Endpoint/Device Security, Network Security

High-severity bug in Cisco data center switches lets attackers break into encrypted traffic

Cisco Systems Inc. logo

Cisco on Wednesday warned customers about a high-severity (7.4 CVSS) vulnerability in some of its data center switch models that would let attackers break into encrypted traffic.

As of Thursday, Cisco had not released software updates to address the vulnerability and there are no workarounds that address this flaw.

The vulnerability — CVE-2023-20185 — was found during internal security testing in the ACI Multi-Site CloudSec encryption feature of data center Cisco Nexus 9000 Series Fabric Switches. Cisco said the bug could allow an unauthenticated, remote attacker to read or modify intersite encrypted traffic.

Cisco advised customers who currently use the Cisco ACI Multi-Site CloudSec encryption feature for the Cisco Nexus 9332C, Nexus 9364C switches and the Cisco Nexus N9K-X9736C-FX Line Card to disable it and contact their support organization to evaluate alternative options.

In its advisory, Cisco said the vulnerability was caused by an issue with the implementation of the ciphers that are used by the CloudSec encryption feature on affected switches. The networking vendor said an attacker with an on-path position between the ACI sites could exploit this vulnerability by intercepting intersite encrypted traffic and using cryptanalytic techniques to break the encryption. A successful exploit could allow the attacker to read or modify the traffic that's transmitted between the sites, said Cisco.

John Bambenek, principal threat hunter at Netenrich said he’s not quite sure he’s ever seen a vendor say there are no updates and that they should unplug the device and find another product instead.

“Being able to intercept and decrypt and potentially modify traffic is a significant issue, especially in data centers where sensitive data is stored and accessed,” said Bambenek. "For Cisco to tell its customers to disable the device tells me all I need to know about the severity of this vulnerability and I would advise anyone to contact support to figure out how to move forward.”

Phil Neray, vice president of cyber defense strategy at CardinalOps, added that the advisory is deliberately vague about the weakness in Cisco's encryption algorithm that would let an adversary read or modify the traffic.

“It’s a serious issue because it enables adversaries to access sensitive data, as well as move laterally across the network,” said Neray. “Cisco recommends disabling the feature and contacting support to evaluate alternative options, which are also not described in order to prevent adversaries from exploiting them as well.”

Callie Guenther, cyber threat research senior manager at Critical Start, pointed out that considering the severity of the vulnerability and the absence of patches, Cisco has advised customers to disable the affected Nexus 9000 switches — a move that may cause operational disruptions and impact network functionality.

“It’s a proactive measure aimed at mitigating potential risks until an official patch becomes available,” Guenther said. “We urge organizations to follow Cisco's guidance and disable the affected switches as a precautionary measure. By taking this action, organizations can minimize exposure to possible exploits.”

Cisco issued a statement on this case late Thursday afternoon: "Per our standard PSIRT process, Cisco has reported this vulnerability to MITRE and NIST and we anticipate it populating in their tools by end of today, July 6. Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.