VULNERA Pulse

Cisco — NX-OS

CVE-2024-20399 / Added: July 2, 2024

MEDIUM CVSS 6.70 EPSS Score 0.25 EPSS Percentile 65.55

Cisco NX-OS contains a command injection vulnerability in the command line interface (CLI) that could allow an authenticated, local attacker to execute commands as root on the underlying operating system of an affected device.

Headlines

• July 8, 2024 - CISA adds Cisco NX-OS Command Injection bug to its Known Exploited Vulnerabilities catalog
• July 7, 2024 - newsletter Round 479 by Pierluigi Paganini – INTERNATIONAL EDITION
• July 2, 2024 - Patch Now: Cisco Zero-Day Under Fire From Chinese APT
• July 2, 2024 - Cisco Patches Zero-Day Bug Used by Chinese Velvet Ant Group
• July 2, 2024 - China-linked APT exploited Cisco NX-OS zero-day to deploy custom malware
• July 2, 2024 - Chinese Hackers Exploiting Cisco Switches Zero-Day to Deliver Malware
• July 1, 2024 - Cisco warns of NX-OS zero-day exploited to deploy custom malware
• July 1, 2024 - CVE-2024-20399: Cisco NX-OS Zero-Day Vulnerability Under Active Attack

Back to top ↑

CVE-2024-2973

CRITICAL CVSS 10.00 EPSS Score 0.09 EPSS Percentile 39.30

Actively Exploited Remote Code Execution

Published: June 27, 2024

An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router or conductor running with a redundant peer allows a network based attacker to bypass authentication and take full control of the device. Only routers or conductors that are running in high-availability redundant configurations are affected by this vulnerability. No other Juniper Networks products or platforms are affected by this issue. This issue affects: Session Smart Router:  * All versions before 5.6.15,  * from 6.0 before 6.1.9-lts,  * from 6.2 before 6.2.5-sts. Session Smart Conductor:  * All versions before 5.6.15,  * from 6.0 before 6.1.9-lts,  * from 6.2 before 6.2.5-sts.  WAN Assurance Router:  * 6.0 versions before 6.1.9-lts,  * 6.2 versions before 6.2.5-sts.

Quotes

• Only Routers or Conductors that are running in high-availability redundant configurations are affected by this vulnerability
• An authentication bypass using an alternate path or channel vulnerability in Juniper Networks Session Smart Router or Conductor running with a redundant peer allows a network-based attacker to bypass authentication and take full control of the device
• An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router or Conductor running with a redundant peer allows a network-based attacker to bypass authentication and take full control of the device

Headlines

• July 1, 2024 - Juniper Rushes Out Emergency Patch for Critical Smart Router Flaw
• July 1, 2024 - Emergency patches now available for Juniper Networks routers
• July 1, 2024 - Juniper Networks fixed a critical authentication bypass flaw in some of its routers
• July 1, 2024 - Juniper Networks Releases Critical Security Update for Routers
• June 30, 2024 - Juniper releases out-of-cycle fix for max severity auth bypass flaw

CVE-2024-38366

CRITICAL CVSS 10.00 EPSS Score 0.04 EPSS Percentile 15.82

Remote Code Execution Public Exploits Available

Published: July 1, 2024

trunk.cocoapods.org is the authentication server for the CoacoaPods dependency manager. The part of trunk which verifies whether a user has a real email address on signup used a rfc-822 library which executes a shell command to validate the email domain MX records validity. It works via an DNS MX. This lookup could be manipulated to also execute a command on the trunk server, effectively giving root access to the server and the infrastructure. This issue was patched server-side with commit 001cc3a430e75a16307f5fd6cdff1363ad2f40f3 in September 2023. This RCE triggered a full user-session reset, as an attacker could have used this method to write to any Podspec in trunk.

