Cisco NX-OS Software Vulnerability: Arbitrary Command Execution as Root
CVE-2024-20399

CVSS 3.1 base score: 6.0 (MEDIUM)

Key Information:

Vendor: Cisco
CVE Published: 1 July 2024

Badges

💰 Ransomware · 👾 Exploit Exists · 🟡 Public PoC · 🦅 CISA Reported · 📰 News Worthy

What is CVE-2024-20399?

CVE-2024-20399 is a command injection vulnerability in the command-line interface of Cisco NX-OS Software. An authenticated, local attacker who already holds Administrator credentials on the device can pass crafted arguments to affected configuration CLI commands and execute arbitrary commands as root on the underlying operating system. Cisco rates it CVSS 6.0 (Medium); the modest score reflects the high privileges required, not the impact, which is full root on the switch. Sygnia reported that the China-linked espionage group Velvet Ant exploited it as a zero-day against Nexus devices for network espionage. A wide range of Cisco Nexus products is affected. Cisco has released fixed software and urges administrators to apply it promptly. Note that the attack vector is Local, not remote: the attacker must first obtain valid administrator credentials or an existing admin session on the device. Once they have that, successful exploitation turns admin CLI access into root-level code execution on the switch, a foothold for further movement through the network and for data theft.
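Because exploitation requires an administrator issuing CLI commands, the practical detection is to review NX-OS command accounting for admin sessions whose configuration arguments carry shell metacharacters, or that deliberately drop to the underlying shell. The following Python script is an added example, not code from this page, from Cisco or from Sygnia. It assumes an approximation of the `show accounting log` line layout, uses constructed sample lines, and treats its indicator lists as a generic heuristic rather than a published signature for this CVE; the backtick string in the sample is a generic command-injection illustration, not the vector the advisory describes.

```python
"""Flag suspicious administrator CLI activity in Cisco NX-OS accounting-log lines.

Added example for this page; it is not code from the tracker, from Cisco or from
Sygnia. Assumptions: the accounting-log layout below is an approximation of what
`show accounting log` prints, the sample lines are constructed, and the indicator
lists are a generic heuristic, not a published signature for CVE-2024-20399.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional

# Assumed line layout (approximation of NX-OS accounting-log entries):
#   <timestamp>:type=<start|stop|update>:id=<src>@<tty>:user=<name>:cmd=<cli> (<RESULT>)
LINE_RE = re.compile(
    r"^(?P<ts>.+?):type=(?P<type>\w+):id=(?P<src>[^:]+):user=(?P<user>[^:]+)"
    r":cmd=(?P<cmd>.*?)\s*\((?P<result>\w+)\)\s*$"
)

# Tokens that have no business inside a configuration-command argument but are
# meaningful to a Unix shell. '|' is handled separately because NX-OS show
# pipelines ("show run | include ...") use it legitimately.
SHELL_METACHARS = ("`", "$(", "&&", "||", ">", "<")

# Commands that deliberately leave the NX-OS CLI for the underlying Linux.
SHELL_ACCESS_PREFIXES = ("run bash", "run guestshell", "feature bash-shell")


@dataclass
class Finding:
    ts: str
    user: str
    src: str
    command: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one accounting-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def suspicious_subcommands(cmd: str) -> Iterator[tuple]:
    """Yield (sub-command, reason) for each suspicious piece of a cmd field.

    NX-OS records a command sequence as pieces joined by ' ; ', so splitting on
    that keeps a mode change such as 'configure terminal' separate from the
    command and argument that follow it.
    """
    for piece in cmd.split(" ; "):
        sub = piece.strip()
        low = sub.lower()
        if any(low.startswith(p) for p in SHELL_ACCESS_PREFIXES):
            yield sub, "explicit shell access"
            continue
        if "|" in sub and not low.startswith("show"):
            yield sub, "pipe in a non-show command"
            continue
        for tok in SHELL_METACHARS:
            if tok in sub:
                yield sub, f"shell metacharacter {tok!r} in command argument"
                break


def scan(lines: Iterable[str]) -> list:
    """Scan accounting-log lines and return a Finding for each suspicious command."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["type"] != "update":
            continue  # session start/stop markers and unparseable lines carry no command
        for sub, reason in suspicious_subcommands(rec["cmd"]):
            findings.append(Finding(rec["ts"], rec["user"], rec["src"], sub, reason))
    return findings


# Constructed sample log: an admin session does routine work, then embeds a
# backtick substitution in a hostname argument and drops to a bash shell.
# The backtick string is a generic command-injection illustration, not the
# CVE-2024-20399 vector, which the advisory does not spell out.
SAMPLE_LOG = """\
Mon Jul  1 10:12:03 2024:type=start:id=10.0.0.5@pts/0:user=admin:cmd=
Mon Jul  1 10:12:10 2024:type=update:id=10.0.0.5@pts/0:user=admin:cmd=show version (SUCCESS)
Mon Jul  1 10:12:20 2024:type=update:id=10.0.0.5@pts/0:user=admin:cmd=show running-config | include hostname (SUCCESS)
Mon Jul  1 10:13:01 2024:type=update:id=10.0.0.5@pts/0:user=admin:cmd=configure terminal ; hostname core-sw1 (SUCCESS)
Mon Jul  1 10:14:42 2024:type=update:id=10.0.0.5@pts/0:user=admin:cmd=configure terminal ; hostname core-sw1`id>/tmp/o` (SUCCESS)
Mon Jul  1 10:15:09 2024:type=update:id=10.0.0.5@pts/0:user=admin:cmd=run bash (SUCCESS)
Mon Jul  1 10:15:30 2024:type=update:id=10.0.0.5@pts/0:user=admin:cmd=show ip route (FAILURE)
"""


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} user={f.user} from={f.src}: {f.reason}: {f.command}")
```

Feed it the output of `show accounting log` from each switch, or the same records once they are forwarded to a syslog collector. It complements Cisco's own advice in the advisory to monitor use of the network-admin and vdc-admin credentials: the finding carries the source address and tty, so an admin command with a shell metacharacter coming from an unexpected host is the thing to chase first. The heuristics are deliberately narrow; tune the metacharacter list against your own accounting history before alerting on it.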

CISA has reported CVE-2024-20399

CISA provides regional cyber and physical services to support security and resilience across the United States. It tracks the most dangerous vulnerabilities in its Known Exploited Vulnerabilities (KEV) catalog and has listed CVE-2024-20399 as exploited in the wild, but it is not known to CISA to be used in ransomware campaigns. That status can change as new reporting emerges.

CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

The releases listed here are a partial extract; Cisco's advisory and its Software Checker give the full set of affected and fixed releases for each Nexus and MDS platform.

Cisco NX-OS Software 8.2(5)

Cisco NX-OS Software 7.3(6)N1(1a)

Cisco NX-OS Software 7.3(5)D1(1)

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that a vulnerability can be exploited, and it is also a key building block for weaponization, which can lead to ransomware. For this CVE a PoC is only useful to someone who already holds administrator credentials on the device, so its value to an attacker is post-compromise: turning admin CLI access into persistent root on the underlying operating system of the switch.

News Articles

China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade

Sygnia says Velvet Ant modified Linux PAM and OpenSSH components to steal credentials and maintain stealthy access since 2016.

Hackers target recently disclosed LiteSpeed Cache vulnerability.

Halliburton sustains cyberattack. Chinese threat actor exploited Cisco zero-day.

Zero-day Cisco switch bug being exploited by cyber actors

The flaw, tracked as CVE-2024-20399 with a CVSS score of 6.0, allows attackers with valid admin credentials to bypass the NX-OS command line interface and execute arbitrary commands on the underlying Linux OS.

CVSS V3.1

Score: 6.0
Severity: MEDIUM
Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • 🟡 Public PoC available
  • 💰 Used in Ransomware
  • 👾 Exploit known to exist
  • 🦅 CISA Reported
  • 📰 First article discovered by SecurityWeek
  • Vulnerability published
  • Vulnerability Reserved
