Cisco warns about actively exploited vulnerability in switches

A vulnerability in Cisco NX-OS switches that could allow a local authenticated attacker to execute arbitrary commands as root is reportedly under active exploitation.

Cisco has issued a security advisory about a vulnerability in the command line interface (CLI) of Cisco NX-OS software, which could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device. Cisco NX-OS Software is a network operating system specifically used for Cisco’s Nexus series of switches.

Even though an attacker needs administrator credentials to successfully exploit this vulnerability, there are reports of active exploitation.

There are no workarounds that address this vulnerability, but Cisco has released patches.

The following products are at risk if they are running a vulnerable release of Cisco NX-OS Software:

  • MDS 9000 Series Multilayer Switches
  • Nexus 3000 Series Switches
  • Nexus 5500 Platform Switches
  • Nexus 5600 Platform Switches
  • Nexus 6000 Series Switches
  • Nexus 7000 Series Switches
  • Nexus 9000 Series Switches in standalone NX-OS mode

The vulnerability, listed as CVE-2024-20399, only received a CVSS score of 6.0 out of 10 because it requires administrator credentials, but security researchers claim that cybercriminals linked to the advanced persistent threat (APT) group “Velvet Ant” have been using the vulnerability as a zero-day since April.

With administrator credentials gathered via a different attack vector, the APT group managed to access Cisco Nexus switches. They used this access to deploy customized malware, which enabled them to remotely connect to the compromised devices, upload more files, and execute malicious code.

The Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its catalog of Known Exploited Vulnerabilities, which means that Federal Civilian Executive Branch (FCEB) agencies must remediate the vulnerability by July 23, 2024.

It is important to note that there is another factor that contributes to the severity of the vulnerability. It makes quite a difference whether the bash shell is enabled on the vulnerable devices or not. Bash is a versatile and powerful shell and scripting language that provides a way to interact with Unix-based operating systems. It allows users to execute commands, perform complex operations, and automate tasks.

Devices can be exploited whether they support bash or not, but if a device is running a Cisco NX-OS software release that supports bash, the exploit does not trigger the syslog messages that would normally show that the user executed the "run bash" command. This could help a user with administrator privileges hide the execution of shell commands on the device.
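The logging gap described above is the reason defenders should be looking at shell-related commands in the device's command accounting records at all. The following is an added example, not code from Cisco or from this article: it parses a constructed sample of NX-OS "show accounting log" style output (the field layout, addresses, users and timestamps are assumptions made for the example) and flags records where a user entered the shell with "run bash" or enabled it with "feature bash-shell". The watch-list of commands is likewise an assumption chosen for illustration, not a Cisco-published list.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the style of NX-OS "show accounting log" output. The
# field layout (type=/id=/user=/cmd=) is an assumption for this example; the
# addresses, user names and times are made up.
SAMPLE_ACCOUNTING_LOG = """\
Mon Jul  1 09:12:01 2024:type=start:id=192.0.2.10@pts/0:user=admin:cmd=
Mon Jul  1 09:12:15 2024:type=update:id=192.0.2.10@pts/0:user=admin:cmd=show version (SUCCESS)
Mon Jul  1 09:13:40 2024:type=update:id=192.0.2.10@pts/0:user=admin:cmd=run bash (SUCCESS)
Mon Jul  1 09:20:03 2024:type=update:id=198.51.100.7@pts/1:user=netops:cmd=show interface status (SUCCESS)
Mon Jul  1 09:21:11 2024:type=update:id=198.51.100.7@pts/1:user=netops:cmd=feature bash-shell (SUCCESS)
Mon Jul  1 09:21:30 2024:type=update:id=198.51.100.7@pts/1:user=netops:cmd=run bash (FAILURE)
Mon Jul  1 09:30:55 2024:type=stop:id=192.0.2.10@pts/0:user=admin:cmd=
"""

# Commands worth alerting on: entering the underlying shell, or enabling the
# feature that makes it available. This watch-list is an assumption chosen for
# the example, not a Cisco-published list.
SHELL_COMMAND_PATTERNS = [
    re.compile(r"^run\s+bash\b"),
    re.compile(r"^feature\s+bash-shell\b"),
]

# The timestamp itself contains colons, so match it non-greedily up to ":type=".
LINE_RE = re.compile(
    r"^(?P<ts>.+?):type=(?P<type>\w+):id=(?P<id>[^:]+):user=(?P<user>[^:]*):cmd=(?P<cmd>.*)$"
)
RESULT_RE = re.compile(r"\s*\((SUCCESS|FAILURE)\)\s*$")


def parse_accounting_line(line: str) -> Optional[Dict[str, str]]:
    """Split one accounting record into fields; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    result = RESULT_RE.search(rec["cmd"])
    rec["result"] = result.group(1) if result else ""
    rec["cmd"] = RESULT_RE.sub("", rec["cmd"]).strip()
    return rec


def find_shell_activity(log_text: str) -> List[Dict[str, str]]:
    """Return the command records in which a user entered or enabled the bash shell."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_accounting_line(line)
        # Only "update" records carry a command; start/stop mark session boundaries.
        if rec is None or rec["type"] != "update":
            continue
        if any(p.match(rec["cmd"]) for p in SHELL_COMMAND_PATTERNS):
            hits.append(rec)
    return hits


def summarize_by_user(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Count successful shell-related commands per user, for a quick triage view."""
    counts: Dict[str, int] = {}
    for rec in records:
        if rec["result"] == "SUCCESS":
            counts[rec["user"]] = counts.get(rec["user"], 0) + 1
    return counts


if __name__ == "__main__":
    events = find_shell_activity(SAMPLE_ACCOUNTING_LOG)
    for e in events:
        print(f'{e["ts"]}  {e["user"]}@{e["id"]}  {e["cmd"]}  [{e["result"]}]')
    print("successful shell-related commands per user:", summarize_by_user(events))
```

Run against exported accounting logs from a central syslog or AAA server rather than on the device itself, so that an administrator-level intruder cannot clear the evidence locally. As the article notes, on releases that support bash the exploit path does not emit the "run bash" syslog message at all, so an empty result from this kind of check is not evidence that the shell was never used; it complements patching, it does not replace it.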

Since Velvet Ant has made a name for itself for being able to stay under the radar for years while spying on large corporate networks, it is likely that it would prefer the latter variant.

But now that the vulnerability is more widely known, other groups will certainly try to incorporate it in their attack chains.

Network peripherals, like routers, are an attractive target for ransomware groups and other cybercriminals looking for ways into networks. They usually provide means for further access since they are widely connected, they often have access to sensitive data, and because they usually run without human interaction they are sometimes overlooked in security.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.