Cisco Warns of Bug That Lets Attackers Break Traffic Encryption
Cyber Security Threat Summary:
Yesterday, Cisco released an advisory warning its customers of an unpatched vulnerability in the Cisco ACI Multi-Site CloudSec encryption feature of Cisco Nexus 9000 Series Fabric Switches in ACI mode that could be exploited by an unauthenticated remote attack to read or modify intersite encrypted traffic. Tracked as CVE-2023-20185, the flaw received a CVSS score of 7.4, indicating a high level of severity. According to Cisco, the vulnerability is due to an issue with the implementation of the ciphers that are used by the CloudSec encryption feature on affected switches. An attacker with an on-path position between the ACI sites could exploit this vulnerability by intercepting intersite encrypted traffic and using cryptanalytic techniques to break the encryption. A successful exploit could allow the attacker to read or modify the traffic that is transmitted between the sites.”
Security Officer Comments:
CVE-2023-20185 impacts Cisco Nexus 9000 Series Fabric Switches in ACI mode that are running releases 14.0 and later if they are part of a Multi-Site topology and have the encryption feature enabled. As of writing, there are currently no workarounds to address this flaw. Until Cisco releases software updates, administrators should disable the vulnerable CloudSec encrypted feature and contact their organizations to evaluate alternative options.
Suggested Correction(s):
(Cisco) CloudSec encryption currently requires using Cisco Nexus 9332C or Cisco Nexus 9364C Fixed Spine Switches, or Cisco Nexus 9500 Spine Switches that are equipped with a Cisco Nexus N9K-X9736C-FX Line Card.
To determine whether CloudSec encryption is in use in an ACI site, choose Infrastructure > Site Connectivity > Configure > Sites > site-name > Inter-Site Connectivity on the Cisco Nexus Dashboard Orchestrator (NDO) and check if CloudSec Encryption is marked Enabled.
To determine whether CloudSec encryption is in use on a Cisco Nexus 9000 Series Spine Switch, use the show cloudsec sa interface all command at the switch CLI. If the command returns Operational Status output for any interface, CloudSec encryption is enabled
Link(s):
https://www.bleepingcomputer.com/
https://sec.cloudapps.cisco.com/