Quotes

• The impact of this is enormous
• We found that the server will accept a spoofed XFH header and use it explicitly to construct a URL sent to the client for verifying the session
• Any malicious actor to claim ownership over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and macOS applications

Headlines

• July 2, 2024 - 'Almost every Apple device' vulnerable to CocoaPods
• July 1, 2024 - Critical Flaws in CocoaPods Expose iOS and macOS Apps to Supply Chain Attacks
• July 1, 2024 - Apple CocoaPods Bugs Expose Millions of Apps to Code Injection

CVE-2023-2071

CRITICAL CVSS 9.80 EPSS Score 0.07 EPSS Percentile 32.57

Remote Code Execution

Published: Sept. 12, 2023

Rockwell Automation FactoryTalk View Machine Edition on the PanelView Plus, improperly verifies user’s input, which allows unauthenticated attacker to achieve remote code executed via crafted malicious packets.  The device has the functionality, through a CIP class, to execute exported functions from libraries.  There is a routine that restricts it to execute specific functions from two dynamic link library files.  By using a CIP class, an attacker can upload a self-made library to the device which allows the attacker to bypass the security check and execute any code written in the function.

Vendor Impacted: Rockwellautomation

Products Impacted: Factorytalk View, Panelview Plus

Quotes

• The [remote code execution] vulnerability in PanelView Plus involves two custom classes that can be abused to upload and load a malicious DLL into the device
• A CIP node is modeled as a collection of Objects. (…) A Class is a set of Objects that all represent the same kind of system component. An Object Instance is the actual representation of a particular Object within a Class
• FactoryTalk View Machine Edition on the PanelView Plus, improperly verifies user’s input, which allows unauthenticated attacker to achieve remote code executed via crafted malicious packets.  The device has the functionality, through a CIP class, to execute exported functions from libraries.  There is a routine that restricts it to execute specific functions from two dynamic link library files

Headlines

• July 5, 2024 - Microsoft discloses 2 flaws in Rockwell Automation PanelView Plus
• July 4, 2024 - Microsoft Uncovers Critical Flaws in Rockwell Automation PanelView Plus
• July 3, 2024 - Microsoft Uncovers Major Flaws in Rockwell PanelView Plus
• July 2, 2024 - Vulnerabilities in PanelView Plus devices could lead to remote code execution |

CVE-2024-0769

CRITICAL CVSS 9.80 EPSS Score 0.21 EPSS Percentile 59.53

Actively Exploited Remote Code Execution

Published: Jan. 21, 2024

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in D-Link DIR-859 1.06B01. It has been rated as critical. Affected by this issue is some unknown functionality of the file /hedwig.cgi of the component HTTP POST Request Handler. The manipulation of the argument service with the input ../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-251666 is the identifier assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.

Vendor Impacted: Dlink

Products Impacted: Dir-859 Firmware, Dir-859

Quotes

• It is unclear at this time what the intended use of this disclosed information is, it should be noted that these devices will never receive a patch
• By exploiting this vulnerability, Velvet Ant successfully executed a previously unknown custom malware that allowed the threat group to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on the devices
• GreyNoise observed a slight variation in-the-wild which leverages the vulnerability to render a different PHP file to dump account names, passwords, groups, and descriptions for all users of the device. At the time of writing we are not aware of the motivations to disclose/collect this information and are actively monitoring it

Headlines

• July 2, 2024 - Chinese Hackers Exploiting Cisco Switches Zero-Day to Deliver Malware
• July 1, 2024 - Threat actors actively exploit D-Link DIR-859 router flaw
• June 29, 2024 - Hackers exploit critical D-Link DIR-859 router flaw to steal passwords

CVE-2024-38368

CRITICAL CVSS 9.30 EPSS Score 0.04 EPSS Percentile 15.77

Risk Context N/A

Published: July 1, 2024

trunk.cocoapods.org is the authentication server for the CoacoaPods dependency manager. A vulnerability affected older pods which migrated from the pre-2014 pull request workflow to trunk. If the pods had never been claimed then it was still possible to do so. It was also possible to have all owners removed from a pod, and that made the pod available for the same claiming system. This was patched server-side in commit 71be5440906b6bdfbc0bcc7f8a9fec33367ea0f4 in September 2023.

