July 2, 2024 at 09:22AM
Cisco has patched a command-line injection flaw (CVE-2024-20399, CVSS 6.0) in its NX-OS software, used for managing switches in data centers. The flaw can allow authenticated attackers to execute arbitrary commands as root. It has been exploited by the China-backed threat group Velvet Ant. Cisco has released updates to patch the affected devices.
Key takeaways:
1. Cisco has recently patched a command-line injection flaw (CVE-2024-20399, CVSS 6.0) in its NX-OS software, which had been exploited by the China-backed threat group known as Velvet Ant.
2. The vulnerability allows authenticated attackers to execute arbitrary commands as root on the underlying operating system of affected devices. It lies in the Cisco NX-OS Software command-line interface (CLI), which is used for troubleshooting and maintenance operations on NX-OS-enabled devices.
3. The flaw affects several Cisco devices, including MDS 9000 Series Multilayer Switches, Nexus series switches, and others. Cisco has already released updates to patch the flaw in these devices.
4. Velvet Ant exploited the flaw to deploy custom malware that allowed the group to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on them.
5. Organizations are advised to prioritize patching the vulnerability, despite its medium severity rating, because it is being exploited by threat actors.
6. Security best practices recommended by Sygnia include restricting administrator access to network equipment, employing privileged access management (PAM) solutions, enforcing strong password policies, and maintaining regular patch schedules to update devices.
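Because exploitation requires valid administrator credentials, the practical detection opportunity is in the CLI accounting trail: admin logins from outside the management network (or outside the PAM jump hosts) and admin sessions that drop to the underlying OS shell. The following Python script is an added example, not code from the article, Cisco, or Sygnia. It assumes a simplified accounting-line shape (constructed for the example; real NX-OS accounting output differs, so `LINE_RE` must be adapted), and the admin user set, management network and shell-escape command list are placeholder policy values.

```python
import ipaddress
import re

# Constructed accounting-log shape used by this example (NOT Cisco's exact
# format; adapt LINE_RE to what your NX-OS devices / syslog collector emit):
#   <timestamp>:type=<start|update|stop>:id=<src-ip>@<tty>:user=<name>:cmd=<command>
LINE_RE = re.compile(
    r"^(?P<ts>.+?):type=(?P<type>start|update|stop)"
    r":id=(?P<src>[0-9a-fA-F.:]+)@(?P<tty>[^:]+)"
    r":user=(?P<user>[^:]+):cmd=(?P<cmd>.*)$"
)

# Assumed policy inputs (placeholders; replace with your own values).
ADMIN_USERS = {"admin"}                                      # accounts with network-admin rights
ALLOWED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]  # PAM jump hosts / management VLAN
SHELL_COMMANDS = ("run bash",)                               # CLI commands that reach the underlying OS

# Constructed sample accounting lines for the demonstration.
SAMPLE_LOG = """\
2024-07-01T09:58:12Z:type=start:id=10.10.0.5@pts/0:user=netops:cmd=
2024-07-01T09:58:20Z:type=update:id=10.10.0.5@pts/0:user=netops:cmd=show version
2024-07-01T10:02:41Z:type=start:id=198.51.100.23@pts/1:user=admin:cmd=
2024-07-01T10:02:50Z:type=update:id=198.51.100.23@pts/1:user=admin:cmd=show running-config
2024-07-01T10:03:05Z:type=update:id=198.51.100.23@pts/1:user=admin:cmd=run bash
2024-07-01T10:04:00Z:type=stop:id=198.51.100.23@pts/1:user=admin:cmd=
"""


def parse_accounting(text: str) -> list[dict]:
    """Parse accounting lines into dicts; lines that do not match the shape are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def _in_allowed_net(src: str, nets) -> bool:
    """True if src parses as an IP address inside one of the allowed networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source: treat as not allowed
    return any(addr in net for net in nets)


def audit_admin_activity(records, admin_users=ADMIN_USERS,
                         allowed_nets=ALLOWED_MGMT_NETS,
                         shell_commands=SHELL_COMMANDS) -> list[tuple[str, str, str, str]]:
    """Return (timestamp, user, source, reason) findings for privileged activity worth review."""
    findings = []
    for r in records:
        if r["user"] not in admin_users:
            continue  # only privileged accounts are in scope for this check
        if r["type"] == "start" and not _in_allowed_net(r["src"], allowed_nets):
            findings.append((r["ts"], r["user"], r["src"],
                             "admin login from outside management network"))
        cmd = r["cmd"].strip()
        if r["type"] == "update" and any(cmd == s or cmd.startswith(s + " ") for s in shell_commands):
            findings.append((r["ts"], r["user"], r["src"],
                             f"underlying-OS shell invoked: {cmd}"))
    return findings


if __name__ == "__main__":
    for finding in audit_admin_activity(parse_accounting(SAMPLE_LOG)):
        print(" | ".join(finding))
```

Run against the constructed sample, the script reports two findings for the `admin` session from 198.51.100.23: the login from outside the allowed management network and the shell escape; the `netops` session from inside the management network produces none. Feeding it the real accounting export and the actual jump-host addresses turns it into a cheap daily check that complements the access restriction and PAM controls listed above.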