Sunday, July 14, 2024

Cisco NX-OS Zero-Day Command Injection Vulnerability Let Hackers Gain Root Access

Cisco has disclosed a critical vulnerability in its widely-used NX-OS network operating system that could allow attackers to execute arbitrary commands with root privileges on affected devices.

The company urges customers to upgrade to patched versions as soon as possible.

The vulnerability tracked as CVE-2024-20399 exists in the command-line interface (CLI) of NX-OS due to insufficient validation of arguments passed to specific configuration commands.

An authenticated local attacker with administrator credentials could exploit this flaw by entering crafted input as an argument.

Successful exploitation would allow the attacker to run commands on the underlying operating system as the root user, enabling full device compromise.

Cisco notes that the vulnerability is being actively exploited in the wild as of April 2024.

A wide range of Cisco data center and networking products are impacted if running vulnerable NX-OS versions, including:

  • MDS 9000 Series Multilayer Switches
  • Nexus 3000, 5500, 5600, 6000, 7000, and 9000 Series Switches

However, with some exceptions, Nexus 9000 Series switches are unaffected on releases 9.3 and later.

Devices with the bash-shell feature available, such as Nexus 3000 and 9000 switches and Nexus 7000 on release 8.1+, do not grant extra privileges but still allow an admin to hide the execution of shell commands.

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo

Attacks & Mitigation

In April 2024, the Cisco Product Security Incident Response Team (PSIRT) identified active exploitation of this vulnerability.

Cybersecurity firm Sygnia attributed these attacks to Velvet Ant, a Chinese state-sponsored threat actor, which used the flaw to deploy custom malware on compromised devices.

The malware enables remote connection, file upload, and malicious code execution without triggering system syslog messages, effectively concealing the attack.

Cisco offers the Cisco Software Checker tool to determine exposure and find the appropriate software updates.

This tool identifies impacted software releases and the earliest fixed versions, accessible on the Cisco Software Checker page.

Organizations using affected Cisco products should prioritize applying the necessary patches and continuously monitor their network for any signs of compromise.

Cisco has released patched NX-OS versions addressing the vulnerability and advises customers to upgrade as soon as possible.

No workarounds are available—the company credits cybersecurity firm Sygnia for reporting the flaw.

Network administrators should review the detailed advisory, determine their exposure via the Cisco Software Checker tool, and plan their upgrades as there is no workaround for this vulnerability.

Regularly changing admin credentials is also recommended as a best practice. Cisco TAC and support partners are available to assist customers as needed.

Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files


Latest articles

mSpy Data Breach: Millions of Customers’ Data Exposed

mSpy, a widely used phone spyware application, has suffered a significant data breach, exposing...

Advance Auto Parts Cyber Attack: Over 2 Million Users Data Exposed

RALEIGH, NC—Advance Stores Company, Incorporated, a prominent commercial entity in the automotive industry, has...

Hackers Using ClickFix Social Engineering Tactics to Deploy Malware

Cybersecurity researchers at McAfee Labs have uncovered a sophisticated new method of malware delivery,...

Coyote Banking Trojan Attacking Windows Users To Steal Login Details

Hackers use Banking Trojans to steal sensitive financial information. These Trojans can also intercept...

Hackers Created 700+ Fake Domains to Sell Olympic Games Tickets

As the world eagerly anticipates the Olympic Games Paris 2024, a cybersecurity threat has...

Japanese Space Agency Spotted zero-day via Microsoft 365 Services

The Japan Aerospace Exploration Agency (JAXA) has revealed details of a cybersecurity incident that...

Top 10 Active Directory Management Tools – 2024

Active Directory Management Tools are essential for IT administrators to manage and secure Active...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles