By CyberSpecta

Cisco ACI Multi-Site CloudSec Encryption Vulnerability Exposes Data Center Switches


Cisco has issued a security advisory warning about a high-severity vulnerability affecting specific data center switch models. The vulnerability, tracked as CVE-2023-20185, affects the Cisco ACI Multi-Site CloudSec encryption feature on Cisco Nexus 9000 Series Fabric Switches. Attackers can exploit this flaw to tamper with encrypted traffic, potentially compromising data integrity and confidentiality.

Vulnerability Details:

The vulnerability impacts Cisco Nexus 9332C, 9364C, and 9500 spine switches that are operating in ACI mode, participating in a Multi-Site topology, and have the CloudSec encryption feature enabled. Only devices running release 14.0 and later are susceptible. The flaw allows an unauthenticated attacker with an on-path position between ACI sites to intercept intersite encrypted traffic and use cryptanalytic techniques to read or modify the data.

Risk and Impact:

The vulnerability exposes the confidentiality and integrity of data transmitted between ACI sites. An attacker exploiting this flaw could gain unauthorized access to sensitive information or manipulate the data for malicious purposes. However, Cisco has no evidence of active exploitation or public exploit code targeting this vulnerability.

Affected Products:

The vulnerability affects Cisco Nexus 9000 Series Fabric Switches in ACI mode running releases 14.0 and later if they are part of a Multi-Site topology and have the CloudSec encryption feature enabled. Specifically, Cisco Nexus 9332C and 9364C switches, and Cisco Nexus 9500 spine switches equipped with a Cisco Nexus N9K-X9736C-FX Line Card, are vulnerable. To determine whether CloudSec encryption is in use in an ACI site, choose Infrastructure > Site Connectivity > Configure > Sites > site-name > Inter-Site Connectivity on the Cisco Nexus Dashboard Orchestrator (NDO) and check whether CloudSec Encryption is marked Enabled.

Mitigation Steps:

Currently, Cisco has not released any software updates to address the vulnerability. To mitigate the risk, customers using affected switches are advised to disable the CloudSec encryption feature and seek guidance from their support organization for alternative solutions. Determining whether CloudSec encryption is enabled can be done through the Cisco Nexus Dashboard Orchestrator (NDO) or the appropriate command on the affected switch.
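As an added example (not from the Cisco advisory or any Cisco tooling), the following triage script checks a constructed fabric inventory against the affected-product conditions above so that the devices needing CloudSec disabled can be listed. The inventory records, their field names, and the product IDs used for the models are assumptions.

```python
"""Triage a fabric inventory against the CVE-2023-20185 affected-product conditions."""
import re

# Platforms named in the advisory. The product IDs are the usual Cisco PIDs for the
# listed models (9332C, 9364C, 9500 chassis) and are assumptions in this example.
DIRECTLY_AFFECTED_MODELS = {"N9K-C9332C", "N9K-C9364C"}
REQUIRED_9500_LINE_CARD = "N9K-X9736C-FX"   # 9500 spines are affected only with this card
MIN_RELEASE = (14, 0)                         # releases 14.0 and later


def parse_release(release: str) -> tuple:
    """Reduce an ACI release string such as '14.2(7q)' or '15.0(1k)' to (major, minor)."""
    m = re.match(r"^\s*(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised release string: {release!r}")
    return int(m.group(1)), int(m.group(2))


def is_affected(dev: dict) -> bool:
    """Every advisory condition must hold at once: ACI mode, release >= 14.0,
    member of a Multi-Site topology, CloudSec enabled, and a listed platform."""
    if not (dev["aci_mode"] and dev["multi_site"] and dev["cloudsec"]):
        return False
    if parse_release(dev["release"]) < MIN_RELEASE:
        return False
    if dev["model"] in DIRECTLY_AFFECTED_MODELS:
        return True
    if dev["model"].startswith("N9K-C95"):   # 9500 chassis: check the installed line cards
        return REQUIRED_9500_LINE_CARD in dev.get("line_cards", [])
    return False


# Constructed inventory; field names are assumptions, not an NDO or switch export format.
INVENTORY = [
    {"name": "spine-1", "model": "N9K-C9364C", "aci_mode": True, "release": "15.2(4d)",
     "multi_site": True, "cloudsec": True},
    {"name": "spine-2", "model": "N9K-C9508", "aci_mode": True, "release": "14.2(7q)",
     "multi_site": True, "cloudsec": True, "line_cards": ["N9K-X9736C-FX"]},
    {"name": "spine-3", "model": "N9K-C9508", "aci_mode": True, "release": "14.2(7q)",
     "multi_site": True, "cloudsec": True, "line_cards": ["N9K-X9732C-EX"]},
    {"name": "spine-4", "model": "N9K-C9332C", "aci_mode": True, "release": "13.2(9h)",
     "multi_site": True, "cloudsec": True},
    {"name": "spine-5", "model": "N9K-C9364C", "aci_mode": True, "release": "15.2(4d)",
     "multi_site": True, "cloudsec": False},   # CloudSec already disabled (the advised mitigation)
]


def affected_devices(inventory: list) -> list:
    """Names of devices meeting all conditions, i.e. those to prioritise for disabling CloudSec."""
    return sorted(d["name"] for d in inventory if is_affected(d))
```

Running `affected_devices(INVENTORY)` on the constructed data returns only spine-1 and spine-2; the 9500 without the FX line card, the pre-14.0 switch, and the switch with CloudSec disabled are excluded.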

Conclusion:

The Cisco ACI Multi-Site CloudSec encryption vulnerability poses a significant risk to data center switch users. By exploiting this flaw, attackers could compromise the confidentiality and integrity of encrypted traffic between ACI sites. Although Cisco has not observed any active exploitation, affected organizations must take immediate action by disabling the vulnerable feature and exploring alternative options to ensure the security of their network infrastructure. Stay informed about future software updates from Cisco to address this vulnerability.
