Tuesday, November 5, 2024
HomeCiscoCisco NX-OS Zero-Day Command Injection Vulnerability Let Hackers Gain Root Access

Cisco NX-OS Zero-Day Command Injection Vulnerability Let Hackers Gain Root Access

Published on

Malware protection

Cisco has disclosed a critical vulnerability in its widely-used NX-OS network operating system that could allow attackers to execute arbitrary commands with root privileges on affected devices.

The company urges customers to upgrade to patched versions as soon as possible.

The vulnerability tracked as CVE-2024-20399 exists in the command-line interface (CLI) of NX-OS due to insufficient validation of arguments passed to specific configuration commands.

- Advertisement - SIEM as a Service

An authenticated local attacker with administrator credentials could exploit this flaw by entering crafted input as an argument.

Successful exploitation would allow the attacker to run commands on the underlying operating system as the root user, enabling full device compromise.

Cisco notes that the vulnerability is being actively exploited in the wild as of April 2024.

A wide range of Cisco data center and networking products are impacted if running vulnerable NX-OS versions, including:

  • MDS 9000 Series Multilayer Switches
  • Nexus 3000, 5500, 5600, 6000, 7000, and 9000 Series Switches

However, with some exceptions, Nexus 9000 Series switches are unaffected on releases 9.3 and later.

Devices with the bash-shell feature available, such as Nexus 3000 and 9000 switches and Nexus 7000 on release 8.1+, do not grant extra privileges but still allow an admin to hide the execution of shell commands.

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo

Attacks & Mitigation

In April 2024, the Cisco Product Security Incident Response Team (PSIRT) identified active exploitation of this vulnerability.

Cybersecurity firm Sygnia attributed these attacks to Velvet Ant, a Chinese state-sponsored threat actor, which used the flaw to deploy custom malware on compromised devices.

The malware enables remote connection, file upload, and malicious code execution without triggering system syslog messages, effectively concealing the attack.

Cisco offers the Cisco Software Checker tool to determine exposure and find the appropriate software updates.

This tool identifies impacted software releases and the earliest fixed versions, accessible on the Cisco Software Checker page.

Organizations using affected Cisco products should prioritize applying the necessary patches and continuously monitor their network for any signs of compromise.

Cisco has released patched NX-OS versions addressing the vulnerability and advises customers to upgrade as soon as possible.

No workarounds are available—the company credits cybersecurity firm Sygnia for reporting the flaw.

Network administrators should review the detailed advisory, determine their exposure via the Cisco Software Checker tool, and plan their upgrades as there is no workaround for this vulnerability.

Regularly changing admin credentials is also recommended as a best practice. Cisco TAC and support partners are available to assist customers as needed.

Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

ClickFix Exploits GMeet & Zoom Pages to Deliver Sophisticated Malware

A new tactic, "ClickFix," has emerged. It exploits fake Google Meet and Zoom pages...

APT36 Hackers Attacking Windows Deevices With ElizaRAT

APT36, a sophisticated threat actor, has been actively targeting Indian entities with advanced malware...

Hackers Using AV/EDR Bypass Tool From Cybercrime Forums To Bypass Endpoints

Researchers uncovered two previously unknown endpoints with older Cortex XDR agents that used to...

Hackers Created 100+ Fake Web Stores To Steal Millions Of Dollars From Customers

The Phish, 'n' Ships fraud operation leverages, compromised websites to redirect users to fake...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

ClickFix Exploits GMeet & Zoom Pages to Deliver Sophisticated Malware

A new tactic, "ClickFix," has emerged. It exploits fake Google Meet and Zoom pages...

APT36 Hackers Attacking Windows Deevices With ElizaRAT

APT36, a sophisticated threat actor, has been actively targeting Indian entities with advanced malware...

Hackers Using AV/EDR Bypass Tool From Cybercrime Forums To Bypass Endpoints

Researchers uncovered two previously unknown endpoints with older Cortex XDR agents that used to...