Cisco warns of bug that lets attackers break traffic encryption
Cisco warned customers today of a high-severity vulnerability impacting some data center switch models and allowing attackers to tamper with encrypted traffic.
Tracked as CVE-2023-20185, the flaw was found during internal security testing in the ACI Multi-Site CloudSec encryption feature of data center Cisco Nexus 9000 Series Fabric Switches.
The vulnerability only impacts Cisco Nexus 9332C, 9364C, and 9500 spine switches (the last ones equipped with a Cisco Nexus N9K-X9736C-FX Line Card) only if they are in ACI mode, are part of a Multi-Site topology, have the CloudSec encryption feature enabled, and are running firmware 14.0 and later releases.
Successful exploitation allows unauthenticated attackers to read or modify intersite encrypted traffic exchanged between sites remotely.
"This vulnerability is due to an issue with the implementation of the ciphers that are used by the CloudSec encryption feature on affected switches," Cisco said.
"An attacker with an on-path position between the ACI sites could exploit this vulnerability by intercepting intersite encrypted traffic and using cryptanalytic techniques to break the encryption."
No patch and no signs of active exploitation
Cisco has not yet issued software updates to resolve the CVE-2023-20185 vulnerability. Customers using affected data center switches are advised to turn off the vulnerable feature and seek guidance from their support organization to explore alternative solutions.
To find out if CloudSec encryption is being used across an ACI site, go to Infrastructure > Site Connectivity > Configure > Sites > site-name > Inter-Site Connectivity on the Cisco Nexus Dashboard Orchestrator (NDO) and check if "CloudSec Encryption" is marked as "Enabled."
To check whether CloudSec encryption is enabled on a Cisco Nexus 9000 Series switch, run the show cloudsec sa interface all command via the switch command line. If it returns 'Operational Status' for any interface, CloudSec encryption is toggled on.
The company's Product Security Incident Response Team (PSIRT) is yet to find evidence of public exploit code targeting the bug or that the flaw has been exploited in attacks.
In May, it also addressed four critical remote code execution flaws with public exploit code affecting multiple Small Business Series Switches.
Cisco is also working on patching a cross-site scripting (XSS) bug in the Prime Collaboration Deployment (PCD) server management tool, reported by Pierre Vivegnis of NATO's Cyber Security Centre (NCSC).