Cisco Systems Inc. published a security advisory Wednesday warning customers of a high-severity vulnerability in its Nexus 9000 Series Fabric Switches in ACI mode that could allow an unauthenticated, remote attacker to read or modify inter-site encrypted traffic.

The vulnerability, designated CVE-2023-20185, stems from a problem in the implementation of the ciphers used by the switches’ CloudSec encryption feature. If an attacker is in an on-path position between the ACI sites, they could exploit the vulnerability by intercepting the encrypted traffic and breaking the encryption using cryptanalytic techniques.

Devices affected by the vulnerability include Cisco Nexus 9000 Series Fabric Switches in ACI mode running releases 14.0 and later if they are part of a multi-site topology and have the CloudSec encryption feature enabled. Cisco Nexus 9332C, Nexus 9364C Fixed Spine Switches and Cisco Nexus 9500 Spine Switches equipped with a Cisco Nexus N9K-X9736C-FX Line Card also use CloudSec encryption.

Cisco has not released software updates that address this vulnerability and there is currently no known workaround. Customers that are using the Cisco ACI Multi-Site CloudSec encryption feature for the Cisco Nexus 9332C and Nexus 9364C Switches and the Cisco Nexus N9K-X9736C-FX Line Card are advised to disable the switches.

“Given the limited information available at the moment, it appears that the vulnerability would be difficult to exploit but, if successful, an attacker would gain unencrypted access to otherwise secure network traffic,” Mike Parkin, senior technical engineer at cyber risk management company Vulcan Cyber Ltd., told SiliconANGLE. “How damaging that would be depends on the nature of the traffic they were seeing. We can only hope that Cisco will release patches to correct the issue quickly.”

John Bambenek, principal threat hunter at security and operations analytics company Netenrich Inc., highlighted the rather strange aspects of the notice, saying that he’s not sure he has ever seen a company say there are no updates and that they should unplug the device and find another product instead.

“Being able to intercept and decrypt and potentially modify traffic is a significant issue, especially in data centers where sensitive data is stored and accessed,” Bambenek added. “For Cisco to tell its customers to disable the device tells me all I need to know about the severity of this vulnerability and I would advise anyone to contact support to figure out how to move forward.”

Photo: Rawpixel