Quotes

• The impact of this is enormous
• We found that the server will accept a spoofed XFH header and use it explicitly to construct a URL sent to the client for verifying the session
• Any malicious actor to claim ownership over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and macOS applications

Headlines

• July 2, 2024 - 'Almost every Apple device' vulnerable to CocoaPods
• July 1, 2024 - Critical Flaws in CocoaPods Expose iOS and macOS Apps to Supply Chain Attacks
• July 1, 2024 - Apple CocoaPods Bugs Expose Millions of Apps to Code Injection

CVE-2024-38367

HIGH CVSS 8.20 EPSS Score 0.04 EPSS Percentile 15.77

Risk Context N/A

Published: July 1, 2024

trunk.cocoapods.org is the authentication server for the CoacoaPods dependency manager. Prior to commit d4fa66f49cedab449af9a56a21ab40697b9f7b97, the trunk sessions verification step could be manipulated for owner session hijacking Compromising a victim’s session will result in a full takeover of the CocoaPods trunk account. The threat actor could manipulate their pod specifications, disrupt the distribution of legitimate libraries, or cause widespread disruption within the CocoaPods ecosystem. This was patched server-side with commit d4fa66f49cedab449af9a56a21ab40697b9f7b97 in October 2023.

Quotes

• The impact of this is enormous
• We found that the server will accept a spoofed XFH header and use it explicitly to construct a URL sent to the client for verifying the session
• Any malicious actor to claim ownership over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and macOS applications

Headlines

• July 2, 2024 - 'Almost every Apple device' vulnerable to CocoaPods
• July 1, 2024 - Critical Flaws in CocoaPods Expose iOS and macOS Apps to Supply Chain Attacks
• July 1, 2024 - Apple CocoaPods Bugs Expose Millions of Apps to Code Injection

CVE-2024-6387

HIGH CVSS 8.10 EPSS Score 4.85 EPSS Percentile 92.81

Remote Code Execution Public Exploits Available

Published: July 1, 2024

A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead to sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.

Vendors Impacted: Redhat, Freebsd, Openbsd, Netbsd, Canonical, Netapp, Debian, Suse, Amazon

Products Impacted: Enterprise Linux Server Aus, Enterprise Linux For Arm 64 Eus, Enterprise Linux Eus, Linux 2023, Freebsd, Linux Enterprise Micro, Ontap Tools, Enterprise Linux For Ibm Z Systems Eus, Debian Linux, Openshift Container Platform, Ubuntu Linux, Enterprise Linux For Arm 64, Netbsd, Enterprise Linux, Enterprise Linux For Power Little Endian, Enterprise Linux For Ibm Z Systems, Ontap Select Deploy Administration Utility, Enterprise Linux For Power Little Endian Eus, E-Series Santricity Os Controller, Openssh

Quotes

• The vulnerability, which is a signal handler race condition in OpenSSH's server (sshd), allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems
• If a client does not authenticate within LoginGraceTime seconds (120 by default), then sshd's SIGALRM handler is called asynchronously and calls various functions that are not async-signal-safe
• This vulnerability, if exploited, could lead to full system compromise where an attacker can execute arbitrary code with the highest privileges, resulting in a complete system takeover, installation of malware, data manipulation, and the creation of backdoors for persistent access
• A critical vulnerability in sshd(8) was present in Portable OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may allow arbitrary code execution with root privileges. Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with ASLR. Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept. Exploitation on 64-bit systems is believed to be possible but has not been demonstrated at this time. It’s likely that these attacks will be improved upon

