Security Advisory: Critical Zero-Day Vulnerability in Cisco NX-OS Exploited by Velvet Ant Group

The cyber espionage group known as Velvet Ant, which is associated with China, is actively exploiting a zero-day vulnerability in Cisco NX-OS Software used in its switches. This vulnerability, tracked as CVE-2024-20399 (CVSS score: 6.0), allows authenticated, local attackers to execute arbitrary commands as root on affected devices. The exploitation of this flaw enables Velvet Ant to deploy custom malware, allowing remote connectivity to compromised devices, upload additional files, and execute code.

Critical Zero-Day Vulnerability in Cisco NX-OS Exploited by Velvet Ant Group Technical Overview

• CVE-2024-20399: This vulnerability is a command injection flaw that arises from insufficient validation of arguments passed to specific configuration CLI commands in Cisco NX-OS Software. Exploitation requires the attacker to have administrator credentials and access to configuration commands.
• Affected Devices:
  • MDS 9000 Series Multilayer Switches
  • Nexus 3000 Series Switches
  • Nexus 5500 Platform Switches
  • Nexus 5600 Platform Switches
  • Nexus 6000 Series Switches
  • Nexus 7000 Series Switches
  • Nexus 9000 Series Switches in standalone NX-OS mode

Exploitation Impact:

• Remote Code Execution: Allows an attacker with administrator privileges to execute commands as root without triggering system syslog messages, effectively hiding their activities.
• Malware Deployment: Velvet Ant has used this vulnerability to deploy a custom malware that facilitates remote access and further exploits.

Background:

Velvet Ant has a history of targeting organizations, notably an unnamed East Asian organization, using outdated F5 BIG-IP appliances to steal customer and financial information over the past three years.

What We Suggest for the Critical Zero-Day Vulnerability in Cisco NX-OS Exploited by Velvet Ant Group Security Advisory

• Immediate Update:
  • Patch Affected Systems: Apply the latest software updates provided by Cisco to mitigate CVE-2024-20399. Refer to Cisco’s Security Advisory for detailed guidance on the affected products and fixed software versions.
• Credential Management:
  • Review and Rotate Credentials: Regularly update and monitor administrative credentials (network-admin and vdc-admin) to prevent unauthorized access.
  • Limit Access: Ensure that only necessary personnel have administrator privileges.
• Enhanced Monitoring:
  • Log Forwarding: Configure network appliances to forward logs to a centralized logging system for better visibility and monitoring.
  • Intrusion Detection: Implement intrusion detection systems to monitor and alert on suspicious activities, particularly around administrative command execution.