Cisco warns end users that their Cisco Nexus 9000 Series Fabric Switches in ACI mode are vulnerable and can lead to “unauthenticated, remote attacker to read or modify intersite encrypted traffic.” According to Cisco, this vulnerability stems from the ciphers used by the CloudSec encryption feature on the switches. An attacker wishing to exploit this vulnerability can intercept the encrypted traffic and use cryptanalytic techniques to decipher the traffic between sites remotely.
It’s important to note, that his vulnerability only affects the Cisco Nexus 9332C, 9364C, and 9500 spine switches which are bundled with Nexus N9K-X9736C-FX Line Cards, part of a multi-site topology if they are in ACI mode, and if they are running the encryption mode available, with firmware 14.0 and later releases. There are currently no patches for this vulnerability.
Checking the Status of CloudSec Feature
To determine whether CloudSec encryption is in use in an ACI site, choose Infrastructure > Site Connectivity > Configure > Sites > site-name > Inter-Site Connectivity on the Cisco Nexus Dashboard Orchestrator (NDO) and check if CloudSec Encryption is marked Enabled.
To determine whether CloudSec encryption is in use on a Cisco Nexus 9000 Series Spine Switch, use the show cloudsec sa interface all command at the switch CLI. If the command returns Operational Status output for any interface, CloudSec encryption is enabled.
Recommendations:
Since there are currently no patches for this exploit it is advised to seek out alternative solutions by your IT support team until it is remediated.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aci-cloudsec-enc-Vs5Wn2sX
