024-20399 vulnerability and take steps to enhance credential security and monitoring to prevent unauthorized access and reduce the risk of stealthy attacks by threat actors. Vigilance and proactive security measures are crucial in protecting against evolving cyber threats in the current threat landscape.
Article Source
https://www.csoonline.com/article/2512990/cisco-patches-actively-exploited-zero-day-flaw-in-nexus-switches.html/amp/