CVE-2023-20185: Cisco ACI Multi-Site CloudSec Encryption Vulnerability

CVE-2023-20185

Cisco on Wednesday announced patches for a high vulnerability in its Cisco Nexus 9000 Series Fabric Switches, designated as CVE-2023-20185 with a CVSS score of 7.4.

This vulnerability, buried deep within the Cisco ACI Multi-Site CloudSec encryption feature, presents a potential backdoor for unauthorized, remote attackers to access and modify intersite encrypted traffic on Cisco Nexus 9000 Series Fabric Switches in ACI mode. An inherent flaw in the implementation of the ciphers used by the CloudSec encryption feature is to blame for this unsettling security lapse.

While the labyrinth of cyberspace may seem vast and insurmountable, an attacker stationed at an on-path position between the ACI sites could exploit this vulnerability by intercepting intersite encrypted traffic. By employing sophisticated cryptanalytic techniques, the attacker could fracture the encryption, thereby gaining unhindered access to read or modify the transmittal traffic between sites.

In the face of this alarming revelation, it is regrettable to report that Cisco has yet to release any software updates addressing this critical vulnerability. Moreover, no alternative workarounds have been found to counter this weakness.

The CVE-2023-20185 security loophole is specific to Cisco Nexus 9000 Series Fabric Switches in ACI mode running releases 14.0 and later, but only if they are a part of a Multi-Site topology with the CloudSec encryption feature enabled. This feature currently necessitates the usage of Cisco Nexus 9332C or Cisco Nexus 9364C Fixed Spine Switches, or Cisco Nexus 9500 Spine Switches that are equipped with a Cisco Nexus N9K-X9736C-FX Line Card.

Determining the status of the CloudSec feature can be achieved by following the Cisco Nexus Dashboard Orchestrator (NDO) and checking if CloudSec Encryption is marked as enabled. For Cisco Nexus 9000 Series Spine Switch, the command ‘show cloudsec sa interface all‘ will reveal the operational status of any interface.

In the absence of any software updates from Cisco, customers using the Cisco ACI Multi-Site CloudSec encryption feature are strongly advised to disable it and reach out to their support organization to evaluate alternative options. As of this writing, there have been no public announcements or known malicious uses of this vulnerability, offering a glimmer of hope in these otherwise dire circumstances.