No rest for the wiry as Cisco Nexus switches flip out over latest zero-day

Command injection bug being abused by suspected Chinese spies – patch up

Cisco switch owners should probably apply the patch that just dropped for a vulnerability that was exploited in April as a zero-day to install malware on an array of its Nexus switches.

On paper, CVE-2024-20399 doesn't seem like the worst thing in the world. It is a command injection bug, typically a serious issue, but it has only a moderate severity rating of 6.0. So it might not come as a surprise that the regreSSHion vulnerability we covered yesterday got more attention from infosec pros, despite being disclosed the same day.

The vulnerability was found by researchers at Sygnia who reported it to Cisco and the pair disclosed the bug together on Monday. Sygnia found the vulnerability as part of a wider look at Velvet Ant, a group it has been tracking for a while and believes to have ties to Beijing. However, Cisco did not make a specific attribution.

Cisco says this vulnerability lies in the CLI of Cisco NX-OS, the operating system for its Nexus-series switches, and allows authenticated, local attackers to execute arbitrary commands as root.

"This vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands," said Cisco in its advisory. "An attacker could exploit this vulnerability by including crafted input as the argument of an affected configuration CLI command."

Granted, to be successful an attacker must have admin privileges, which makes the vulnerability considerably less exploitable, but as shown by Velvet Ant, it's definitely possible and can lead to the deployment of some nasty malware.

Sygnia uncovered the vulnerability after spotting successful exploits of CVE-2024-20399 in April. Velvet Ant was able to exploit it as a zero-day in April and use it to drop some remote access malware onto the switch, which was used to upload additional files and execute code, neither of which Sygnia detailed at all.

While neither Sygnia nor Cisco described the kind of malware used in the attack, the researchers' separate blog looked at Velvet Ant activity more generally, potentially offering some insight into its typical ways of working.

Published in June, Sygnia's other blog noted that the group dropped ShadowPad and PlugX malware families in their attacks. PlugX has been used by China-nexus groups since 2008, Sygnia said, but ShadowPad is a newer tool on the scene, first cropping up in 2015.

PlugX is just a simple remote access trojan (RAT), while ShadowPad is a powerful malware platform that allows users to purchase additional modules. It has underpinned the operations behind the supply chain attacks on CCleaner, ASUS, and NetSarang, so says security shop SentinelOne.

In the single attack Sygnia analyzed, the researchers said the espionage-focused attackers targeted network devices, were "extremely persistent," and remained inside the network for roughly three years despite "several" attempts to remove them during that time.

If one foothold was closed off, the attackers repeatedly found others. In one case, they used an internet-exposed legacy F5 BIG-IP box for their internal C2, but they had many more up their sleeves.

Get fixy

At the time of writing, Cisco's advisory lists the following products as being affected by CVE-2024-20399, should they be running a vulnerable version of NX-OS:

  • MDS 9000 series multilayer switches

  • Nexus 3000 series switches

  • Nexus 5500 platform switches 

  • Nexus 5600 platform switches 

  • Nexus 6000 series switches 

  • Nexus 7000 series switches 

  • Nexus 9000 series switches in standalone NX-OS mode

Patches are out now and should be applied at the earliest convenience, despite the significant blockades to successful exploitation.

As already mentioned, an attacker would need to get hold of some admin credentials, which wouldn't be the easiest task but could feasibly be carried out by a master phisher or by utilizing the bountiful data broker marketplace.

It's likely that an attacker would also need to exploit another vulnerability to get an initial foothold on the device, since CVE-2024-20399 is only exploitable remotely and Nexus-series switches aren't often exposed to the internet anyway.

"Despite the substantial pre-requisites for exploiting the discussed vulnerability, this incident demonstrates the tendency of sophisticated threat groups to leverage network appliances – which are often not sufficiently protected and monitored – to maintain persistent network access," said Sygnia.

"The incident also underscores the critical importance of adhering to security best practices as a mitigation against this type of threat." ®

More about


Send us news

Other stories you might like