Cisco has patched a critical zero-day vulnerability in its NX-OS software. The patched Cisco zero-day vulnerability was exploited in April attacks to install previously unknown malware as root on vulnerable switches. The cybersecurity firm Sygnia, which reported the incidents to Cisco, attributed the attacks to a Chinese state-sponsored threat actor it tracks as Velvet Ant. "The vulnerability was identified as part of a larger forensic investigation performed by Sygnia of a China-nexus cyber espionage operation that was conducted by a threat actor Sygnia dubs as ‘Velvet Ant’," reads Sygnia's official statement.

Cisco Zero-Day Vulnerability Overview

The patched Cisco zero-day vulnerability, identified as CVE-2024-20399, is a command injection flaw in the Cisco NX-OS Software Command Line Interface (CLI). This vulnerability affects a wide range of Cisco Nexus devices. On July 1, Cisco published an advisory detailing the nature and scope of the vulnerability, which allows attackers with valid administrator credentials to execute arbitrary commands on the underlying Linux operating system of the affected devices. "Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability," reads Cisco's official statement. Sygnia discovered this vulnerability during a forensic investigation of a China-nexus cyber espionage operation conducted by Velvet Ant. The investigation revealed that the threat actor had exploited the zero-day vulnerability to execute malicious code on the underlying OS of the Nexus switches. Velvet Ant's exploitation of CVE-2024-20399 enabled the execution of custom malware on compromised Cisco Nexus devices. This malware facilitated remote connections to the devices, allowing the attackers to upload additional files and execute further code. Network appliances, particularly switches, often go unmonitored, and their logs are rarely forwarded to a centralized logging system, making it challenging to detect and investigate such malicious activities. "This exploitation led to the execution of a previously unknown custom malware that allowed the threat group to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on the devices," informed Sygnia.

Background on Cisco NX-OS

Cisco NX-OS Software is a network operating system used for Cisco’s Nexus series of switches. Although NX-OS is based on a Linux kernel, it abstracts the underlying Linux environment and provides its own set of commands via the NX-OS CLI. To execute commands on the underlying Linux OS from the switch management console, an attacker would need a "jailbreak" type of vulnerability to escape the NX-OS CLI context. The newly identified vulnerability allows attackers with administrator-level access to the Switch management console to escape the NX-OS CLI and execute arbitrary commands on the underlying Linux OS.

Impact and Risk Assessment

Cisco Nexus switches are widely deployed in enterprise environments, particularly in data centers. Exploiting the identified vulnerability requires the threat group to possess valid administrator-level credentials and have network access to the Nexus switch. Given that most Nexus switches are not directly exposed to the internet, attackers must first achieve initial access to an organization’s internal network to exploit this vulnerability. This reduces the overall risk to organizations, but the incident highlights the importance of monitoring and protecting network appliances.

Mitigation Strategies

Cisco has released software updates to address the vulnerability described in the advisory. Updating affected devices is the primary mitigation strategy. However, when software updates are not immediately available, it is crucial to adopt security best practices to prevent unauthorized access and mitigate potential exploitation. These practices include:

1. Restrict Administrative Access: Utilize Privileged Access Management (PAM) solutions or dedicated, hardened jump servers with multi-factor authentication (MFA) to restrict access to network equipment. If these options are not feasible, restrict access to specific network addresses.
2. Centralize Authentication, Authorization, and Accounting Management (AAA): Use TACACS+ and systems like Cisco ISE to streamline and enhance security. Centralized user management simplifies monitoring, password rotation, and access reviews, and allows for quick remediation in case of a compromise.
3. Enforce Strong Password Policies: Ensure that administrative users have complex, securely stored passwords. Use Privileged Identity Management (PIM) solutions to auto-rotate administrative account passwords or employ a password vault with restricted access.
4. Restrict Outbound Internet Access: Implement strict firewall rules and access control lists (ACLs) to prevent switches from initiating outbound connections to the internet.
5. Implement Regular Patch and Vulnerability Management: Regularly review and apply patches to all network devices. Use automated tools to identify and prioritize vulnerabilities.

"When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers," urges Cisco.

Monitoring and Detection

Enhancing visibility and forwarding logs to a central logging solution are crucial steps in identifying malicious activities on network devices. Organizations should:

• Enable Syslog on all switches to send log data to a centralized server.
• Integrate switch logs with a Security Information and Event Management (SIEM) system to correlate events and detect anomalies.
• Configure alerts to identify suspicious activities, such as unauthorized SSH connections.
• Regularly analyze network traffic for anomalies associated with Cisco switches, focusing on management ports like SSH and Telnet.

The exploitation of CVE-2024-20399 by Velvet Ant highlights the persistent and evolving threats posed by state-sponsored cyber actors.  Cisco’s timely patching of the vulnerability and Sygnia’s detailed forensic investigation provide crucial insights into mitigating such threats.