Cisco Nexus 9000 Users Must Disable Encryption to Dodge Vuln

There is no workaround or patch for a high-severity vulnerability in Cisco's Nexus 9000 series switches, and none will be forthcoming. The flaw lets an unauthenticated attacker in an on-path position between sites intercept and modify network traffic that is supposed to be protected by encryption.

“This vulnerability is due to an issue with the implementation of the ciphers that are used by the CloudSec encryption feature on affected switches,” Cisco said in an advisory on CVE-2023-20185.


“An attacker with an on-path position between the ACI sites could exploit this vulnerability by intercepting intersite encrypted traffic and using cryptanalytic techniques to break the encryption,” the company said. “A successful exploit could allow the attacker to read or modify the traffic that is transmitted between the sites.”

The vulnerability affects Cisco Nexus 9000 Series Fabric Switches in ACI mode that are running release 14.0 or later, are part of a multi-site topology, and have the CloudSec encryption feature enabled. Switches that do not meet all three conditions are not affected.

“The advisory is deliberately vague about the weakness in Cisco’s encryption algorithm that would allow an adversary to read or modify the traffic,” said Phil Neray, vice president of cyber defense strategy, CardinalOps.

“This is a serious issue, because it enables adversaries to access sensitive data as well as move laterally across the network,” said Neray. “Cisco recommends disabling the feature and contacting support to evaluate alternative options, which are also not described to prevent adversaries from exploiting them as well.”

However, “given the limited information available at the moment, it appears that the vulnerability would be difficult to exploit—but, if successful, an attacker would gain unencrypted access to otherwise secure network traffic,” said Mike Parkin, senior technical engineer at Vulcan Cyber.

Cisco is advising users who have the Cisco ACI Multi-Site CloudSec encryption feature engaged for the Cisco Nexus 9332C and Nexus 9364C Switches and the Cisco Nexus N9K-X9736C-FX Line Card to disable the feature and “contact their support organization to evaluate alternative options, such as performing encryption on the underlying site-to-site connections,” the advisory said. “There are no alternatives that provide full encryption for data in transit between sites on current ACI Spine Switches hardware.”

While disabling the CloudSec encryption feature on the affected Nexus 9000 switches "may cause operational disruptions and impact network functionality, it is a proactive measure aimed at mitigating potential risks until an official patch becomes available," said Callie Guenther, cyber threat research senior manager at Critical Start.

That Cisco is not offering an update has security pros puzzled. “I’m not sure I’ve ever seen a vendor say there are no updates and that they should unplug the device and find another product instead,” said John Bambenek, principal threat hunter at Netenrich.

“Being able to intercept and decrypt (and potentially modify traffic) is a significant issue, especially in data centers where sensitive data is stored and accessed,” said Bambenek. “For Cisco to tell its customers to disable the device tells me all I need to know about the severity of this vulnerability—I would advise anyone to contact support to figure out how to move forward.”

Noting that “Cisco has not released patches to address this vulnerability, and it is yet to be officially listed by databases like MITRE and NIST,” Guenther said, “While the absence of patches and official listings may raise concerns, it is important to understand that addressing vulnerabilities of this nature involves complex processes, coordination and testing.”

She left open the possibility that “the delay in releasing a fix may be due to the intricacies involved in developing an effective solution rather than negligence on Cisco’s part.”


Teri Robinson

