[CDP-development] TLP: Green (Zero-Day): CVE-2024-20399 - Cisco NX-OS Command Injection Vulnerability
CSS Security Operations Services * DAS
css-soc-services at das.oregon.gov
Wed Jul 3 08:29:10 PDT 2024
Good morning,
The SOC Services team is reporting on the vulnerability: CVE-2024-20399: Cisco NX-OS Command Injection Vulnerability. Due to its high visibility and its listing on CISA's Known Exploited Vulnerability database, we are providing this in-depth information:
History: On July 1, 2024, CVE-2024-20399: Cisco NX-OS Command Injection Vulnerability was released by the National Vulnerability Database (NVD). The vulnerability is currently assigned a CVSSv3 score of 6.7 (medium). Additionally, this vulnerability was released by CISA through its Known Exploited Vulnerability Catalog on July 2, 2024.
Affected Versions:
* MDS 9000 Series Multilayer Switches (CSCwj97007<https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwj97007>)
* Nexus 3000 Series Switches (CSCwj97009<https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwj97009>)
* Nexus 5500 Platform Switches (CSCwj97011<https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwj97011>)
* Nexus 5600 Platform Switches (CSCwj97011<https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwj97011>)
* Nexus 6000 Series Switches (CSCwj97011<https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwj97011>)
* Nexus 7000 Series Switches (CSCwj94682<https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwj94682>)
* Nexus 9000 Series Switches in standalone NX-OS mode (CSCwj97009<https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwj97009>)
Fixed Versions:
* Cisco recommends using their Cisco Software Checker tool to determine fixed versions of the NX-OS software for specific combinations of models and software releases. This tool can be found at https://sec.cloudapps.cisco.com/security/center/softwarechecker.x
Further information is available from Cisco as published in their Security Advisory:
* https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-cmd-injection-xD9OhyOP
Intelligence: As of June 2, 2024, the vulnerability has been confirmed as being exploited in the wild. The Chinese threat group known as Velvet Ant exploited a zero-day vulnerability, tracked as CVE-2024-20399, in Cisco NX-OS Software. According to Sygnia's July 1, 2024 report, CVE-2024-20399 allowed attackers with administrator credentials to bypass security checks and execute commands on the underlying Linux operating system of Nexus switches.
Workarounds: At this time there are no workarounds.
How it works: This vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands. An attacker could exploit this vulnerability by including crafted input as the argument of an affected configuration CLI command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of root.
Post-Exploit: Successful exploitation could allow an authenticated local attacker to execute arbitrary commands as root on the underlying operating system of an affected device.
As of July 1, 2024, the following vulnerability plugin has been released and is currently in Tenable Security Center:
* Plugin: 201218<https://www.tenable.com/plugins/nessus/201218>
* Title: Cisco NX-OS Software CLI Comm Injection (cisco-sa-nxos-cmd-injection-xD9OhyOP)
* Severity: Medium
Recommended Actions:
* Verify that the host has not been compromised before applying patches.
* Apply appropriate updates provided by vendor to vulnerable systems immediately after appropriate testing.
* Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
* Apply the Principle of Least Privilege to all systems and services.
Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable and secure state technology systems that equitably serve Oregonians."
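
Added example (not part of the original advisory, and not Cisco's or the SOC's code): a defensive review aid for the "How it works" and "Verify that the host has not been compromised" points above. It flags configuration-mode commands whose arguments contain shell metacharacters in command-accounting records. The log layout, the `example-command` name and all sample lines are constructed assumptions; the page does not name the affected command.

```python
import re

# Constructed sample lines. The colon-delimited layout (timestamp:type:id:user:cmd)
# is an ASSUMED command-accounting format; adapt LINE to what your switches or
# TACACS+/syslog collector actually record. "example-command" is a placeholder.
SAMPLE_LOG = """\
Mon Jul  1 09:12:03 2024:type=update:id=192.0.2.10@pts/0:user=netops:cmd=configure terminal ; interface Ethernet1/1 ; description uplink-to-core (SUCCESS)
Mon Jul  1 09:14:47 2024:type=update:id=192.0.2.10@pts/0:user=netops:cmd=configure terminal ; example-command name $(echo test) (SUCCESS)
Mon Jul  1 09:15:02 2024:type=update:id=192.0.2.44@pts/1:user=admin:cmd=configure terminal ; example-command name a`echo test`b (SUCCESS)
Mon Jul  1 09:20:31 2024:type=update:id=192.0.2.10@pts/0:user=netops:cmd=configure terminal ; hostname edge-sw01 (SUCCESS)
"""

LINE = re.compile(
    r"^(?P<ts>.+?):type=(?P<type>\w+):id=(?P<id>[^:]+):user=(?P<user>[^:]+)"
    r":cmd=(?P<cmd>.*?)(?: \((?P<status>\w+)\))?$"
)
# Characters a shell treats specially: backtick, $( or ${, and ; | & < >
SHELL_META = re.compile(r"`|\$[({]|[;|&<>]")


def suspicious_config_args(log_text):
    """Return (timestamp, user, source, segment) for each configuration-mode
    command segment whose arguments contain shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        # " ; " (with spaces) separates nested config commands in this layout
        segments = [s.strip() for s in m["cmd"].split(" ; ")]
        if not segments[0].startswith("conf"):
            continue  # only configuration-mode sessions are in scope
        for seg in segments[1:]:
            _verb, _, args = seg.partition(" ")
            if SHELL_META.search(args):
                hits.append((m["ts"], m["user"], m["id"], seg))
    return hits


if __name__ == "__main__":
    for ts, user, src, seg in suspicious_config_args(SAMPLE_LOG):
        print(f"{ts}  user={user}  from={src}  -> {seg}")
```

Hits are leads for review, not proof of compromise: free-text arguments such as interface descriptions can legitimately contain `&` or `<`.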