Cisco Security Alert: Enterprise Switches Vulnerable to Attackers, No Updates Available

A Cisco security alert warns of a high-severity vulnerability in its Nexus 9000 series switches that could allow unauthenticated attackers to intercept and modify traffic.

Tracked as CVE-2023-20185, this vulnerability is due to an issue with the implementation of the ciphers that are used by the CloudSec encryption feature on affected switches. An attacker with an on-path position between the application centric infrastructure (ACI) sites could exploit this vulnerability by intercepting intersite encrypted traffic and using cryptanalytic techniques to break the encryption.

Cisco sent us the following statement:

“Cisco is committed to transparency. When security issues arise, we handle them openly and as a matter of top priority, so our customers understand the issue and how to address it. On July 5, Cisco published a security advisory disclosing a vulnerability in the Cisco ACI Multi-Site CloudSec encryption feature of Cisco Nexus 9000 Series Fabric Switches in ACI mode that could allow an unauthenticated, remote attacker to read or modify intersite encrypted traffic. Customers currently using the Cisco ACI Multi-Site CloudSec encryption feature on select Nexus Series Switches and Line Cards are advised to disable this feature and to contact their Cisco support organization to evaluate alternative options. Please refer to the security advisory for additional detail.”

Cisco has not released software updates that address this vulnerability. In addition, there are no workarounds that address this vulnerability.

Vulnerability a ‘Significant Issue’

John Bambenek, principal threat hunter at Netenrich, said he’s not sure he’s ever seen a vendor say there are no updates, and that they should unplug the device and find another product instead.

Netenrich’s John Bambenek

“Being able to intercept and decrypt (and potentially modify traffic) is a significant issue, especially in data centers where sensitive data is stored and accessed,” he said. “For Cisco to tell its customers to disable the device tells me all I need to know about the severity of this vulnerability and I would advise anyone to contact support to figure out how to move forward.”

Phil Neray, vice president of cyber defense strategy at CardinalOps, said the advisory is “deliberately vague” about the weakness in Cisco’s encryption algorithm that would allow an adversary to read or modify the traffic.

CardinalOps’ Phil Neray

“It is a serious issue because it enables adversaries to access sensitive data as well as move laterally across the network,” he said. “Cisco recommends disabling the feature and contacting support to evaluate alternative options, which are also not described in order to prevent adversaries from exploiting them as well.”