Cisco warns of a security flaw in Nexus 9000 series switch

An unauthenticated attacker may exploit the vulnerability to tamper with encrypted traffic, the company says

Cisco warns of a security flaw in Nexus 9000 series switch

Image:
Cisco warns of a security flaw in Nexus 9000 series switch

Cisco recommends that customers using vulnerable switches should disable ACI multi-site CloudSec encryption until a fix is provided

Cisco has released an advisory about a security vulnerability in the Nexus 9000 series switches that could enable an unauthorised remote attacker to read or alter encrypted traffic exchanged between different sites.

The vulnerability, assigned the identifier CVE-2023-20185, impacts Cisco Nexus 9000 Series Fabric Switches operating in ACI mode with releases 14.0 and beyond if they are part of a multi-site topology and have the CloudSec encryption feature activated.

CloudSec encryption is a feature of Cisco Nexus 9332C, Cisco Nexus 9364C Fixed Spine Switches and the Cisco Nexus 9500 Spine Switches equipped with a Cisco Nexus N9K-X9736C-FX Line Card.

Cisco says it currently has no knowledge of any public disclosures or instances of malicious exploitation related to the mentioned vulnerability.

The flaw in the ACI Multi-Site CloudSec encryption feature was discovered during an internal security testing of datacentre Cisco Nexus 9000 Series Fabric Switches.

The vulnerability arises from an implementation issue with the ciphers used by the CloudSec encryption feature on the affected switches, according to the company.

"An attacker with an on-path position between the ACI sites could exploit this vulnerability by intercepting intersite encrypted traffic and using cryptanalytic techniques to break the encryption," Cisco said.

Cisco has confirmed that CVE-2023-20185 does not impact Cisco Nexus 9000 Series Switches operating in standalone NX-OS mode.

Cisco has not yet issued any software updates to address the vulnerability. Additionally, there are no known workarounds available to mitigate or resolve the bug.

To address this vulnerability, Cisco suggests that customers utilising vulnerable switches should disable the ACI multi-site CloudSec encryption feature.

In addition, they are also advised to consult their support organisation for further guidance on exploring alternative solutions.

To verify whether CloudSec encryption is being used in an ACI site, users can follow these steps:

  1. Access the Cisco Nexus Dashboard Orchestrator (NDO).
  2. Navigate to Infrastructure > Site Connectivity > Configure > Sites > site-name > Inter-Site Connectivity.
  3. Check if the CloudSec Encryption option is marked as "Enabled."

Prime Collaboration Deployment vulnerability

Cisco is also engaged in the process of addressing a vulnerability found in its Prime Collaboration Deployment (PCD) software. The bug, identified as CVE-2023-20060, was discovered in the web-based management interface of Cisco PCD versions 14 and earlier.

If successfully exploited, this vulnerability could enable a remote unauthenticated attacker to execute cross-site scripting attacks, albeit with the prerequisite of user interaction.

In May, Cisco released security updates to address four critical RCE vulnerabilities that affected multiple Small Business Series Switches. These vulnerabilities were deemed critical due to the potential for attackers to execute malicious code remotely, with root privileges on affected devices.

Each of these vulnerabilities was assigned a CVSS severity score of 9.8 out of 10, indicating their critical nature and the urgent need for remediation to prevent potential exploitation.

This year, Cisco has patched other Small Business products, notably the RV Series routers in February. Attackers could use those vulnerabilities to carry out actions including RCE and unauthorised access to corporate networks, often without requiring authentication.