CVE-2024-20399
Published: 01 July 2024
Summary
CVE-2024-20399 is a medium-severity OS Command Injection (CWE-78) vulnerability in Cisco NX-OS. Its CVSS 3.1 base score is 6.0 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Device CLI (T1059.008). The CVE ranks in the top 28.4% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Deeper analysis
A vulnerability in the CLI of Cisco NX-OS Software allows an authenticated user possessing Administrator credentials to execute arbitrary commands as root on the underlying operating system. The issue stems from insufficient validation of arguments supplied to specific configuration CLI commands and is tracked as CWE-78. It affects multiple Cisco Nexus switch platforms running vulnerable NX-OS releases. Three platforms are an exception in practice: Nexus 3000 Series, Nexus 7000 Series running NX-OS 8.1(1) or later, and Nexus 9000 Series in standalone NX-OS mode already permit administrative users to reach the underlying OS via the bash-shell feature, so on those devices the flaw grants no additional capability. The CVSS 3.1 base score is 6.0 with the vector AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N.
An attacker must already hold Administrator credentials on an affected device. By supplying crafted input to an impacted configuration command, the attacker can run arbitrary commands on the host OS with root privileges. On devices that do not expose the bash-shell feature by default, this constitutes an escalation from CLI-restricted administrative access to full root control of the underlying system.
The Cisco Security Advisory cisco-sa-nxos-cmd-injection-xD9OhyOP describes the vulnerability and provides fixed software releases. CISA has added the CVE to its Known Exploited Vulnerabilities catalog, indicating confirmed in-the-wild use.
Public reporting attributes exploitation of the issue to the China-nexus threat group Velvet Ant. The EPSS score rose from a low baseline to a peak of 0.0225 on 2024-07-03 shortly after disclosure before receding to the current value of 0.0066, indicating a transient increase in observed exploitation interest following publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-18114
Vulnerability details
A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated user in possession of Administrator credentials to execute arbitrary commands as root on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands. An attacker could exploit this vulnerability by including crafted input as the argument of an affected configuration CLI command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of root.
Note: To successfully exploit this vulnerability on a Cisco NX-OS device, an attacker must have Administrator credentials. The following Cisco devices already allow administrative users to access the underlying operating system through the bash-shell feature, so, for these devices, this vulnerability does not grant any additional privileges:
- Nexus 3000 Series Switches
- Nexus 7000 Series Switches that are running Cisco NX-OS Software releases 8.1(1) and later
- Nexus 9000 Series Switches in standalone NX-OS mode
- CWE(s): CWE-78 (OS Command Injection)
- KEV Date Added: 02 July 2024
Related Threats
Threat-Actor Attribution
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2024-20399 enables authenticated admins to inject crafted arguments into NX-OS CLI commands for arbitrary root command execution on the underlying Linux OS, facilitating Network Device CLI abuse (T1059.008), Unix Shell execution (T1059.004), and privilege escalation from admin to root (T1068).
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly counters the insufficient argument validation (CWE-78) in CLI commands that permits crafted input to achieve root command execution.
- AC-6 (Least Privilege): Limits the privileges granted to Administrator accounts so that even successful exploitation cannot yield unrestricted root access on the underlying OS.
- Least functionality: Restricts available CLI commands and features to only those required, reducing the attack surface of vulnerable configuration commands on affected NX-OS devices.