Cisco NX-OS Zero-Day Command Injection Flaw Under Active Attack
A critical vulnerability in the Command Line Interface (CLI) of Cisco NX-OS Software is currently under active exploitation, allowing attackers to execute arbitrary commands as root on affected devices.
This zero-day flaw, tracked as CVE-2024-20399, poses a serious threat to network security, particularly for organizations using Cisco's Nexus and MDS series switches.
The vulnerability arises from insufficient validation of arguments passed to specific configuration CLI commands.
An authenticated, local attacker with administrator credentials can exploit this flaw by supplying crafted input as an argument to an affected configuration CLI command.
Successful exploitation grants the attacker root privileges on the underlying operating system, enabling the execution of arbitrary commands.
Impacted Products
The following Cisco products are affected if they are running a vulnerable release of Cisco NX-OS Software:
- MDS 9000 Series Multilayer Switches
- Nexus 3000 Series Switches
- Nexus 5500 Platform Switches
- Nexus 5600 Platform Switches
- Nexus 6000 Series Switches
- Nexus 7000 Series Switches
- Nexus 9000 Series Switches in standalone NX-OS mode
Critically, certain devices within the Nexus 3000 and Nexus 9000 series are not affected if they are running Cisco NX-OS Software releases 9.3(5) and later, with specific exceptions such as the N3K-C3264C-E and N9K-C92348GC-X devices, which require further updates to versions 10.4.3 and later.
Exploitation and Mitigation
The Cisco Product Security Incident Response Team (PSIRT) became aware of active exploitation of this vulnerability in April 2024. Cybersecurity firm Sygnia attributed these attacks to a Chinese state-sponsored threat actor, Velvet Ant, which used the flaw to deploy custom malware on compromised devices.
This malware allows remote connection, file upload, and malicious code execution without triggering system syslog messages, thereby concealing the attack.
Cisco has released software updates to address this vulnerability. However, no workarounds are available.
Administrators are urged to apply the updates promptly and to regularly monitor and rotate the credentials of administrative users, such as network-admin and vdc-admin, to mitigate potential risks.
Cisco provides the Cisco Software Checker tool to determine exposure and identify the appropriate software updates. This tool helps identify affected software releases and the earliest fixed versions. Administrators can access this tool on the Cisco Software Checker page.
Organizations using affected Cisco products should prioritize applying the critical patches and continuously monitor their network for any indicators of compromise.
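As an added example (not code from the article, from Cisco, or from Sygnia), the script below turns the version rule quoted above for the Nexus 3000 and 9000 series into a first-pass exposure triage over a device inventory: releases at or above 9.3(5) are treated as not affected, except for the N3K-C3264C-E and N9K-C92348GC-X, which need 10.4(3) or later. It parses both Cisco's native release notation (`9.3(5)`) and the dotted form the article uses (`10.4.3`). The article says only that "certain" Nexus 3000/9000 devices are fixed at 9.3(5), and gives no threshold for the MDS 9000 or Nexus 5500/5600/6000/7000 platforms, so the output is a triage hint and the Cisco Software Checker remains the authoritative source. Hostnames and the `PLACEHOLDER` model names in the sample inventory are constructed; the status strings and function names are this example's own choices.

```python
import re
from typing import Dict, List, Tuple

# Models the write-up singles out as needing the later fixed release.
LATER_FIX_MODELS = {"N3K-C3264C-E", "N9K-C92348GC-X"}

# Thresholds quoted in the write-up, as comparable tuples.
GENERAL_FIX = (9, 3, 5)     # "9.3(5) and later" for Nexus 3000 / 9000
LATER_FIX = (10, 4, 3)      # "10.4.3 and later" for the two exception models


def parse_nxos_version(text: str) -> Tuple[int, int, int]:
    """Convert an NX-OS release string into a comparable tuple.

    Accepts Cisco's native form ('9.3(5)', '10.4(3)') and the dotted form
    used in the write-up ('10.4.3'). Only the first three numeric fields are
    compared; trailing feature letters such as the 'F' in '10.2(3)F' and the
    extra fields in legacy strings like '7.0(3)I7(9)' are ignored here.
    """
    fields = re.findall(r"\d+", text)
    if len(fields) < 3:
        raise ValueError(f"unrecognised NX-OS release string: {text!r}")
    return int(fields[0]), int(fields[1]), int(fields[2])


def assess_exposure(model: str, version: str) -> str:
    """Apply the version rule stated in the write-up to one device.

    Returns one of:
      'not-affected'             release meets the threshold quoted for this model
      'vulnerable'               release is below that threshold
      'consult-software-checker' platform the write-up gives no threshold for
                                 (MDS 9000, Nexus 5500/5600/6000/7000)
    """
    release = parse_nxos_version(version)
    if model in LATER_FIX_MODELS:
        # Exception models: 9.3(5) is not enough, 10.4(3) or later is required.
        return "not-affected" if release >= LATER_FIX else "vulnerable"
    if model.startswith(("N3K-", "N9K-")):
        return "not-affected" if release >= GENERAL_FIX else "vulnerable"
    return "consult-software-checker"


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group hostnames by exposure status so the vulnerable set is easy to act on."""
    groups: Dict[str, List[str]] = {}
    for hostname, model, version in inventory:
        groups.setdefault(assess_exposure(model, version), []).append(hostname)
    return groups


# Constructed sample inventory (hostname, model, running release).
# Hostnames and the PLACEHOLDER model names are made up for this example.
SAMPLE_INVENTORY = [
    ("dc1-leaf01", "N9K-PLACEHOLDER", "9.3(5)"),
    ("dc1-leaf02", "N9K-PLACEHOLDER", "9.3(4)"),
    ("dc1-mgmt01", "N9K-C92348GC-X", "9.3(9)"),   # above 9.3(5) but still below 10.4(3)
    ("dc1-mgmt02", "N9K-C92348GC-X", "10.4(3)"),
    ("dc1-core01", "N7K-PLACEHOLDER", "8.4(6)"),
    ("san1-sw01", "DS-C9-PLACEHOLDER", "9.3(2)"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:26s} {', '.join(hosts)}")
```

The `dc1-mgmt01` entry shows the edge case the article calls out: a N9K-C92348GC-X on 9.3(9) would pass a naive "9.3(5) or later" check but is still exposed until it reaches 10.4(3).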
Source credit : cybersecuritynews.com