On Wednesday, July 5th, Cisco warned its customers about a high-severity vulnerability affecting certain data center switch models. According to Cisco, the bug allows attackers to tamper with encrypted traffic.
The published security advisory assigns the bug a CVSS score of 7.4, placing it in the high-severity range. Cisco also stated that the vulnerability was found during internal security testing. The bug lies in the Cisco ACI Multi-Site CloudSec encryption feature of the Cisco Nexus 9000 Series Fabric Switches (in ACI mode).
What does the bug do?
According to the Cisco security advisory (CVE-2023-20185), the bug can allow an unauthorized attacker to access, read, or modify encrypted traffic. Cisco stated:
“This vulnerability is due to an issue with the implementation of the ciphers that are used by the CloudSec encryption feature on affected switches.”
The advisory further explains that an attacker could exploit the bug by intercepting encrypted intersite traffic and using cryptanalytic techniques to bypass that encryption. This requires the attacker to be in an on-path position between the ACI sites.
“A successful exploit could allow the attacker to read or modify the traffic that is transmitted between the sites.”
Vulnerable devices: What will the bug affect?
The bug affects Cisco Nexus 9332C and 9364C switches, and Nexus 9500 spine switches with a Cisco Nexus N9K-X9736C-FX Line Card. Cisco explained in the advisory on Monday that the switches must be in ACI mode and running release 14.0 or later for the bug to apply.
In addition, the switches must be part of a Multi-Site topology and have the CloudSec encryption feature enabled to be considered vulnerable.
Here is a summary:
- Cisco Nexus 9000 Series Fabric Switches
- ACI mode must be enabled
- Switches must be running release 14.0 or later
- Switches must be part of a Multi-Site topology
- The CloudSec encryption feature must be enabled.
Note: Cisco Nexus 9000 Series Switches in standalone NX-OS mode are not affected by the vulnerability.
How to check if the CloudSec feature is enabled?
Here is how to check whether CloudSec encryption is enabled for an ACI site. In the Cisco Nexus Dashboard Orchestrator (NDO):
- Select Infrastructure > Site Connectivity.
- Navigate through Configure > Sites > site-name > Inter-Site Connectivity.
- Check if the CloudSec encryption feature is enabled.
You can also verify this on a Cisco Nexus 9000 Series switch:
- From the switch command line, run the command show cloudsec sa interface all.
- Check the output.
- If an Operational Status is returned in the output, CloudSec encryption is enabled.
Source: Cisco
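To turn the advisory's conditions (affected models, ACI mode, release 14.0 or later, Multi-Site membership, CloudSec enabled) and the show-command check above into a repeatable inventory triage, here is an added Python example. It is not Cisco's code and not part of the advisory; the inventory field names, the release-string format, and the layout of the captured show cloudsec sa interface all output are assumptions, and the sample switches are constructed. Only the presence of an "Operational Status" field is used, as the advisory describes.

```python
"""Added example (not Cisco's code): triage a switch inventory against the
conditions the advisory lists for CVE-2023-20185."""
import re
from dataclasses import dataclass

# Conditions as stated on the page. Model strings follow the article's naming.
AFFECTED_MODELS = {"9332C", "9364C"}
AFFECTED_WITH_LINE_CARD = {"9500": "N9K-X9736C-FX"}
MIN_RELEASE = (14, 0)


@dataclass
class Switch:
    # Hypothetical inventory schema; field names are this example's own.
    name: str
    model: str            # e.g. "9332C", "9364C", "9500"
    line_cards: list      # installed line card part numbers
    mode: str             # "ACI" or "NX-OS"
    release: str          # assumed "major.minor(...)" format, e.g. "15.2(7f)"
    multisite: bool       # member of a Multi-Site topology
    cloudsec_output: str  # captured text of "show cloudsec sa interface all"


def release_tuple(release: str):
    """Return (major, minor) from a release string such as '15.2(7f)'."""
    m = re.match(r"\s*(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unparseable release string: {release!r}")
    return int(m.group(1)), int(m.group(2))


def cloudsec_enabled(show_output: str) -> bool:
    """Advisory check: an 'Operational Status' field in the output of
    'show cloudsec sa interface all' means CloudSec encryption is enabled.
    The exact output layout is assumed; only the field's presence matters."""
    return any("operational status" in line.lower()
               for line in show_output.splitlines())


def affected_model(sw: Switch) -> bool:
    """9332C/9364C, or a 9500 spine fitted with the N9K-X9736C-FX line card."""
    if sw.model in AFFECTED_MODELS:
        return True
    card = AFFECTED_WITH_LINE_CARD.get(sw.model)
    return card is not None and card in sw.line_cards


def is_vulnerable(sw: Switch) -> bool:
    """All five conditions from the advisory summary must hold."""
    return (
        affected_model(sw)
        and sw.mode.upper() == "ACI"          # standalone NX-OS mode is not affected
        and release_tuple(sw.release) >= MIN_RELEASE
        and sw.multisite
        and cloudsec_enabled(sw.cloudsec_output)
    )


def triage(switches) -> list:
    """Names of switches meeting every condition: these are the ones where
    CloudSec should be disabled and a support case opened, per the advisory."""
    return [sw.name for sw in switches if is_vulnerable(sw)]


# Constructed sample data. The show-command text is illustrative, not real output.
CLOUDSEC_ON = ("Interface      Operational Status   SA Status\n"
               "Ethernet1/49   Up                   Active\n")
CLOUDSEC_OFF = "CloudSec is not configured on any interface\n"

SAMPLE = [
    Switch("spine-1", "9332C", [], "ACI", "15.2(7f)", True, CLOUDSEC_ON),
    Switch("spine-2", "9500", ["N9K-X9736C-FX"], "ACI", "16.0(2h)", True, CLOUDSEC_ON),
    Switch("spine-3", "9500", ["OTHER-LINE-CARD"], "ACI", "16.0(2h)", True, CLOUDSEC_ON),
    Switch("leaf-1", "9364C", [], "NX-OS", "10.2(3)", False, CLOUDSEC_OFF),   # standalone
    Switch("spine-4", "9364C", [], "ACI", "13.2(9b)", True, CLOUDSEC_ON),     # pre-14.0
    Switch("spine-5", "9332C", [], "ACI", "15.2(7f)", True, CLOUDSEC_OFF),    # CloudSec off
]

if __name__ == "__main__":
    print(triage(SAMPLE))  # → ['spine-1', 'spine-2']
```

Feed it your own inventory export and the captured output of the show command from each switch; the function returns only devices that satisfy every condition, so a 9364C running standalone NX-OS or a Multi-Site fabric with CloudSec switched off is correctly left off the list.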
Vulnerability patch: What to do now?
Cisco has not issued a software update for this bug. If you are using the Cisco ACI Multi-Site CloudSec encryption feature on any of the vulnerable devices, you can disable it, and contact your support organization to evaluate alternative options.
To quote Cisco:
“Customers who are currently using the Cisco ACI Multi-Site CloudSec encryption feature for the Cisco Nexus 9332C and Nexus 9364C Switches and the Cisco Nexus N9K-X9736C-FX Line Card are advised to disable it and to contact their support organization to evaluate alternative options.”
Has there been a breach?
Cisco has also clarified that it has found no evidence that the encryption feature bug has been exploited. Cisco’s Product Security Incident Response Team (PSIRT) is likewise not aware of any public announcements that would point to an exploit.
“The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.”
In a nutshell
For now, Cisco has advised customers to disable the encryption feature to avoid potential exploitation. The company has not released a software update for this bug and has stated that there are no workarounds that address the vulnerability.