Cisco has alerted its customers about a significant vulnerability found in some models of data center switches that could allow attackers to interfere with encrypted traffic. The vulnerability, identified as CVE-2023-20185, was discovered during internal security testing of the ACI Multi-Site CloudSec encryption feature in Cisco Nexus 9000 Series Fabric Switches.
The flaw affects Cisco Nexus 9332C, 9364C, and 9500 spine switches, but only if they are in ACI mode, are part of a Multi-Site topology, have the CloudSec encryption feature enabled, and are running firmware 14.0 and later releases. If successfully exploited, this vulnerability would allow unauthorized attackers to read or modify intersite encrypted traffic between sites remotely.
Cisco explained the issue, stating, "This vulnerability is due to an issue with the implementation of the ciphers that are used by the CloudSec encryption feature on affected switches." They further elaborated that an attacker positioned between the ACI sites could exploit this vulnerability by intercepting intersite encrypted traffic and using cryptanalysis techniques to break the encryption.
As of now, Cisco has not released any software updates to fix the CVE-2023-20185 vulnerability. The company advises customers using the affected data center switches to disable the vulnerable feature and contact their support organization for alternative solutions.
To determine whether CloudSec encryption is active across an ACI site, navigate to Infrastructure > Site Connectivity > Configure > Sites > site-name > Inter-Site Connectivity in the Cisco Nexus Dashboard Orchestrator (NDO) and check whether "CloudSec Encryption" is listed as "Enabled." To verify whether CloudSec encryption is enabled on an individual Cisco Nexus 9000 Series switch, run the command show cloudsec sa interface all from the switch command line. If the output shows an "Operational Status" for any interface, CloudSec encryption is switched on.
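The exposure conditions above (model, ACI mode, Multi-Site membership, CloudSec enabled, firmware 14.0 or later) can be applied to a switch inventory to find which devices need CloudSec disabled while no fix is available. The following is an added example, not Cisco's code; the inventory records are constructed, and the field names and the ACI release string format are assumptions.

```python
"""Inventory triage for CVE-2023-20185 exposure (added example, not Cisco's code)."""
import re
from dataclasses import dataclass

# Model strings are assumed to be normalised to the series names in the advisory.
AFFECTED_MODELS = ("9332C", "9364C", "9500")


@dataclass
class Switch:
    name: str
    model: str            # e.g. "9332C", "9364C", "9500"
    aci_mode: bool        # False means NX-OS standalone mode
    multisite: bool       # member of an ACI Multi-Site topology
    cloudsec_enabled: bool
    firmware: str         # ACI release string such as "15.2(4e)" (format assumed)


def firmware_at_least(release: str, major: int, minor: int) -> bool:
    """Compare the leading 'major.minor' of a release string against a threshold."""
    m = re.match(r"^\s*(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised release string: {release!r}")
    return (int(m.group(1)), int(m.group(2))) >= (major, minor)


def is_exposed(sw: Switch) -> bool:
    """True only when every precondition named in the advisory holds."""
    model_affected = any(m in sw.model.upper() for m in AFFECTED_MODELS)
    return (model_affected and sw.aci_mode and sw.multisite
            and sw.cloudsec_enabled and firmware_at_least(sw.firmware, 14, 0))


def triage(inventory: list) -> list:
    """Names of switches that should have CloudSec disabled until a fix ships."""
    return [sw.name for sw in inventory if is_exposed(sw)]


# Constructed sample inventory; each non-exposed entry fails exactly one condition.
SAMPLE_INVENTORY = [
    Switch("spine-a1", "9332C", True, True, True, "15.2(4e)"),    # exposed
    Switch("spine-a2", "9364C", True, True, False, "15.2(4e)"),   # CloudSec off
    Switch("spine-b1", "9500", True, False, True, "14.1(2g)"),    # not Multi-Site
    Switch("leaf-b1", "93180YC", True, True, True, "15.2(4e)"),   # model not listed
    Switch("spine-c1", "9364C", False, True, True, "10.2(3)"),    # NX-OS mode, not ACI
    Switch("spine-d1", "9500", True, True, True, "13.2(9)"),      # pre-14.0 release
]

if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY):
        print(f"{name}: exposed to CVE-2023-20185; disable CloudSec and contact support")
```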
Cisco's Product Security Incident Response Team (PSIRT) has not yet found any evidence of public exploit code targeting the bug or the flaw being exploited in attacks. In addition to this, Cisco addressed four critical remote code execution flaws with public exploit code affecting multiple Small Business Series Switches in May. The company is also working on fixing a cross-site scripting (XSS) bug in the Prime Collaboration Deployment (PCD) server management tool, reported by Pierre Vivegnis of NATO's Cyber Security Centre (NCSC).