Headlines

• July 5, 2024 - Pseudo-exploit for CVE-2024-6387 aka regreSSHion
• July 4, 2024 - Cloud Software Group Security Advisory for CVE-2024-6387
• July 3, 2024 - Transatlantic Cable podcast, episode 354
• July 3, 2024 - CVE-2024-6387 Informational Bulletin: Impact of OpenSSH regreSSHion Vulnerability
• July 2, 2024 - CVE-2024-6387 aka regreSSHion – root cause, risks, mitigation
• July 1, 2024 - 'RegreSSHion' Bug Threatens Takeover of Millions of Linux Systems
• July 1, 2024 - Critical unauthenticated RCE flaw in OpenSSH server
• July 1, 2024 - Nasty regreSSHion bug affects around 700K Linux systems
• July 1, 2024 - New regreSSHion OpenSSH RCE bug gives root on Linux servers
• July 1, 2024 - Critical OpenSSH Flaw Enables Full System Compromise
• July 1, 2024 - New OpenSSH Vulnerability Could Lead to RCE as Root on Linux Systems
• July 1, 2024 - CVE-2024-6387: Critical OpenSSH Unauthenticated RCE Flaw 'regreSSHion' Exposes Millions of Linux Systems

CVE-2006-5051

HIGH CVSS 8.10 EPSS Score 79.14 EPSS Percentile 98.30

Risk Context N/A

Published: Sept. 27, 2006

Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free.

Vendors Impacted: Debian, Openbsd, Apple

Products Impacted: Mac Os X Server, Debian Linux, Openssh, Mac Os X

Quotes

• In our security analysis, we identified that this vulnerability is a regression of the previously patched vulnerability CVE-2006-5051, which was reported in 2006
• The vulnerability, which is a signal handler race condition in OpenSSH's server (sshd), allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems
• If a client does not authenticate within LoginGraceTime seconds (120 by default), then sshd's SIGALRM handler is called asynchronously and calls various functions that are not async-signal-safe
• This vulnerability, if exploited, could lead to full system compromise where an attacker can execute arbitrary code with the highest privileges, resulting in a complete system takeover, installation of malware, data manipulation, and the creation of backdoors for persistent access
• A critical vulnerability in sshd(8) was present in Portable OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may allow arbitrary code execution with root privileges. Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with ASLR. Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept. Exploitation on 64-bit systems is believed to be possible but has not been demonstrated at this time. It’s likely that these attacks will be improved upon

Headlines

• July 4, 2024 - Cloud Software Group Security Advisory for CVE-2024-6387
• July 2, 2024 - CVE-2024-6387 aka regreSSHion – root cause, risks, mitigation
• July 1, 2024 - 'RegreSSHion' Bug Threatens Takeover of Millions of Linux Systems
• July 1, 2024 - Critical unauthenticated RCE flaw in OpenSSH server
• July 1, 2024 - Nasty regreSSHion bug affects around 700K Linux systems
• July 1, 2024 - New regreSSHion OpenSSH RCE bug gives root on Linux servers
• July 1, 2024 - Critical OpenSSH Flaw Enables Full System Compromise
• July 1, 2024 - New OpenSSH Vulnerability Could Lead to RCE as Root on Linux Systems
• July 1, 2024 - CVE-2024-6387: Critical OpenSSH Unauthenticated RCE Flaw 'regreSSHion' Exposes Millions of Linux Systems

CVE-2024-20399

MEDIUM CVSS 6.70 EPSS Score 0.25 EPSS Percentile 65.55

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: July 1, 2024

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands. An attacker could exploit this vulnerability by including crafted input as the argument of an affected configuration CLI command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of root. Note: To successfully exploit this vulnerability on a Cisco NX-OS device, an attacker must have Administrator credentials.

