Cisco has patched a command-line injection flaw in a network management platform used to manage switches in data centers, which, according to researchers from Sygnia, already has been exploited by the China-backed threat group known as Velvet Ant.
The bug can allow authenticated attackers to execute arbitrary command as root on the underlying operating system of an affected device.
It's found in the command line interface of Cisco NX-OS Software, which allows data center operations managers to troubleshoot and perform maintenance operations on NX-OS-enabled devices, which use the Linux kernel at their core.
The flaw involves a bash-shell feature that's available on all supported Cisco NX-OS Software releases for Cisco Nexus series switches and some other products, according to Cisco.
If a device is running a Cisco NX-OS Software release that does not support the bash-shell feature, a user with admin privileges could exploit this vulnerability to execute arbitrary commands on the underlying OS. If a device is running a Cisco NX-OS Software release that supports the bash-shell feature, an admin user can access the underlying OS directly using the feature.
Cisco has released updates that patch the flaw in the affected devices, it said.
Because an attacker must have admin credentials to exploit CVE-2024-20399, the flaw is rated only medium risk - but even so, it's already being exploited, so patching it should take priority.
Velvet Ant Swarms on CVE-2024-20399 Indeed, the 6.0 CVSS rating didn't stop Velvet Ant from exploiting the flaw to execute arbitrary commands on the underlying Linux OS of a Cisco Nexus switch by using valid administrator credentials to the Switch management console, according to a blog post by the Sygnia team.
NX-OS is based on a Linux kernel; however, it abstracts away the underlying Linux environment and provides its own set of commands using the NX-OS CLI, according to the post.
Hopping on Cisco flaws is a favorite pastime of nation-state cyberattackers: For example, an unrelated attack campaign dubbed ArcaneDoor identified in April also targeted Cisco devices to deliver two custom-built backdoors by exploiting zero-day flaws to target the perimeter of government networks within a global cyber-espionage campaign.
Patch Now & Mitigate Further Cisco Vuln Risk Cisco Nexus switches are prevalent in enterprise environments, especially within data centers, and aren't typically exposed to the Internet.
Gaining valid admin-level credentials and network access to those devices is an attractive proposition for advanced persistent threats like Velvet Ant, which tend to target unguarded switches and other network appliances to achieve persistence and execute commands during cyberattacks, according to Sygnia.
That means affected organizations should follow Cisco's instructions for patching any vulnerable devices present on a network.
Organizations can use Cisco's Software Checker to see if their environments are vulnerable.
These recommendations include restricting administrator access to network equipment by using a privileged access management solution or a dedicated, hardened, jump server with multifactor authentication enforced.
Organizations also can use central authentication, authorization, and accounting management for users to help streamline and enhance security, especially in environments with numerous switches.
Network administrators also should restrict switches from initiating outbound connections to the Internet to reduce the risk of them being exploited by external threats, or used to communicate with malicious actors.
Finally, as a general rule, organizations also should enforce a strong password policy and maintain good password hygiene so passwords don't fall into the wrong hands, according to Sygnia, as well as maintain regular patch schedules to update devices and avoid leaving them vulnerable.
This Cyber News was published on www.darkreading.com. Publication date: Tue, 02 Jul 2024 13:20:06 +0000