No rest for the nerves as Cisco Nexus switches flip over latest zero-day

Owners of Cisco switches should apply the patch Cisco released this week for a vulnerability that was exploited as a zero-day in April to install malware on a number of Cisco Nexus switches.

On paper, CVE-2024-20399 doesn't look like the worst thing in the world. It's a command injection bug, which is usually a serious problem, but it carries a CVSS base score of only 6.0 (Medium). So it should come as no surprise that the regreSSHion vulnerability we discussed yesterday received more attention from infosec professionals, despite being disclosed the same day.

The vulnerability was discovered by researchers at Sygnia who reported it to Cisco, and the pair jointly disclosed the bug on Monday. Sygnia discovered the vulnerability as part of a broader look at Velvet Ant, a group it has been tracking for some time and believes has ties to Beijing. Cisco did not provide specific attribution, however.

According to Cisco, this vulnerability resides in the CLI of Cisco NX-OS, the operating system for the Nexus series of switches, and could allow authenticated, local attackers to execute arbitrary commands as root.

“This vulnerability exists due to insufficient validation of arguments passed to specific configuration CLI commands,” Cisco said in its advisory. “An attacker could exploit this vulnerability by including crafted input as an argument to an affected configuration CLI command.”

Granted, to be successful, an attacker would need to have administrative privileges, making the vulnerability significantly harder to exploit. But as Velvet Ant shows, it is certainly possible and can lead to the deployment of nasty malware.
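To make the bug class concrete, here is an added illustration, written for this article and not code from Cisco, Sygnia or NX-OS, of a hypothetical configuration-command handler that hands an operator-supplied argument to the underlying OS. The vulnerable version interpolates the argument into a shell string, so an authenticated admin who controls the argument runs whatever the shell parses out of it; the hardened version allowlists the argument and invokes the OS utility with an argv list and no shell. The command being wrapped (`echo`), the argument pattern and the function names are all assumptions for the demo:

```python
import re
import subprocess

# Hypothetical handler for a CLI "configuration command" that wraps an OS
# utility. `echo` stands in for whatever real utility such a command might
# call; on a switch the CLI daemon runs with enough privilege that an injected
# command would run as root, which is what Cisco describes for NX-OS.


def run_config_vulnerable(arg: str) -> str:
    """Vulnerable: the argument is pasted into a shell command string.

    /bin/sh honours metacharacters such as ';', '|', '$(...)' inside `arg`,
    so the operator is no longer limited to the command's intended behaviour.
    """
    cmd = "echo " + arg  # insufficient validation: arg is trusted verbatim
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


# Allowlist for the argument: only the characters the command legitimately
# needs (assumed here: alphanumerics, dot, underscore, dash, bounded length).
ARG_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def is_valid_arg(arg: str) -> bool:
    """True only if the argument matches the allowlist exactly."""
    return ARG_RE.fullmatch(arg) is not None


def run_argv_without_shell(arg: str) -> str:
    """Partial fix: no shell is involved, so metacharacters are passed
    through as literal text rather than interpreted."""
    out = subprocess.run(["echo", arg], shell=False,
                         capture_output=True, text=True)
    return out.stdout


def run_config_hardened(arg: str) -> str:
    """Hardened: reject anything outside the allowlist, then call the OS
    utility with an argv list so no shell ever parses the argument."""
    if not is_valid_arg(arg):
        raise ValueError(f"rejected argument: {arg!r}")
    return run_argv_without_shell(arg)


if __name__ == "__main__":
    payload = "ok; echo INJECTED"  # constructed malicious argument
    print("vulnerable:", repr(run_config_vulnerable(payload)))
    print("argv only: ", repr(run_argv_without_shell(payload)))
    try:
        run_config_hardened(payload)
    except ValueError as exc:
        print("hardened:   ", exc)
```

The argv-only variant alone already stops the shell from interpreting the injected text, but the allowlist is still worth keeping: the wrapped utility may have its own option parsing (a leading `-`, for instance) that an unrestricted argument could abuse.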

Sygnia found the vulnerability while investigating successful exploitation of it in April. Velvet Ant used the zero-day to drop remote access malware onto the switch, which then let the attackers connect to the device, upload additional files and execute code, though Sygnia did not provide further details.

While neither Sygnia nor Cisco detailed what malware was used in the attack, the researchers did examine Velvet Ant's activities more broadly in a separate blog post, which offers some insight into the group's typical modus operandi.

Published in June, Sygnia's other blog noted that the group deployed the ShadowPad and PlugX malware families in its attacks. PlugX has been used by China-nexus groups since 2008, Sygnia said, while ShadowPad is a newer tool on the scene, first appearing in 2015.

PlugX is a fairly simple remote access trojan (RAT), while ShadowPad is a powerful modular malware platform whose operators can acquire additional modules. It has supported the operations behind the supply chain attacks on CCleaner, ASUS and NetSarang, according to security vendor SentinelOne.

In one attack Sygnia analyzed, researchers said the espionage-focused attackers targeted network devices, were “extremely persistent,” and remained within the network for approximately three years despite “multiple” attempts to remove them during that time.

If one foothold was closed off, the attackers would repeatedly find others. In one case, they used an internet-exposed legacy F5 BIG-IP box for their internal C2, but they had many more up their sleeve.

Get fixed

At the time of writing, Cisco’s advisory lists the following products as affected by CVE-2024-20399, if they run a vulnerable version of NX-OS:

  • MDS 9000 Series Multilayer Switches

  • Nexus 3000 Series Switches

  • Nexus 5500 Platform Switches

  • Nexus 5600 Platform Switches

  • Nexus 6000 Series Switches

  • Nexus 7000 Series Switches

  • Nexus 9000 Series Switches in Standalone NX-OS Mode

Patches are now available and should be applied as soon as possible, even though an attacker faces significant roadblocks before the bug can be exploited successfully.

As mentioned earlier, an attacker would need to obtain admin credentials. This is not an easy task, but a skilled phisher, or a crew willing to buy what it needs on the abundant data broker marketplace, can manage it.

It is likely that an attacker would also need to exploit another vulnerability to reach the device in the first place, since CVE-2024-20399 can only be exploited locally, by someone who already has authenticated CLI access, and Nexus series switches are rarely exposed directly to the internet anyway.

“Despite the significant requirements for exploiting the discussed vulnerability, this incident demonstrates the tendency of advanced threat groups to use network devices – which are often not sufficiently protected and monitored – to maintain persistent network access,” Sygnia said.

“The incident also underscores the importance of following best security practices to protect against these types of threats.” ®