Vendor Impacted: Cisco

Products Impacted: Nexus 3172tq, Nexus 9200yc, Nexus 9800, Nexus 92300yc, Nexus 3100v, Nexus 7000 18-Slot, Nexus 9516, Nexus 93128, Nexus 5010, Nexus 7000 4-Slot, Nexus 93180yc-Fx-24, Nx-Os, Nexus 7000, Nexus 9316d-Gx, Nexus 3200, Nexus 3232, Nexus 7009, Nexus 9372tx, Nexus 9500 Supervisor A, Mds 9134, Nexus 9804, Nexus 9332pq, Nexus 9364c-Gx, Nexus 3064t, Nexus 9716d-Gx, Nexus 9000 In Standalone, Nexus 93240yc-Fx2, Nexus 3400, Nexus 92348gc-X, Nexus 7000 Supervisor 2, Nexus 9000, Nexus 3464c, Nexus 3408-S, Nexus 5672up, Nexus 31108tc-V, Nexus 92160yc-X, Nexus 93180yc-Fx3, Mds 9216, Nexus 3548-X\/xl, Nexus 9536pq, Mds 9396t, Nexus 3132c-Z, Nexus 3600, Nexus 9272q, Nexus 9500 16-Slot, Nexus 9332d-H2r, Nexus 9000 In Aci Mode, Nexus 93108tc-Fx3p, Nexus 7710, Nexus 9336c-Fx2-E, Nexus 9808, Nexus 5648q, Nexus 31108pv-V, Nexus 93108tc-Fx-24, Mds 9216a, Nexus 9504, Nexus 93180tc-Ex, Nexus 9336pq Aci Spine, Nexus 9200, Nexus 93180yc-Ex, Nexus 9396tx, Mds 9148t, Nexus 3132q-X, Nexus 93180yc-Ex-24, Nexus 9372tx-E, Nexus 5548p, Nexus...

Quotes

• Sygnia detected this exploitation during a larger forensic investigation into the China-nexus cyberespionage group we are tracking as Velvet Ant
• In April 2024, the Cisco Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of this vulnerability in the wild
• By exploiting this vulnerability, Velvet Ant successfully executed a previously unknown custom malware that allowed the threat group to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on the devices
• This vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands. An attacker could exploit this vulnerability by including crafted input as the argument of an affected configuration CLI command

Headlines

• July 2, 2024 - Patch Now: Cisco Zero-Day Under Fire From Chinese APT
• July 2, 2024 - Cisco Patches Zero-Day Bug Used by Chinese Velvet Ant Group
• July 2, 2024 - China-linked APT exploited Cisco NX-OS zero-day to deploy custom malware
• July 2, 2024 - Chinese Hackers Exploiting Cisco Switches Zero-Day to Deliver Malware
• July 1, 2024 - Cisco warns of NX-OS zero-day exploited to deploy custom malware
• July 1, 2024 - CVE-2024-20399: Cisco NX-OS Zero-Day Vulnerability Under Active Attack

CVE-2008-4109

MEDIUM CVSS 5.00 EPSS Score 7.61 EPSS Percentile 94.19

Risk Context N/A

Published: Sept. 18, 2008

A certain Debian patch for OpenSSH before 4.3p2-9etch3 on etch; before 4.6p1-1 on sid and lenny; and on other distributions such as SUSE uses functions that are not async-signal-safe in the signal handler for login timeouts, which allows remote attackers to cause a denial of service (connection slot exhaustion) via multiple login attempts. NOTE: this issue exists because of an incorrect fix for CVE-2006-5051.

Vendors Impacted: Openbsd, Debian

Products Impacted: Linux, Openssh

Quotes

• The vulnerability, which is a signal handler race condition in OpenSSH's server (sshd), allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems
• If a client does not authenticate within LoginGraceTime seconds (120 by default), then sshd's SIGALRM handler is called asynchronously and calls various functions that are not async-signal-safe

Headlines

• July 1, 2024 - Nasty regreSSHion bug affects around 700K Linux systems
• July 1, 2024 - New regreSSHion OpenSSH RCE bug gives root on Linux servers
• July 1, 2024 - Critical OpenSSH Flaw Enables Full System Compromise
• July 1, 2024 - New OpenSSH Vulnerability Could Lead to RCE as Root on Linux Systems