A high-severity vulnerability was disclosed by Cisco on Wednesday, 5 July 2023, affecting some of its data center switch models; it allows threat actors to break the encryption protecting inter-site traffic.
The vulnerability, tracked as CVE-2023-20185 (still marked as reserved on nist.gov at the time of writing), was found during internal security testing in the ACI Multi-Site CloudSec Encryption feature of Cisco Nexus 9000 series switches running in ACI mode, the Cisco data center fabric that controls both physical and virtual networks.
Image source: cisco
At the time of writing, no security updates or patches are available for the vulnerable devices. Cisco therefore advises customers who use the ACI Multi-Site CloudSec encryption feature on Nexus 9332C and Nexus 9364C switches and on Nexus N9K-X9736C-FX line cards to disable the feature and contact their support organization to evaluate alternative options.
Cisco states that the vulnerability is due to an issue in the implementation of the ciphers used by the CloudSec encryption feature on the affected switches. An attacker in an on-path position between ACI sites could exploit it by intercepting the encrypted inter-site traffic and breaking the encryption with cryptanalytic techniques. This would allow the attacker not only to read the contents of the traffic but also to modify it in transit.
John Bambenek, Principal Threat Hunter at NetEnrich, stated:
“Being able to intercept, decrypt, and potentially modify traffic is a significant issue, especially in data centres where sensitive data is stored and accessed.
For Cisco to tell its customers to disable the device tells me all I need to know about the severity of this vulnerability, and I would advise anyone to contact support to figure out how to move forward.” – SC Media.
This advisory describes a serious issue: not only can inter-site traffic be intercepted, but the encryption protecting it can be broken, exposing sensitive data and, because the traffic can also be modified in transit, giving an attacker a foothold for lateral movement across the network.
That Cisco advises customers to disable the feature and contact its support team, without publicly disclosing the alternative options that would prevent exploitation, is a further sign of the severity of the situation.
Because the only mitigation offered is to disable the feature and contact Cisco support, affected customers face business disruption and a loss of functionality on the vulnerable devices; note also that disabling CloudSec removes that layer of encryption from inter-site traffic altogether, which is why the alternative options Cisco support can offer matter.
Cisco stated on its official website that there are no workarounds that address this vulnerability and that no software updates are available yet.
Cisco also stated that it is not aware of any malicious use of the vulnerability described in the advisory, which was discovered during internal testing by the Cisco Product Security Incident Response Team (PSIRT).
Please let us know your thoughts in the comment section.