On July 5, Cisco released a security advisory warning users of a “vulnerability in the Cisco ACI Multi-Site CloudSec encryption feature of Cisco Nexus 9000 Series Fabric Switches in ACI mode.”
The networking and cybersecurity solutions company has no plans to release software updates to address the vulnerability, and there are no workarounds. IT teams are now faced with responding to a patchless vulnerability.
The Cisco Vulnerability
The vulnerability (CVE-2023-20185) impacts Cisco Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode that run releases 14.0 and later, specifically if the data switching gear is part of a Multi-Site topology and uses the CloudSec encryption feature, according to the security advisory.
“The high-severity vulnerability could allow sensitive user and company data to be read, modified, or exploited by bad actors that are intercepting encrypted traffic and/or using cryptanalytic techniques to break the encryption,” George Gerchow, CSO and SVP of IT at SaaS analytics platform Sumo Logic, tells InformationWeek. He is also on the faculty with the cybersecurity research firm Institute for Applied Network Security (IANS).
Successful exploitation of this vulnerability could have wide-ranging consequences. In addition to manipulation of traffic between ACI sites, bad actors could leverage the vulnerability to lead to broader security breaches. “If attackers gain unauthorized access to the network through this vulnerability, it could potentially open pathways for further exploitation or lateral movement within the network,” explains Callie Guenther, senior manager of cyber threat research at managed detection and cybersecurity company Critical Start.
Thus far, Cisco’s Product Security Incident Response Team (PSIRT) has not found any indication that the vulnerability has been exploited, according to the security advisory and an emailed statement.
The company recommends that customers using its ACI Multi-Site CloudSec encryption feature on certain Nexus Series Switches and Line Cards immediately disable the feature. The security advisory includes directions on how to determine the status of the CloudSec feature. The company recommends users reach out to their Cisco support organization to talk about alternatives.
The Potential Impact
The lack of a patch and a workaround for the vulnerability is not typical, and it likely indicates a complex issue, according to Guenther. “It signifies that the vulnerability may be deeply rooted in the design or implementation of the affected feature,” she says.
With no workarounds or forthcoming patch, what can IT teams do in response to this vulnerability?
Before taking a specific action, IT teams need to consider whether this vulnerability impacts their organization. “I have seen companies go into a panic, only to find out that a particular issue didn’t really affect them,” says Alan Brill, senior managing director in the Kroll Cyber Risk Practice and fellow of the Kroll Institute, a risk and financial advisory solutions company.
When determining potential impact, it is important for IT teams to take a broad view. The vulnerability may not directly impact an organization, but what about its supply chain? Third-party risk is an important consideration.
If an IT team determines that the vulnerability does impact their organization, what is the risk level? How likely is threat actor exploitation?
In some cases, the risk may be small enough that it does not require a response. “Document your decision and thinking to demonstrate that an analysis was done and to show that a decision not to respond to the particular problem was a reasonable one,” Brill recommends.
In other cases, Cisco customers will need to act. This may mean disabling the function and considering alternatives, but these responses are not without complications.
The feature in question could be critical to an organization’s network infrastructure function. Disabling it could mean operational disruptions and limited network functionality.
Once the feature is disabled, IT teams may need to find alternate configurations to address the loss of functionality. “This might involve reconfiguring network paths, adjusting security policies, or implementing alternate encryption mechanisms,” says Guenther. “Such reconfigurations can be complex and time-consuming, especially in large-scale environments with intricate network architectures.”
Disabling the feature and introducing an alternative configuration will require impact assessment and testing. How will disabling the feature impact network performance and security? Will an alternative introduce new potential risks?
“Disabling the CloudSec encryption provides potential access in clear text to organizational data, a risk that malicious actors are now aware of and may seek to exploit,” says Gerchow.
Preparing for Future Vulnerabilities
While a patchless vulnerability may stand out, it is likely that it will happen again. “Given the complexity of the software — and the embedded code can be the source of problems for a lot of packages — I think it’s really a matter of when it happens again, not if it will ever happen again,” says Brill.
Gerchow argues that IT leaders should push for a move to SaaS and public cloud solutions. “The lack of a patch or workaround from Cisco leaves customers in a vulnerable position, whereas SaaS and public cloud providers bear the responsibility for maintaining the security of the infrastructure,” he says.
IT teams will inevitably need to address other software vulnerabilities, whether they can be patched or not, in the future. Strengthening an organization’s security posture, understanding risk, communicating with vendors, and having a strong incident response plan in place can help them prepare for the next one.
“Having a plan, having management’s backing, and understanding and carrying through on the plan is the best solution when faced with this kind of problem,” says Brill.